The following web applications are found to have full path disclosure
flaws (Ref: WASC-13, CWE-200).
-----------------------------------------
htmlpurifier-4.2.0
phpids-0.6.5
PhpSecInfo
111WebCalendar-1.2.3
adodb
aef-1.0.8
ATutor-2.0
auth
b2evolution-3.3.3
bbpress-1.0.2
cftp-r80
claroline-1.9.7
clipbucket_2.0.9_stable_Fr
cmsmadesimple-1.9.2
CodeIgniter_1.7.2
concrete5.4.0.5
concrete5.4.1.1
CopperminePhotoGallery-1.5.12
craftysyntax3.0.2
CubeCart-4.4.3
dokuwiki-2009-12-25c
Dolphin-7.0.4
dotproject-2.1.4
drupal-7.0
e107_0.7.24
eggblog_4.1.2
elgg-1.7.6
ExoPHPDesk_1.2.1
eyeOS-2.2.0.0
fengoffice_1.7.2
freeway_1_5_alpha_Burstow
frontaccounting-2.3.1
helpcenterlive-2.1.7
hesk-2.2
jcow.4.2.1
joomla-1.6.0
kamads-2_b3
kplaylist.1.8.502
lifetype-1.2.10
limesurvey190plus-build9642-20101214
linpha-1.3.4
mambo-4.6.5
mantisbt-1.2.4
moodle-2.0.1
mound-2.1.6
mybb-1.6
nucleus3.61
NuSOAP
open-realty-2.5.8
OpenBlog-1.2.1
opencart_v1.4.9.3
opendocman-1.2.6-svn-2011-01-21
orangehrm-2.6.0.2
oscommerce-3.0a5
phorum-5.2.15a
PHP-Easy-Survey-Package-2.1.1
PHP-Nuke-8.0
PHP-Point-Of-Sale-10.7
phpads-2.0
phpAlbum_v0.4.1.14.fix06
phpBook-2.1.0
phpcollab-2.5
PHPDevShell-V3.0.0-Beta-4b
PHPfileNavigator-2.3.3
phpFormGen-2.09
phpfreechat-1.3
PhpGedView-all-4.2.3
phpicalendar-2.4
phpld-2-151.2.0
phpmyfaq-2.6.13
phprojekt-6.0.5
phpScheduleIt_1.2.12
phpwcms-1.4.7r412
piwigo-2.1.5
piwik-1.1
pixelpost_v1.7.3
pixie_v1.04
PliggCMS1.1.3
podcastgen1.3
prestashop_1.4.0.6
projectpier-0.8.0.3
serendipity-1.5.5
Smarty
statusnet-0.9.6
SugarCRM-6.1.0
taskfreak-multi-mysql-0.6
tcexam_11.1.015
textpattern-4.2.0
thebuggenie_2.1.2
theHostingTool-v1.2.3
TinyMCE
TinyWebGallery-1.8.3
tomatocart-1.1.3
vanilla-2.0.16
WebCalendar-1.2.3
WeBid-1.0.0
webinsta-mail-list-1.3e
WebsiteBaker_2.8.1
wordpress-3.0.4
xajax
xoops-2.5.0
YOURS
Zend
zikula-1.2.4
------------------------------------------------
Vulnerable files list for each application can be found at
http://yehg.net/lab/pr0js/advisories/path_disclosure/
http://yehg.net/lab/pr0js/advisories/path_disclosure.zip
Solution:
Disable php error_display off.
For those who manage servers, set php error_display setting as 'on' in
php.ini file.
For those who don't, simple put "php_flag error_display off" in
.htaccess file of web root directory (unless it is restricted by
php_admin_flag)
---------------------------------
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd