[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

HTB22837: Path disclosure in PrestaShop

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: HTB22837: Path disclosure in PrestaShop
From: advisory@xxxxxxxxxxx
Date: Thu, 3 Mar 2011 12:52:14 +0100 (CET)

Vulnerability ID: HTB22837
Reference: http://www.htbridge.ch/advisory/path_disclosure_in_prestashop.html
Product: PrestaShop
Vendor: PrestaShop ( http://www.prestashop.com/ ) 
Vulnerable Version: Prestashop 1.3.6 final
Vendor Notification: 17 February 2011 
Vulnerability Type: Path disclosure
Risk level: Low 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing 
(http://www.htbridge.ch/) 

Vulnerability Details:
The vulnerability exists due to failure in the "pagination.php", 
"product-sort.php, "modules/hipay/mapi/mapi_tax.php" scripts, it's possible to 
generate an error that will reveal the full path of the script.
A remote user can determine the full path to the web root directory and other 
potentially sensitive information.

The following PoC is available:

http://host/pagination.php
http://host/product-sort.php
http://host/modules/hipay/mapi/mapi_tax.php

Prev by Date: HTB22865: XSS vulnerability in xtcModified
Next by Date: [ MDVSA-2011:040 ] pango
Previous by thread: HTB22865: XSS vulnerability in xtcModified
Next by thread: [ MDVSA-2011:040 ] pango
Index(es):
- Date
- Thread