SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   Black Tie Project (BTP)
Vendors:   Logiciel-fr.com
Black Tie Project Web Portal Software Discloses Web Document Directory Installation Path to Remote Users
SecurityTracker Alert ID:  1003819
SecurityTracker URL:  http://securitytracker.com/id/1003819
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 13 2002
Impact:   Disclosure of system information
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 0.5b and prior versions
Description:   ALPER Research Labs issued an advisory warning of an information disclosure vulnerability in the Black Tie Project (BTP) portal system. A remote user can determine the full path of the web document directory.

A remote user can reportedly submit a specially crafted HTTP GET request to determine the absolute path to the web root directory and additional system information.

The vulnerability reportedly can be triggered with the following type of URL requesting an invalid 'cid':

http://[targethost]/categorie.php3?cid=blahblah

Impact:   A remote user can determine the absolute path to the web root directory and additional system information.
Solution:   No solution was available at the time of this entry. The vendor is reportedly working on a fix.

The author of the report suggests the following as a workaround:

Put an IF ELSE statement in the categorie.php3, like;
if ($requested_cat_number == "") {
    die ("Categorie number not found!");
}
else {
    // the original script functions
}

Vendor URL:  btp.logiciel-fr.com/
Cause:   Exception handling error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Underlying OS Comments:  PHP-based

Message History:   None.


 Source Message Contents

Subject:  [ARL02-A06] Black Tie Project System Information Path Disclosure




+/--------\------- ALPER Research Labs   -----/--------/+
+/---------\------  Security Advisory    ----/---------/+
+/----------\-----    ID: ARL02-A06      ---/----------/+
+/-----------\---- salper@olympos.org    --/-----------/+


Advisory Information
--------------------
Name                : Black Tie Project System Information Path Disclosure Vulnerability
Software Package    : Black Tie Project (BTP)
Vendor Homepage     : http://btp.logiciel-fr.com/
Vulnerable Versions : v0.5b, v0.5, v04.b
Platforms           : PHP Dependent
Vulnerability Type  : Input Validation Error
Vendor Contacted    : 11/03/2002
Vendor Replied      : 12/03/2002
Prior Problems      : N/A
Current Version     : v0.5b (vulnerable)


Summary
-------
BTP (the Black Tie Project) is a very modular portal 
system with independent modules. It allows you to 
add and remove a module, and create and customize 
your own modules at any time. 
BTP is written in French and is coded in PHP. 
It includes modules with wap, articles, comment, 
mail, news, and more.

A vulnerability exists in BTP, which could allow any 
remote user to view the full path to the web root.


Details
-------
If any user submits a maliciously crafted HTTP 
request to the site running BTP, this will enable a 
remote user to reveal the absolute path to the web 
root and also more information about the system 
might be revealed. 

This issue may be exploited by requesting an invalid 
category ID (cid) in "categorie.php3".

Example:
http://BTP_site/categorie.php3?cid=blahblah
Where "blahblah" is a non-existing category number.

This would return the web root path in an error 
message;
"Warning: Unable to jump to row 0 on MySQL result index 2 
in /home/software/a/htdocs/site/examplesite.com/categorie.php3 on line 11"

This information may be used to aid in further 
"intelligent" attacks against the host running the 
vulnerable BTP system.


Solution
--------
The vendor confirmed the vulnerability in the Black 
Tie Project. 
And stated that they will be releasing a new version 
with better modules and increased security in a few 
months.

I suggest the following as a workaround:

Put an IF ELSE statement in the categorie.php3, like;
if ($requested_cat_number == "") {
    die ("Categorie number not found!");
}
else {
    // the original script functions
}


Credits
-------
Discovered on 11, March, 2002 by 
Ahmet Sabri ALPER 
salper@olympos.org

Olympos Turkish Security Portal: 
http://www.olympos.org


References
----------
Product Web Page: 
http://sourceforge.net/projects/phpfirstpost/
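
The workaround above, carried further in an added example that is not part of the advisory or of BTP's code: it validates cid as a positive integer, checks that a row exists before reading it, and keeps PHP warnings out of the response. The categories table, its columns, the lookup_category() function and the in-memory SQLite data are assumptions made for illustration.

```php
<?php
// Added example, not BTP code. The "categories" table, its columns and
// lookup_category() are hypothetical names chosen for illustration.

// Keep PHP warnings (which embed the script's absolute path) out of HTTP
// responses and send them to the server log instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Returns [HTTP status, body]; the body never carries paths or driver errors.
function lookup_category(PDO $db, $rawCid): array
{
    // Accept only positive integers; "blahblah", "" and a missing cid fail here.
    $cid = filter_var($rawCid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($cid === false) {
        return [400, 'Category number not found!'];
    }
    try {
        $stmt = $db->prepare('SELECT name FROM categories WHERE id = :id');
        $stmt->execute([':id' => $cid]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        // Full detail goes to the log; the client sees a generic message.
        error_log('category lookup failed: ' . $e->getMessage());
        return [500, 'Internal error'];
    }
    // A well-formed but unknown id yields no row. Check before reading it:
    // reading row 0 of an empty result is what the quoted warning complains about.
    if ($row === false) {
        return [404, 'Category number not found!'];
    }
    return [200, htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8')];
}

// Constructed sample data in an in-memory SQLite database (runs offline).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO categories VALUES (1, 'News')");

// Valid id, the advisory's invalid value, an empty value, and an unknown id.
foreach (['1', 'blahblah', '', '42'] as $cid) {
    [$status, $body] = lookup_category($db, $cid);
    printf("cid=%-10s -> %d %s\n", var_export($cid, true), $status, $body);
}
```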

 
 

