Aerosol Posted February 18, 2015 Report Posted February 18, 2015 *DLGuard Full Path Disclosure (Information Leakage) SecurityVulnerabilities*Exploit Title: DLGuard /index.php c parameter Full Path Disclosure SecurityVulnerabilitiesProduct: DLGuardVendor: DLGuardVulnerable Versions: v4.5Tested Version: v4.5Advisory Publication: Feb 18, 2015Latest Update: Feb 18, 2015Vulnerability Type: Information Exposure [CWE-200]CVE Reference: *Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore]*Advisory Details:**(1) Vendor & Product Description:**Vendor:*DLGuard*Product & Version:*DLGuardv4.5*Vendor URL & Download:*DLGuard can be downloaded from here,http://www.dlguard.com/dlginfo/index.php*Product Introduction:*“DLGuard is a powerful, yet easy to use script that you simply upload toyour website and then rest assured that your internet business is not onlysafe, but also much easier to manage, automating the tasks you just don'thave the time for.""DLGuard supports the three types, or methods, of sale on the internet:<1>Single item sales (including bonus products!)<2>Multiple item sales<3>Membership websites"*(2) Vulnerability Details:*DLGuard has a security problem. It can be exploited by Full Path Disclosureattacks.*(2.1)* The first vulnerability occurs at “index.php” page with ""c"parameters of it.*References:*http://tetraph.com/security/full-path-disclosure-vulnerability/dlguard-full-path-disclosure-information-leakage-security-vulnerabilities/http://securityrelated.blogspot.com/2015/02/dlguard-full-path-disclosure.html--Wang Jing,Division of Mathematical Sciences (MAS),School of Physical and Mathematical Sciences (SPMS),Nanyang Technological University (NTU),Singapore.http://www.tetraph.com/wangjing/https://twitter.com/justqdjingSource Quote
