=========================================================
          H Zero Seven Security Advisory

Product   : FlyingDog Software - Powerslave Portalmanager
Impact    : information leak vulnerability  
Issue date: 19 Sept. 2003 
Update    : Powerslave 4.4.3pl3 
Affected  : Powerslave 4.3 
=========================================================

Summary:
========

The Powerslave rapid prototyping server unites all 
functions of a high end content management system and 
offers in addition a development platform for a whole 
abundance of applications.

Powerslave features a powerfull Url-rewrite function
who can be used to obtain Informations about the Database-
Structur and under certain conditions execute arbitary
SQL-Code (not tested).


Informations:
=============

Powerslave 4.3 allows URL-rewriting: instead of the PHP 
standard "?" in the URL, variables are seperated by colons. 
This helps e.g. Google to spider and index the site.

If you enter arbitary sql-commands after the sql-id field
in the Document-URL you can obtain informations about
the Database-Structure. 


Example:

http://example.com/powerslave,id,10;,nodeid,,_language,uk.html
                                   |
                                   |- ; or modified querys
                                        and table-numbers.

Error: Could't find article!
SELECT example_table.* FROM example_table WHERE example_table.ID=10;


Fix:
====

Upgrade to Powerslave 4.4.3pl3

Disclaimer:
===========

This advisory does not claim to be complete. The informations
may be inaccurate or wrong. Possible exploit code is only written
for testing purposes. Articles based on informatins in this
advisory should have an link to this document.
 

Exploit:
========

See Informations.

Reference:
==========

H Zero Seven - Unix/Linux Developer Team
http://www.h07.org


Advisory:
=========

ftp://ftp.h07.org/pub/h07.org/projects/papers/h07adv-powerslave.txt