SecurityTracker.com
Category:   Application (Instant Messaging/IRC/Chat)  >   ARSC Really Simple Chat
Vendors:   Kiessling, Manuel
ARSC Really Simple Chat Server Discloses Web Root Directory Location to Remote Users
SecurityTracker Alert ID:  1003857
SecurityTracker URL:  http://securitytracker.com/id/1003857
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 20 2002
Impact:   Disclosure of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.0 and 1.0.1
Description:   ALPER Research Labs reported a security vulnerability in the ARSC Really Simple Chat server. A remote user can determine the path of the web root directory.

A remote user can submit a specially crafted HTTP GET request for a non-existent language file to determine the absolute path to the web root directory.

A demonstration exploit URL is provided:

http://ARSC_site/home.php?arsc_language=elvish

Impact:   A remote user can determine the path of the web root directory.
Solution:   The fixed version is now available:

Via anonymous FTP:

ftp://manuel.kiessling.net/pub/arsc/arsc1.0.1p1.tar.gz
ftp://manuel.kiessling.net/pub/arsc/arsc1.0.1p1.zip

Via HTTP:

http://manuel.kiessling.net/projects/software/arsc/download/arsc1.0.1p1.tar.gz
http://manuel.kiessling.net/projects/software/arsc/download/arsc1.0.1p1.zip

From Sourceforge via HTTP:

http://prdownloads.sourceforge.net/arsc/arsc1.0.1p1.tar.gz
http://prdownloads.sourceforge.net/arsc/arsc1.0.1p1.zip

Vendor URL:  manuel.kiessling.net/projects/software/arsc/
Cause:   Exception handling error
Underlying OS:  Linux (Any), UNIX (Any)
Underlying OS Comments:  PHP- and MySQL-based

Message History:   None.


 Source Message Contents

Subject:  [ARL02-A07] ARSC Really Simple Chat System Information Path




+/--------\------- ALPER Research Labs   -----/--------/+
+/---------\------  Security Advisory    ----/---------/+
+/----------\-----    ID: ARL02-A07      ---/----------/+
+/-----------\---- salper@olympos.org    --/-----------/+


Advisory Information
--------------------
Name               : ARSC Really Simple Chat
                     System Information Path Disclosure Vulnerability
Software Package   : ARSC Really Simple Chat
Vendor Homepage    : http://manuel.kiessling.net/projects/software/arsc/
Vulnerable Versions: v1.0.1 and v1.0
Platforms          : PHP Dependent
Vulnerability Type : Input Validation Error
Vendor Contacted   : 15/03/2002
Vendor Replied     : 15/03/2002
Prior Problems     : N/A
Current Version    : v1.0.1 (vulnerable)


Summary
-------
ARSC is a webchat system that uses PHP and 
MySQL and allows web based chatting with almost 
every browser type; using JavaScript, frames and 
server push / socket server on modern browsers 
down to a one-page reload-yourself lynx version.

A vulnerability exists in ARSC Really Simple Chat, 
which could allow any remote user to view the full 
path to the web root.


Details
-------
If any user submits a maliciously crafted HTTP 
request to the site running ARSC Really Simple Chat, 
this will enable a remote user to reveal the absolute 
path to the web root and also more information about 
the system might be revealed. 

This issue may be exploited by requesting an invalid 
language file in "home.php".

Example:
http://ARSC_site/home.php?arsc_language=elvish
where "elvish" is a non-existing language file.

This would return the web root path in an error 
message;
"Warning: Failed opening 'shared/language/elvish.inc.php'
for inclusion (include_path='.:/usr/local/lib/php') in
/var/ftproot/blahblah/site/home.php on line 6"


This information may be used to aid in 
further "intelligent" attacks against the host running 
the vulnerable ARSC Really Simple Chat system.


Solution
--------
The vendor confirmed the vulnerability in ARSC 
Really Simple Chat, versions 1.0.1 and 1.0. They 
added that they will be releasing a new version soon, 
which will be immune to this vulnerability and will be 
named v1.0.1p1.

For now you can use my suggested workaround:
Adding an IF-ELSE statement in "home.php" to check 
if the requested language pack is installed or not.

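// Build the path of the requested language pack.
$dosya = "shared/language/" . $arsc_language . ".inc.php";
// Stop before the include if that pack is not installed.
if (!file_exists($dosya)) {
   die("Language file missing.");
}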

This will end the script if a non-existing language was 
selected. Add this piece of code to the beginning 
of "home.php" with no warranties.


Credits
-------
Discovered on 15, March, 2002 by 
Ahmet Sabri ALPER 
salper@olympos.org
Olympos Turkish Security Portal: 
http://www.olympos.org


References
----------
Product Web Page: 
http://manuel.kiessling.net/projects/software/arsc/
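
A hardened form of the language-file lookup, given here as an added example (it is not ARSC code and not the advisory author's workaround). It goes beyond the existence check by restricting the name to installed language packs and keeping PHP warnings out of the response; the function name `resolve_language_file`, the temporary directory and the sample packs are assumptions constructed for the demonstration.

```php
<?php
// Added example, not ARSC code. Directory layout and names are assumptions.

// Keep PHP warnings (which carry absolute paths) out of HTTP responses.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/**
 * Map a requested language name to an installed language file.
 * Returns the file path, or null when the request must be rejected.
 */
function resolve_language_file(string $langDir, $requested): ?string
{
    // Only short lowercase names: rejects "../", NUL bytes, arrays, URLs.
    if (!is_string($requested) || !preg_match('/\A[a-z]{2,20}\z/', $requested)) {
        return null;
    }
    // Allowlist built from the packs that are actually installed.
    $installed = [];
    foreach (glob($langDir . '/*.inc.php') ?: [] as $path) {
        $installed[basename($path, '.inc.php')] = $path;
    }
    return $installed[$requested] ?? null;
}

// Constructed sample: a throwaway language directory with two packs.
$langDir = sys_get_temp_dir() . '/arsc_lang_demo_' . getmypid();
@mkdir($langDir);
foreach (['english', 'german'] as $name) {
    file_put_contents("$langDir/$name.inc.php", "<?php \$arsc_lang_name = '$name';\n");
}

foreach (['english', 'elvish', '../../etc/passwd', ['x']] as $input) {
    $file = resolve_language_file($langDir, $input);
    $label = is_array($input) ? '(array)' : $input;
    if ($file === null) {
        // Same fixed message for every failure: no path, no echo of input.
        echo "$label => rejected: Language file missing.\n";
    } else {
        include $file;
        echo "$label => loaded $arsc_lang_name\n";
    }
}

// Clean up the constructed files.
array_map('unlink', glob($langDir . '/*.inc.php'));
rmdir($langDir);
```

In a deployment the `display_errors` setting belongs in `php.ini` or the virtual host configuration, so that errors raised before this code runs are also kept out of responses.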

 
 

