From: Ahmet Sabri ALPER (s_alperhotmail.com)
Date: Mon Jun 10 2002 - 06:47:53 CDT

    +/--------\-------- ALPER Research Labs ------/--------/+
    +/---------\------- Security Advisory -----/---------/+
    +/----------\------ ID: ARL02-A14 ----/----------/+
    +/-----------\----- salperolympos.org ---/-----------/+


    Advisory Information
    --------------------
    Name : ZenTrack System Information Path Disclosure Vulnerability
    Software Package : zenTrack
    Vendor Homepage : http://zentrack.phpzen.net/
    Vulnerable Versions: v2.0.3, v2.0.2beta and older
    Platforms : OS Independent, PHP
    Vulnerability Type : Input Validation Error
    Vendor Contacted : 01/06/2002
    Vendor Replied : No Reply
    Prior Problems : N/A
    Current Version : v2.0.3 (vulnerable)


    Summary
    -------
    ZenTrack is a complete project management, bug tracking,
    and ticket/tech support/phone log system. Highly
    configurable and adaptable. Supports most databases,
    including mySql, Oracle, and Postgres. Works on Windows
    and Unix systems.

    A vulnerability exists in zenTrack which could allow any
    remote user to view the full path to the web root, and
    possibly other sensitive information.


    Details
    -------
    If a user submits a maliciously crafted HTTP request to a
    site running zenTrack, the response reveals the absolute
    path to the web root, and further information about the
    system might also be revealed.

    This issue may be exploited by requesting an invalid ticket
    ID. The $id variable must contain an integer value that
    does not correspond to an existing ticket.

    Proof-of-concept link example:
    http://[TARGET]/ticket.php?id=99999
    This would return the web root at the top of the page, like:
    "Warning: extract() expects first argument to be an array in
    /home/users/zen/sub/zentr/www/ticket.php on line 49"


    Solution
    --------
    The vendor was unreachable or did not care to reply.
    A new version was released on 03/06/2002, but the vendor
    seems unaware of the issue.

    Workaround:
    Check if the "$id" ticket number exists.


    Credits
    -------
    Discovered on 01, June, 2002 by
    Ahmet Sabri ALPER <salperolympos.org>
    ALPER Research Labs.

    The ALPER Research Labs. [ARL] workers are freelance
    security professionals and WhiteHat hackers. The ARL
    workers are available for hire for legal jobs.
    The ARL also supports the Open Software Community by
    detecting possible security issues in GPL or any other
    Public Licensed product.


    References
    ----------
    Product Web Page: http://zentrack.phpzen.net/
    Olympos: http://www.olympos.org/
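
The workaround above ("check if the $id ticket number exists"), sketched as an added example; this is not zenTrack's code and not part of the original advisory. The `fetch_ticket()` and `render_ticket()` helpers and the `$tickets` sample data are hypothetical stand-ins for the application's data layer, which the advisory does not show.

```php
<?php
// Added illustration; fetch_ticket(), render_ticket() and $tickets are
// hypothetical names, not taken from zenTrack.

// Constructed sample data: ticket 12 exists, 99999 does not.
$tickets = [12 => ['title' => 'Printer offline', 'status' => 'OPEN']];

// Returns the ticket row as an array, or false when no row matches,
// mirroring how a database fetch reports "no such record".
function fetch_ticket(array $tickets, int $id)
{
    return $tickets[$id] ?? false;
}

// Hardened lookup: validate the id, then confirm the row exists before
// extract() ever sees it, so no PHP warning (and no path) reaches the client.
function render_ticket(array $tickets, $rawId): array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [400, 'Invalid ticket ID.'];
    }
    $row = fetch_ticket($tickets, $id);
    if (!is_array($row)) {
        // The case from the advisory: well-formed integer, no such ticket.
        return [404, 'Ticket not found.'];
    }
    extract($row, EXTR_SKIP); // EXTR_SKIP: never overwrite existing variables
    return [200, htmlspecialchars("$title [$status]", ENT_QUOTES)];
}

// Defence in depth: log errors server-side instead of printing them,
// so an unexpected warning elsewhere does not expose the file path.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

foreach (['12', '99999', 'abc'] as $raw) {
    [$code, $body] = render_ticket($tickets, $raw);
    echo "id=$raw -> $code $body\n";
}
```

Disabling `display_errors` alone hides the path but leaves the unchecked `extract()` call in place; the existence check is the actual fix.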