[ARL02-A07] ARSC Really Simple Chat System Information Path Disclosure Vulnerability

From: Ahmet Sabri ALPER (s_alperat_private)
Date: Sat Mar 16 2002 - 15:24:45 PST

    +/--------\------- ALPER Research Labs   -----/--------/+
    +/---------\------  Security Advisory    ----/---------/+
    +/----------\-----    ID: ARL02-A07      ---/----------/+
    +/-----------\---- salperat_private    --/-----------/+
    
    
    Advisory Information
    --------------------
    Name               : ARSC Really Simple Chat
                         System Information Path Disclosure
                         Vulnerability
    Software Package   : ARSC Really Simple Chat
    Vendor Homepage    : http://manuel.kiessling.net/projects/software/arsc/
    Vulnerable Versions: v1.0.1 and v1.0
    Platforms          : PHP Dependent
    Vulnerability Type : Input Validation Error
    Vendor Contacted   : 15/03/2002
    Vendor Replied     : 15/03/2002
    Prior Problems     : N/A
    Current Version    : v1.0.1 (vulnerable)
    
    
    Summary
    -------
    ARSC is a web chat system built on PHP and MySQL.
    It allows web-based chatting with almost every
    browser type: JavaScript, frames and server push /
    a socket server on modern browsers, down to a
    one-page reload-yourself version for lynx.
    
    A vulnerability exists in ARSC Really Simple Chat, 
    which could allow any remote user to view the full 
    path to the web root.
    
    
    Details
    -------
    A remote user who submits a crafted HTTP request to
    a site running ARSC Really Simple Chat can learn the
    absolute path to the web root; the resulting PHP
    warning may also disclose further details about the
    system, such as the configured include_path.
    
    This issue may be exploited by requesting an invalid 
    language file in "home.php".
    
    Example:
    http://ARSC_site/home.php?arsc_language=elvish
    where "elvish" is a non-existing language file.
    
    This would return the web root path in an error
    message:
    "Warning: Failed opening 'shared/language/elvish.inc.php'
    for inclusion (include_path='.:/usr/local/lib/php') in
    /var/ftproot/blahblah/site/home.php on line 6"
    
    
    This information may be used to aid in 
    further "intelligent" attacks against the host running 
    the vulnerable ARSC Really Simple Chat system.
    
    
    Solution
    --------
    The vendor confirmed the vulnerability in ARSC
    Really Simple Chat versions 1.0.1 and 1.0. They
    added that they will soon release a new version,
    named v1.0.1p1, which will not be affected by this
    vulnerability.
    
    For now you can use my suggested workaround:
    add an if statement to "home.php" that checks
    whether the requested language pack is installed
    before the language file is included.
    
    $dosya = "shared/language/" . $arsc_language . ".inc.php";
    if (!file_exists($dosya)) {
        // Stop before the include on line 6 emits a warning
        // that contains the absolute script path.
        die("Language file missing.");
    }
    
    This will end the script if a non-existent language
    was selected. Add this piece of code to the beginning
    of "home.php", ahead of the include that produces the
    warning, with no warranties.
    
    
    Credits
    -------
    Discovered on 15 March 2002 by
    Ahmet Sabri ALPER
    salperat_private
    Olympos Turkish Security Portal:
    http://www.olympos.org
    
    
    References
    ----------
    Product Web Page: 
    http://manuel.kiessling.net/projects/software/arsc/
    



    This archive was generated by hypermail 2b30 : Mon Mar 18 2002 - 13:49:35 PST