SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   PHP FirstPost
Vendors:   [Multiple Authors/Vendors]
PHP FirstPost Weblog Discloses Web Installation Directory to Remote Users
SecurityTracker Alert ID:  1003809
SecurityTracker URL:  http://securitytracker.com/id/1003809
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 13 2002
Impact:   Disclosure of system information
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 0.1
Description:   ALPER Research Labs issued an advisory warning of an information disclosure vulnerability in the PHP FirstPost weblog. A remote user can determine the web root directory installation path.

A remote user can submit a specially crafted HTTP GET request referring to an invalid post number to determine the absolute path to the web root directory.

A demonstration exploit URL is provided:

http://PHPFirstPost_site/article.php?article=4965&post=NO_SUCH_NUMBER

Impact:   A remote user can determine the full installation path for the web root directory.
Solution:   No vendor solution was available at the time of this entry. The vendor has reportedly confirmed the vulnerability and has noted that the project is currently "on hold" for a while but that the vulnerability will be fixed in the planned new version release.

The author of the advisory suggests the following as a workaround:

Put an IF ELSE statement in the article.php, like;
    if ($requested_post_number == "") {
        die ("Post number not found!");
    }
    else {
        // the original script functions
    }

Vendor URL:  sourceforge.net/projects/phpfirstpost/
Cause:   Exception handling error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Underlying OS Comments:  PHP-based

Message History:   None.


 Source Message Contents

Subject:  [ARL02-A05] PHP FirstPost System Information Path Disclosure




+/--------\------- ALPER Research Labs   -----/--------/+
+/---------\------  Security Advisory    ----/---------/+
+/----------\-----    ID: ARL02-A05      ---/----------/+
+/-----------\---- salper@olympos.org    --/-----------/+


Advisory Information
--------------------
Name                : PHP FirstPost System Information Path Disclosure Vulnerability
Software Package    : PHP First Post
Vendor Homepage     : http://sourceforge.net/projects/phpfirstpost/
Vulnerable Versions : v0.1
Platforms           : PHP Dependent
Vulnerability Type  : Input Validation Error
Vendor Contacted    : 11/03/2002
Vendor Replied      : 12/03/2002
Prior Problems      : N/A
Current Version     : v0.1 (vulnerable)


Summary
-------
PHP FirstPost is yet another PHP weblog. This one, however, is based on Scoop, and has the open submission queue and comment rating system.

A vulnerability exists in PHP FirstPost, which could allow any remote user to view the full path to the web root.


Details
-------
If a remote user submits a maliciously crafted HTTP request this will enable a remote user to reveal the absolute path to the web root and also more information about the system might be revealed.
This issue may be exploited by requesting an invalid post number, independent of the article number.

Example:
http://PHPFirstPost_site/article.php?article=4965&post=NO_SUCH_NUMBER
Where NO_SUCH_NUMBER is a non-existing post reply number.

This would return the article (if it exists) and below it the web root path in an error message;
"Warning: Unable to jump to row 0 on MySQL result index 11 in /home/httpd/examplesite/html/article.php on line 737"


Solution
--------
The vendor verified the vulnerability in PHP FirstPost. And added that the project was "on hold" for a while but they said that they are planning to release a new version with new features and the fix for the issue in the not-too-distant future.

I suggest the following as a workaround:

Put an IF ELSE statement in the article.php, like;
    if ($requested_post_number == "") {
        die ("Post number not found!");
    }
    else {
        // the original script functions
    }

Credits
-------
Discovered on 11, March, 2002 by Ahmet Sabri ALPER
salper@olympos.org
Ahmet Sabri ALPER
Olympos Turkish Security Portal: http://www.olympos.org


References
----------
Product Web Page: 
http://sourceforge.net/projects/phpfirstpost/
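
The workaround idea above, carried through as an added example (not code from PHP FirstPost or from the advisory): validate the post number, check that the query returned a row before reading it, and keep PHP diagnostics out of the response. The table and column names, the function names and the in-memory SQLite rows are assumptions constructed for illustration.

```php
<?php
// Added example, not PHP FirstPost code. Table, column and function names
// are hypothetical; the SQLite rows are constructed so the script runs offline.

// Keep diagnostics (which carry absolute paths) out of the response body.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

function fetch_post(PDO $db, $article, $post): ?array
{
    // Accept only positive integers; "NO_SUCH_NUMBER", "" and arrays fail here.
    $opts = ['options' => ['min_range' => 1]];
    $articleId = filter_var($article, FILTER_VALIDATE_INT, $opts);
    $postId    = filter_var($post, FILTER_VALIDATE_INT, $opts);
    if ($articleId === false || $postId === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, body FROM posts WHERE article_id = ? AND id = ?');
    $stmt->execute([$articleId, $postId]);
    // A well-formed number can still name a reply that does not exist:
    // check for an empty result instead of reading row 0 unconditionally.
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function render_post(PDO $db, array $query): string
{
    try {
        $row = fetch_post($db, $query['article'] ?? '', $query['post'] ?? '');
    } catch (Throwable $e) {
        error_log('article.php: ' . $e->getMessage()); // detail goes to the log only
        $row = null;
    }
    // One generic message for every failure; no path, line number or SQL detail.
    return $row === null ? 'Post not found.' : htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8');
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, article_id INTEGER, body TEXT)');
$db->exec("INSERT INTO posts VALUES (1, 4965, 'First reply')");

foreach (['1', 'NO_SUCH_NUMBER', '999', ''] as $post) {
    echo var_export($post, true), ' => ', render_post($db, ['article' => '4965', 'post' => $post]), PHP_EOL;
}
```

In production the display_errors and log_errors settings belong in php.ini or the virtual host configuration, so that they also cover errors raised before the script's first line runs.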

 
 

