From s_alper@hotmail.com Thu Mar 14 19:18:39 2002
From: Ahmet Sabri ALPER
To: bugtraq@securityfocus.com
Date: 12 Mar 2002 17:26:52 -0000
Subject: [ARL02-A06] Black Tie Project System Information Path Disclosure Vulnerability

+/--------\------- ALPER Research Labs -----/--------/+
+/---------\------ Security Advisory ----/---------/+
+/----------\----- ID: ARL02-A06 ---/----------/+
+/-----------\---- salper@olympos.org --/-----------/+

Advisory Information
--------------------

Name               : Black Tie Project System Information Path Disclosure Vulnerability
Software Package   : Black Tie Project (BTP)
Vendor Homepage    : http://btp.logiciel-fr.com/
Vulnerable Versions: v0.5b, v0.5, v04.b
Platforms          : PHP Dependent
Vulnerability Type : Input Validation Error
Vendor Contacted   : 11/03/2002
Vendor Replied     : 12/03/2002
Prior Problems     : N/A
Current Version    : v0.5b (vulnerable)

Summary
-------

BTP (the Black Tie Project) is a very modular portal system with independent
modules. It allows you to add and remove a module, and to create and customize
your own modules at any time. BTP is written in French and is coded in PHP. It
includes modules for wap, articles, comments, mail, news, and more.

A vulnerability exists in BTP which allows any remote user to view the full
path to the web root.

Details
-------

A remote user who submits a crafted HTTP request to a site running BTP can
obtain the absolute path to the web root, and possibly further information
about the system. The issue is triggered by requesting an invalid category ID
(cid) from "categorie.php3": the script does not check that the category
exists before reading the first row of the query result, so the database
layer emits a PHP warning that contains the absolute path of the script.

Example:

    http://BTP_site/categorie.php3?cid=blahblah

Where "blahblah" is a non-existing category number.
This returns the web root path inside an error message:

    Warning: Unable to jump to row 0 on MySQL result index 2 in
    /home/software/a/htdocs/site/examplesite.com/categorie.php3 on line 11

This information may be used to aid further, more targeted attacks against
the host running the vulnerable BTP system.

Solution
--------

The vendor confirmed the vulnerability in the Black Tie Project and stated
that they will be releasing a new version with better modules and increased
security in a few months.

I suggest the following as a workaround. Put an IF ELSE statement in
categorie.php3, like:

    // Reject a missing or non-numeric category ID before it reaches the
    // query; an empty-string check alone lets "cid=blahblah" through.
    if ($requested_cat_number == "" || !ereg("^[0-9]+$", $requested_cat_number)) {
        die ("Categorie number not found!");
    } else {
        // the original script functions; the result set still has to be
        // checked with mysql_num_rows() before a row is read, otherwise a
        // numeric but non-existent ID triggers the same warning
    }

Credits
-------

Discovered on 11 March 2002 by Ahmet Sabri ALPER
salper@olympos.org
Olympos Turkish Security Portal: http://www.olympos.org

References
----------

Product Web Page: http://sourceforge.net/projects/phpfirstpost/
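The check a tester would want for the Details section above, as an added example that is not part of the advisory or of the BTP project: a small Python checker that builds the probe request described there (an invalid cid), scans a response body for PHP error lines of the "Warning: ... in <path> on line N" shape, and recovers the web root by stripping the requested URL path from the leaked filesystem path. The host btp.example, the sample responses and the path /home/www/htdocs/btp are constructed for illustration and were not captured from a real installation; the checker runs offline against those samples.

```python
import re
from dataclasses import dataclass
from posixpath import dirname
from urllib.parse import urlencode, urlsplit, urlunsplit

# Shape of the PHP error line quoted in the advisory, e.g.
#   Warning: Unable to jump to row 0 on MySQL result index 2 in /abs/path/categorie.php3 on line 11
# With html_errors=On PHP wraps the same text in <b>...</b> tags, so tags are
# stripped before matching.  Windows drive paths are accepted as well.
PHP_ERROR_RE = re.compile(
    r"(?P<level>Warning|Notice|Fatal error|Parse error):\s+(?P<msg>.+?)\s+in\s+"
    r"(?P<path>(?:[A-Za-z]:[\\/]|/)\S+?)\s+on line\s+(?P<line>\d+)"
)
TAG_RE = re.compile(r"<[^>]+>")


@dataclass(frozen=True)
class Disclosure:
    level: str
    message: str
    path: str
    line: int


def build_probe_url(script_url, param="cid", value="blahblah"):
    """Build the probe from the advisory: the category script with a non-existent cid."""
    parts = urlsplit(script_url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode({param: value}), ""))


def find_path_disclosures(body):
    """Return every PHP error in a response body that leaks an absolute script path."""
    text = TAG_RE.sub("", body)
    return [
        Disclosure(m.group("level"), m.group("msg"), m.group("path"), int(m.group("line")))
        for m in PHP_ERROR_RE.finditer(text)
    ]


def infer_web_root(fs_path, url_path):
    """Strip the requested URL path off the leaked filesystem path to get the web root.

    If the two do not line up (the script was reached through an alias or
    rewrite), fall back to the directory that contains the script.
    """
    if url_path and fs_path.endswith(url_path):
        return fs_path[: -len(url_path)] or "/"
    return dirname(fs_path)


# Constructed sample responses (not captured from a real BTP install); the
# path is made up.  SAMPLE_HTML is what PHP emits with html_errors=On.
SAMPLE_PLAIN = (
    "Warning: Unable to jump to row 0 on MySQL result index 2 in "
    "/home/www/htdocs/btp/categorie.php3 on line 11\n"
)
SAMPLE_HTML = (
    "<html><body>\n<br />\n<b>Warning</b>:  Unable to jump to row 0 on MySQL result "
    "index 2 in <b>/home/www/htdocs/btp/categorie.php3</b> on line <b>11</b><br />\n"
    "</body></html>"
)


if __name__ == "__main__":
    url = build_probe_url("http://btp.example/categorie.php3")
    print("probe:", url)
    for found in find_path_disclosures(SAMPLE_HTML):
        root = infer_web_root(found.path, urlsplit(url).path)
        print(f"{found.level} at {found.path}:{found.line} -> web root {root}")
```

The "Unable to jump to row" message is what PHP's mysql_result() family prints when asked for a row of an empty result set, so the same leak appears in any script that reads a row without first checking mysql_num_rows(). Switching display_errors off in php.ini (or logging errors instead of displaying them) removes the path from the response even where the script is not fixed, and is the check to run alongside the workaround in the Solution section.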