OSEC

From: Ahmet Sabri ALPER (s_alperhotmail.com)
Date: Sat Mar 16 2002 - 17:24:45 CST

    +/--------\------- ALPER Research Labs -----/--------/+
    +/---------\------ Security Advisory ----/---------/+
    +/----------\----- ID: ARL02-A07 ---/----------/+
    +/-----------\---- salperolympos.org --/-----------/+


    Advisory Information
    --------------------
    Name : ARSC Really Simple Chat System Information Path Disclosure Vulnerability
    Software Package : ARSC Really Simple Chat
    Vendor Homepage : http://manuel.kiessling.net/projects/software/arsc/
    Vulnerable Versions: v1.0.1 and v1.0
    Platforms : PHP Dependent
    Vulnerability Type : Input Validation Error
    Vendor Contacted : 15/03/2002
    Vendor Replied : 15/03/2002
    Prior Problems : N/A
    Current Version : v1.0.1 (vulnerable)


    Summary
    -------
    ARSC is a webchat system that uses PHP and
    MySQL and allows web-based chatting from almost
    every browser type, using JavaScript, frames and
    server push / socket server on modern browsers
    down to a one-page reload-yourself lynx version.

    A vulnerability exists in ARSC Really Simple Chat,
    which could allow any remote user to view the full
    path to the web root.


    Details
    -------
    If a user submits a specially crafted HTTP request
    to a site running ARSC Really Simple Chat, the
    response reveals the absolute path to the web root
    and may also disclose further information about
    the system.

    This issue may be exploited by requesting an invalid
    language file in "home.php".

    Example:
    http://ARSC_site/home.php?arsc_language=elvish
    where "elvish" is a non-existing language file.

    This would return the web root path in an error
    message:
    "Warning: Failed
    opening 'shared/language/elvish.inc.php'
    for inclusion (include_path='.:/usr/local/lib/php') in
    /var/ftproot/blahblah/site/home.php on line 6"


    This information may be used to aid in
    further "intelligent" attacks against the host running
    the vulnerable ARSC Really Simple Chat system.


    Solution
    --------
    The vendor confirmed the vulnerability in ARSC
    Really Simple Chat, versions 1.0.1 and 1.0. They
    added that they will be releasing a new version soon,
    which will be immune to this vulnerability and will be
    named v1.0.1p1.

    For now you can use my suggested workaround:
    Adding an IF-ELSE statement in "home.php" to check
    if the requested language pack is installed or not.

    // $dosya ("file" in Turkish) is the language pack the request asked for
    $dosya = "shared/language/" . $arsc_language . ".inc.php";
    // stop before the include so PHP never emits a warning carrying the full path
    if (! file_exists($dosya)) {
        die("Language file missing.");
    }

    This will end the script if a non-existing language was
    selected. Add this piece of code to the beginning
    of "home.php" with no warranties.
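    As an added illustration (not part of the advisory or of the ARSC code), the fragment below contrasts the include pattern the advisory describes with a stricter version that only accepts language names found among the installed packs, so no request value reaches the filesystem path unvalidated. The function names, the "english" default and the use of $_GET instead of the register_globals-era bare variable are assumptions.

```php
<?php
// Added example, not from the ARSC project or the advisory. Function names,
// the "english" default and the $_GET lookup are assumptions.

// Include pattern as the advisory describes it: the language name from the
// request is concatenated straight into the include path, so a name with no
// matching file makes PHP emit a warning that contains the absolute script
// path (unless display_errors is Off in php.ini).
function includeLanguageUnchecked(string $arsc_language): void
{
    include 'shared/language/' . $arsc_language . '.inc.php';
}

// Enumerate the installed language packs and return their bare names, so a
// request value can be compared with them exactly.
function installedLanguages(): array
{
    $names = [];
    foreach (glob('shared/language/*.inc.php') ?: [] as $path) {
        $names[] = basename($path, '.inc.php');
    }
    return $names;
}

// Hardened resolution: only a name that is on the installed list is used;
// anything else silently falls back to the default pack.
function resolveLanguageFile(string $requested, string $default = 'english'): string
{
    $name = in_array($requested, installedLanguages(), true) ? $requested : $default;
    return 'shared/language/' . $name . '.inc.php';
}

// Usage at the top of home.php.
$requested = isset($_GET['arsc_language']) ? (string) $_GET['arsc_language'] : 'english';
$file = resolveLanguageFile($requested);
if (!is_file($file)) {
    // Generic message only: never echo paths or PHP warnings to the client.
    http_response_code(500);
    exit('Language file missing.');
}
include $file;
```

    Unlike the file_exists workaround above, this never lets an arbitrary request value form part of the path, and the generic error keeps the response free of server-side details even when the default pack itself is missing.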


    Credits
    -------
    Discovered on 15 March 2002 by
    Ahmet Sabri ALPER
    salperolympos.org
    Olympos Turkish Security Portal:
    http://www.olympos.org


    References
    ----------
    Product Web Page:
    http://manuel.kiessling.net/projects/software/arsc/