From s_alper@hotmail.com Mon Jun 10 16:55:49 2002
From: Ahmet Sabri ALPER
To: bugtraq@securityfocus.com
Date: 10 Jun 2002 11:47:53 -0000
Subject: [ARL02-A14] ZenTrack System Information Path Disclosure Vulnerability

+/--------\-------- ALPER Research Labs ------/--------/+
+/---------\------- Security Advisory -----/---------/+
+/----------\------ ID: ARL02-A14 ----/----------/+
+/-----------\----- salper@olympos.org ---/-----------/+

Advisory Information
--------------------
Name               : ZenTrack System Information Path Disclosure Vulnerability
Software Package   : zenTrack
Vendor Homepage    : http://zentrack.phpzen.net/
Vulnerable Versions: v2.0.3, v2.0.2beta and older
Platforms          : OS Independent, PHP
Vulnerability Type : Input Validation Error
Vendor Contacted   : 01/06/2002
Vendor Replied     : No Reply
Prior Problems     : N/A
Current Version    : v2.0.3 (vulnerable)

Summary
-------
ZenTrack is a complete project management, bug tracking, and ticket/tech
support/phone log system. It is highly configurable and adaptable, supports
most databases, including MySQL, Oracle, and PostgreSQL, and works on Windows
and Unix systems.

A vulnerability exists in zenTrack which could allow any remote user to view
the full path to the web root and possibly other sensitive information.

Details
-------
If a user submits a maliciously crafted HTTP request to a site running
zenTrack, the response reveals the absolute path to the web root, and further
information about the system might be revealed as well.

The issue is triggered by requesting a ticket ID that does not exist. The $id
parameter must be an integer, but one for which no ticket exists; ticket.php
then passes the empty lookup result to extract(), and the resulting PHP
warning is printed into the page.

Proof-of-concept link example:

http://[TARGET]/ticket.php?id=99999

This returns the web root at the top of the page, like:

"Warning: extract() expects first argument to be an array in
/home/users/zen/sub/zentr/www/ticket.php on line 49"

Solution
--------
The vendor was unreachable or did not care to reply.
A new version was released on 03/06/2002, but the vendor seems unaware of
the issue.

Workaround: check whether the "$id" ticket number exists before using the
lookup result.

Credits
-------
Discovered on 01 June 2002 by Ahmet Sabri ALPER, ALPER Research Labs.

The ALPER Research Labs [ARL] workers are freelance security professionals
and WhiteHat hackers. The ARL workers are available for hire for legal jobs.
The ARL also supports the Open Software Community by detecting possible
security issues in GPL or other publicly licensed products.

References
----------
Product Web Page: http://zentrack.phpzen.net/
Olympos: http://www.olympos.org/
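The pattern described in the Details and Solution sections, as an added illustration that is not zenTrack's own code: a lookup result handed straight to extract() next to a version that validates the ID, checks that the ticket exists, and keeps PHP warnings out of the response. The table layout, lookupTicket() and the in-memory SQLite data are constructed for this example.

```php
<?php
// Added illustration, not zenTrack's code. Table layout, lookupTicket() and
// the in-memory SQLite database are hypothetical / constructed sample data.

/** Hypothetical lookup: returns an associative row, or false if no ticket. */
function lookupTicket(PDO $db, int $id)
{
    $stmt = $db->prepare('SELECT id, title, status FROM tickets WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->fetch(PDO::FETCH_ASSOC);   // false when no row matches
}

/** Vulnerable pattern: query result handed to extract() without a check. */
function showTicketVulnerable(PDO $db, $id)
{
    $row = lookupTicket($db, (int) $id);
    // For a non-existent id $row is false. extract() then raises a warning
    // (a TypeError on PHP 8), and with display_errors=On the message, which
    // includes the script's absolute path, is rendered into the response.
    extract($row);
    return "Ticket #$id: $title [$status]";
}

/** Hardened: validate the id, confirm the ticket exists, avoid extract(). */
function showTicketSafe(PDO $db, $id)
{
    $id = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return 'Invalid ticket ID.';          // generic message, no internals
    }
    $row = lookupTicket($db, $id);
    if ($row === false) {
        return 'No such ticket.';
    }
    // Address columns explicitly so result keys can never overwrite locals.
    return sprintf('Ticket #%d: %s [%s]', $row['id'], $row['title'], $row['status']);
}

// Defence in depth for every page: log warnings, never display them.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Constructed sample data to exercise the hardened path.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE tickets (id INTEGER PRIMARY KEY, title TEXT, status TEXT)');
$db->exec("INSERT INTO tickets VALUES (1, 'Login page broken', 'open')");
echo showTicketSafe($db, '1'), "\n";
echo showTicketSafe($db, '99999'), "\n";
echo showTicketSafe($db, 'abc'), "\n";
```

Turning display_errors off does not remove the bug, it only stops the path from reaching the client; the existence check is the actual fix.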