Computer Security
[EN] securityvulns.ru

From:Ahmet Sabri ALPER <s_alper_(at)_hotmail.com>
Date:15.03.2002
Subject:[ARL02-A06] Black Tie Project System Information Path Disclosure Vulnerability



+/--------\------- ALPER Research Labs   -----/--------/+
+/---------\------  Security Advisory    ----/---------/+
+/----------\-----    ID: ARL02-A06      ---/----------/+
+/-----------\---- salper@olympos.org    --/-----------/+





Advisory Information
--------------------
Name                : Black Tie Project System Information Path Disclosure Vulnerability
Software Package    : Black Tie Project (BTP)
Vendor Homepage     : http://btp.logiciel-fr.com/
Vulnerable Versions : v0.5b, v0.5, v04.b
Platforms           : PHP Dependent
Vulnerability Type  : Input Validation Error
Vendor Contacted    : 11/03/2002
Vendor Replied      : 12/03/2002
Prior Problems      : N/A
Current Version     : v0.5b (vulnerable)





Summary
-------
BTP (the Black Tie Project) is a very modular portal system with independent modules. It allows you to add and remove a module, and create and customize your own modules at any time. BTP is written in French and is coded in PHP. It includes modules for WAP, articles, comments, mail, news, and more.

A vulnerability exists in BTP which could allow any remote user to view the full path to the web root.





Details
-------
A remote user who submits a crafted HTTP request to a site running BTP can reveal the absolute path to the web root, and further information about the system might also be revealed.

This issue may be exploited by requesting an invalid category ID (cid) in "categorie.php3".

Example:
http://BTP_site/categorie.php3?cid=blahblah
Where "blahblah" is a non-existing category number.

This would return the web root path in an error message:
"Warning: Unable to jump to row 0 on MySQL result index 2 in /home/software/a/htdocs/site/examplesite.com/categorie.php3 on line 11"

This information may be used to aid in further "intelligent" attacks against the host running the vulnerable BTP system.





Solution
--------
The vendor confirmed the vulnerability in the Black Tie Project and stated that they will be releasing a new version with better modules and increased security in a few months.



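I suggest the following as a workaround:

Put an if/else statement in categorie.php3, like:

// $requested_cat_number: placeholder name for the requested category number
if ($requested_cat_number == "") {
    // stop before the script reaches the code that raises the warning
    die("Categorie number not found!");
} else {
    // the original script functions
}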
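
A fuller form of the check for categorie.php3, as an added example that is not BTP's code or the advisory author's: the warning quoted above is the one PHP's old mysql_result() raises when asked for a row the result set does not contain, so the example validates cid, checks that a row exists before reading it, and keeps PHP warnings out of the response. The categories table, its columns and the function names are assumptions; an in-memory SQLite database with constructed data stands in for the MySQL back end.

```php
<?php
// Added example, not BTP code. Table, column and function names are hypothetical.
ini_set('display_errors', '0');   // never render warnings (and file paths) to the client
ini_set('log_errors', '1');       // keep them in the server-side log instead

/** Return the category row for a raw "cid" value, or null if invalid or absent. */
function find_category(PDO $db, $rawCid): ?array
{
    // 1. Accept only a plain positive integer; "blahblah" and "" both fail here.
    $cid = filter_var($rawCid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($cid === false) {
        return null;
    }
    // 2. Bind the value instead of concatenating it into the SQL text.
    $stmt = $db->prepare('SELECT id, title FROM categories WHERE id = :cid');
    $stmt->execute([':cid' => $cid]);
    // 3. Check that a row exists before reading it: a well-formed but
    //    non-existent ID must not reach code that assumes row 0 is there.
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Build the response: one generic message for every failure, no internals. */
function render_category(PDO $db, $rawCid): array
{
    $row = find_category($db, $rawCid);
    if ($row === null) {
        // Details go to the log, JSON-encoded so the raw value cannot break the line.
        error_log('categorie: rejected cid ' . json_encode($rawCid));
        return [404, 'Category not found'];
    }
    return [200, htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8')];
}

// Constructed sample data so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE categories (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO categories VALUES (1, 'News')");

foreach (['1', 'blahblah', '', '99999'] as $cid) {
    [$status, $body] = render_category($db, $cid);
    echo str_pad(var_export($cid, true), 12), " -> $status $body\n";
}
```

Setting display_errors to off in php.ini applies the same protection to every script on the site, so a path cannot leak from a page that was missed.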





Credits
-------
Discovered on 11, March, 2002 by
Ahmet Sabri ALPER
salper@olympos.org

Olympos Turkish Security Portal:
http://www.olympos.org





References
----------
Product Web Page:
http://sourceforge.net/projects/phpfirstpost/
