 
From: Ahmet Sabri ALPER (s_alperhotmail.com)
Date: Tue Mar 12 2002 - 08:24:49 CST


    +/--------\------- ALPER Research Labs -----/--------/+
    +/---------\------ Security Advisory ----/---------/+
    +/----------\----- ID: ARL02-A05 ---/----------/+
    +/-----------\---- salperolympos.org --/-----------/+


    Advisory Information
    --------------------
    Name : PHP FirstPost System Information Path Disclosure Vulnerability
    Software Package : PHP First Post
    Vendor Homepage :
    http://sourceforge.net/projects/phpfirstpost/
    Vulnerable Versions: v0.1
    Platforms : PHP Dependent
    Vulnerability Type : Input Validation Error
    Vendor Contacted : 11/03/2002
    Vendor Replied : 12/03/2002
    Prior Problems : N/A
    Current Version : v0.1 (vulnerable)


    Summary
    -------
    PHP FirstPost is yet another PHP weblog. This one, however, is based on
    Scoop, and has the open submission queue and comment rating system.

    A vulnerability exists in PHP FirstPost, which could
    allow any remote user to view the full path to the web
    root.


    Details
    -------
    A remote user who submits a specially crafted HTTP request can make the
    script reveal the absolute path to the web root, and possibly further
    information about the system. The issue is triggered by requesting an
    invalid post number; the article number itself does not have to be invalid.

    Example:
    http://PHPFirstPost_site/article.php?article=4965&post=NO_SUCH_NUMBER
    Where NO_SUCH_NUMBER is a non-existing post reply number.

    This would return the article (if it exists) and, below it, the web root
    path in an error message:
    "Warning: Unable to jump to row 0 on MySQL result index 11
    in /home/httpd/examplesite/html/article.php on line 737"
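    The following is an added example, not code from PHP FirstPost or from the
    advisory author. It shows the pattern that produces the warning quoted
    above (calling mysql_result() on a result set with no rows while PHP's
    display_errors is on, so the warning, with the script's full path, is
    written into the HTTP response) beside a hardened version that validates
    the post number, checks the row count before reading, and keeps error
    output out of the page. It assumes the legacy mysql extension that a
    2002-era script would use, and a hypothetical table `posts` with columns
    `id`, `article_id` and `body`.

```php
<?php
// Added example (not PHP FirstPost code). Assumes the legacy mysql
// extension and a hypothetical table posts(id, article_id, body).

// Vulnerable pattern: no check that the query matched anything.
// With display_errors=On, an unknown post number makes mysql_result()
// emit "Warning: Unable to jump to row 0 on MySQL result index N
// in /full/path/to/article.php on line L" straight into the response.
function show_post_vulnerable($link, $article, $post)
{
    $sql = "SELECT body FROM posts WHERE article_id=$article AND id=$post";
    $res = mysql_query($sql, $link);
    echo mysql_result($res, 0, 'body');   // row 0 does not exist -> warning with path
}

// Hardened pattern: validate input, check the row count, and never let
// PHP warnings reach the browser (log them instead).
function show_post_hardened($link, $article, $post)
{
    ini_set('display_errors', '0');   // path disclosure is impossible if warnings are not rendered
    ini_set('log_errors', '1');       // keep them in the server log for the operator

    // Only unsigned integers are acceptable identifiers.
    if (!ctype_digit((string) $article) || !ctype_digit((string) $post)) {
        echo 'Post number not found!';
        return false;
    }
    $article = (int) $article;
    $post    = (int) $post;

    $sql = "SELECT body FROM posts WHERE article_id=$article AND id=$post";
    $res = mysql_query($sql, $link);

    // An empty result set is a normal condition, handled explicitly
    // rather than left for mysql_result() to complain about.
    if ($res === false || mysql_num_rows($res) === 0) {
        echo 'Post number not found!';
        return false;
    }

    echo mysql_result($res, 0, 'body');
    return true;
}

// Usage (assumes $link is an open mysql connection):
// show_post_hardened($link, $_GET['article'], $_GET['post']);
```

    The ini_set() lines are the part that matters beyond this one script:
    an application that renders PHP warnings to the client will leak file
    paths from any unhandled database or file error, so display_errors
    should be off in php.ini for production hosts regardless of per-script
    input checks.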


    Solution
    --------
    The vendor verified the vulnerability in PHP FirstPost and added that the
    project was "on hold" for a while, but said that they are planning to
    release a new version with new features and the fix for the issue in the
    not-too-distant future.

    I suggest the following as a workaround:

    Put an IF ELSE statement in the article.php, like:

    <?php
    // Stop before the query runs if no post number was supplied
    if ($requested_post_number == "") {
        die("Post number not found!");
    } else {
        // the original script functions
    }
    ?>

    Credits
    -------
    Discovered on 11 March 2002 by Ahmet Sabri ALPER
    salperolympos.org
    Ahmet Sabri ALPER
    Olympos Turkish Security Portal:
    http://www.olympos.org


    References
    ----------
    Product Web Page:
    http://sourceforge.net/projects/phpfirstpost/