PHP-Nuke MS-Analysis Module Multiple Remote Path Disclosure Vulnerabilities

Bugtraq ID:	9946
Class:	Design Error
CVE:
Remote:	Yes
Local:	No
Published:	Mar 22 2004 12:00AM
Updated:	Mar 22 2004 12:00AM
Credit:	Janek Vind <[email protected]> is credited with the disclosure of this issue.
Vulnerable:	MS-Analysis Website Traffic Analyzer 2.0 - Francisco Burzi PHP-Nuke 7.0 FINAL - Francisco Burzi PHP-Nuke 7.0 - Francisco Burzi PHP-Nuke 6.9 - Francisco Burzi PHP-Nuke 6.7 - Francisco Burzi PHP-Nuke 6.6 - Francisco Burzi PHP-Nuke 6.5 RC3 - Francisco Burzi PHP-Nuke 6.5 RC2 - Francisco Burzi PHP-Nuke 6.5 RC1 - Francisco Burzi PHP-Nuke 6.5 FINAL - Francisco Burzi PHP-Nuke 6.5 BETA 1 - Francisco Burzi PHP-Nuke 6.5
Not Vulnerable:

PHP-Nuke MS-Analysis Module Multiple Remote Path Disclosure Vulnerabilities

Reportedly MS-Analysis is prone to a remote information disclosure vulnerability. This issue is due to a design error that displays sensitive system information when certain errors are triggered.

The problem presents itself when an error condition is triggered in all scripts residing in the 'scripts' directory of the MS-Analysis directory. It has also been reported that this issue affects the 'mstrack.php' and 'title.php' scripts in the MS-Analysis root directory.

These issues may be leveraged to gain sensitive information about the affected system potentially aiding an attacker in mounting further attacks.

PHP-Nuke MS-Analysis Module Multiple Remote Path Disclosure Vulnerabilities

An exploit is not required to carry out this attack.

PHP-Nuke MS-Analysis Module Multiple Remote Path Disclosure Vulnerabilities

Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.

PHP-Nuke MS-Analysis Module Multiple Remote Path Disclosure Vulnerabilities

References:

• MS-Analysis Website Analysis Module (Maty Scripts)
  
• PHPNuke INP Homepage (PHPNuke INP)
  
• [waraxe-2004-SA#011 - Multiple vulnerabilities in MS Analysis v2.0 module for P (Janek Vind )