From: Ahmet Sabri ALPER (s_alperhotmail.com)
Date: Tue Mar 12 2002 - 11:26:52 CST

    +/--------\------- ALPER Research Labs -----/--------/+
    +/---------\------ Security Advisory ----/---------/+
    +/----------\----- ID: ARL02-A06 ---/----------/+
    +/-----------\---- salperolympos.org --/-----------/+


    Advisory Information
    --------------------
    Name : Black Tie Project System
    Information Path Disclosure Vulnerability
    Software Package : Black Tie Project (BTP)
    Vendor Homepage : http://btp.logiciel-fr.com/
    Vulnerable Versions: v0.5b, v0.5, v04.b
    Platforms : PHP Dependent
    Vulnerability Type : Input Validation Error
    Vendor Contacted : 11/03/2002
    Vendor Replied : 12/03/2002
    Prior Problems : N/A
    Current Version : v0.5b (vulnerable)


    Summary
    -------
    BTP (the Black Tie Project) is a very modular portal
    system with independent modules. It allows you to
    add and remove a module, and create and customize
    your own modules at any time.
    BTP is written in French and is coded in PHP.
    It includes modules with wap, articles, comment,
    mail, news, and more.

    A vulnerability exists in BTP, which could allow any
    remote user to view the full path to the web root.


    Details
    -------
    If a user submits a maliciously crafted HTTP request
    to a site running BTP, the response reveals the
    absolute path to the web root, and more information
    about the system might also be revealed.

    This issue may be exploited by requesting an invalid
    category ID (cid) in "categorie.php3".

    Example:
    http://BTP_site/categorie.php3?cid=blahblah
    Where "blahblah" is a non-existing category number.

    This would return the web root path in an error
    message:
    "Warning: Unable to jump to row 0 on MySQL result index 2
    in /home/software/a/htdocs/site/examplesite.com/categorie.php3 on line 11"

    This information may be used to aid in further
    "intelligent" attacks against the host running the
    vulnerable BTP system.


    Solution
    --------
    The vendor confirmed the vulnerability in the Black
    Tie Project and stated that they will be releasing a
    new version with better modules and increased
    security in a few months.

    I suggest the following as a workaround:

    Put an IF ELSE statement in categorie.php3, like:

        if ($requested_cat_number == "") {
            die ("Categorie number not found!");
        }
        else {
            // the original script functions
        }


    Credits
    -------
    Discovered on 11, March, 2002 by
    Ahmet Sabri ALPER
    salperolympos.org

    Olympos Turkish Security Portal:
    http://www.olympos.org


    References
    ----------
    Product Web Page:
    http://sourceforge.net/projects/phpfirstpost/
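
Added example, not part of the original advisory and not BTP code: a category lookup in current PHP that returns a generic response for a missing, non-numeric, or nonexistent cid and keeps PHP warnings out of the page. It goes beyond the empty-value check in the workaround above; the function name lookupCategory, the table "categories" with columns "cid" and "name", and the in-memory SQLite database standing in for BTP's MySQL are all assumptions.

```php
<?php
declare(strict_types=1);

// Never render PHP warnings (which carry file paths) to the client; log them instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/**
 * Returns [HTTP status, body]. The body never contains file paths or DB errors.
 * Hypothetical helper; the table and column names are assumptions.
 */
function lookupCategory(PDO $db, ?string $rawCid): array
{
    // 1. Accept only a short run of decimal digits ("blahblah", "" and null fail here).
    if ($rawCid === null || !ctype_digit($rawCid) || strlen($rawCid) > 9) {
        return [400, 'Invalid category.'];
    }
    try {
        // 2. Bound integer parameter: the value is never concatenated into SQL.
        $stmt = $db->prepare('SELECT name FROM categories WHERE cid = :cid');
        $stmt->bindValue(':cid', (int) $rawCid, PDO::PARAM_INT);
        $stmt->execute();
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        // Details go to the server log only.
        error_log('category lookup failed: ' . $e->getMessage());
        return [500, 'Internal error.'];
    }
    // 3. A well-formed but unknown id is an empty result, handled before any row access.
    if ($row === false) {
        return [404, 'Category not found.'];
    }
    return [200, htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8')];
}

// Constructed demo data in an in-memory SQLite database (requires pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE categories (cid INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO categories VALUES (1, 'News')");

// Constructed sample inputs: one valid id, one unknown id, three malformed values.
foreach (['1', '42', 'blahblah', '', null] as $cid) {
    [$status, $body] = lookupCategory($db, $cid);
    printf("cid=%s -> %d %s\n", var_export($cid, true), $status, $body);
}
```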