[ARL02-A05] PHP FirstPost System Information Path Disclosure Vulnerability

From: Ahmet Sabri ALPER (s_alperat_private)
Date: Tue Mar 12 2002 - 06:24:49 PST


    
    +/--------\------- ALPER Research Labs   -----/--------/+
    +/---------\------  Security Advisory    ----/---------/+
    +/----------\-----    ID: ARL02-A05      ---/----------/+
    +/-----------\---- salperat_private    --/-----------/+
    
    
    Advisory Information
    --------------------
    Name               : PHP FirstPost System Information
                         Path Disclosure Vulnerability
    Software Package   : PHP First Post
    Vendor Homepage    : http://sourceforge.net/projects/phpfirstpost/
    Vulnerable Versions: v0.1
    Platforms          : PHP Dependent
    Vulnerability Type : Input Validation Error
    Vendor Contacted   : 11 March 2002
    Vendor Replied     : 12 March 2002
    Prior Problems     : N/A
    Current Version    : v0.1 (vulnerable)
    
    
    Summary
    -------
    PHP FirstPost is yet another PHP weblog. This one, however, is based
    on Scoop, and has the open submission queue and comment rating
    system.

    A vulnerability exists in PHP FirstPost which could allow any remote
    user to view the full path to the web root.
    
    
    Details
    -------
    A remote user who sends a specially crafted HTTP request can obtain
    the absolute filesystem path of the web root, and with it some
    information about the layout of the host. The issue is triggered by
    requesting a post (reply) number that does not exist; the article
    number itself can be a valid one.

    Example:
    http://PHPFirstPost_site/article.php?article=4965&post=NO_SUCH_NUMBER
    Where NO_SUCH_NUMBER is a non-existing post reply number.

    This returns the article (if it exists) and, below it, a PHP warning
    containing the absolute path of the script:
    "Warning: Unable to jump to row 0 on MySQL result index 11
    in /home/httpd/examplesite/html/article.php on line 737"

    The warning is the one PHP's mysql_result() emits when asked for a
    row from an empty result set: article.php reads the post from the
    query result without first checking that the query returned anything,
    and because PHP writes warnings into the generated page when
    display_errors is on (the default in the php.ini shipped with PHP 4),
    the full path is sent to the client.
    
    
    Solution
    --------
    The vendor verified the vulnerability in PHP FirstPost and added that
    the project was "on hold" for a while, but said that a new version
    with new features and a fix for this issue is planned for the
    not-too-distant future. No fixed release is available at the time of
    writing.
    
    I suggest the following as a workaround:
    
    Put an IF/ELSE check in article.php before the post is read from the
    query result, like:
    // Reject empty or non-numeric post numbers, then make sure the
    // post lookup actually returned a row before the script reads from
    // it (mysql_result() on an empty result set is what emits the
    // warning that leaks the path).
    if ($requested_post_number == "" || !is_numeric($requested_post_number)) {
        die ("Post number not found!");
    }
    // $post_result stands for the script's own MySQL result of the post lookup
    if (mysql_num_rows($post_result) == 0) {
        die ("Post number not found!");
    }
    else {
        // the original script functions
    }
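    The following is an added example, not code from PHP FirstPost (the
    advisory does not quote article.php itself). It shows, side by side,
    the pattern that produces the warning described under Details and the
    hardened form that the workaround above aims at, plus the php.ini
    level hardening that keeps such warnings out of HTTP responses
    regardless of what any single script does. It assumes the legacy
    ext/mysql API of the PHP 4 era, a posts table with article, id and
    body columns, and an open mysql_connect() handle in $link; all of
    these names are assumptions.

```php
<?php
// Added example, not code from PHP FirstPost. Assumes the legacy ext/mysql
// API (PHP 4; removed in PHP 7), a "posts" table with "article", "id" and
// "body" columns, and $link holding an open mysql_connect() handle.

// Vulnerable pattern: the post number is used unchecked and the script
// reads from the result set without confirming that it holds a row.
// For a non-existent post mysql_result() emits
//   Warning: Unable to jump to row 0 on MySQL result index N
//   in /absolute/path/to/article.php on line L
// and with display_errors on, that text (absolute path included) is
// written into the page sent to the client.
function show_post_vulnerable($link, $article, $post)
{
    $sql = "SELECT body FROM posts WHERE article = $article AND id = $post";
    $res = mysql_query($sql, $link);
    echo mysql_result($res, 0, 'body');   // warns, with path, when no row
}

// Hardened form: validate both identifiers, build the query from integers
// only, check the row count before reading, and fail with a fixed message
// that carries no server-side detail.
function show_post_hardened($link, $article, $post)
{
    if (!ctype_digit((string) $article) || !ctype_digit((string) $post)) {
        die("Post number not found!");
    }
    $sql = sprintf("SELECT body FROM posts WHERE article = %d AND id = %d",
                   $article, $post);
    $res = mysql_query($sql, $link);
    if ($res === false || mysql_num_rows($res) == 0) {
        die("Post number not found!");
    }
    echo htmlspecialchars(mysql_result($res, 0, 'body'));
}

// Defence in depth for the whole application: never display PHP's own
// error text to the browser, log it instead. The php.ini equivalents are
//   display_errors = Off
//   log_errors = On
// Applying this at the server level closes the disclosure even in scripts
// that still lack a row-count check.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
```

    The row-count check is what removes the warning at its source; the
    display_errors setting is the safety net for every other script on
    the host, and is worth applying on its own while waiting for a fixed
    release.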
    
    Credits
    -------
    Discovered on 11 March 2002 by Ahmet Sabri ALPER
    salperat_private
    Olympos Turkish Security Portal: http://www.olympos.org
    
    
    References
    ----------
    Product Web Page: http://sourceforge.net/projects/phpfirstpost/
    


