[24663] in bugtraq
[ARL02-A06] Black Tie Project System Information Path Disclosure
daemon@ATHENA.MIT.EDU (Ahmet Sabri ALPER)
Wed Mar 13 16:33:15 2002
Date: 12 Mar 2002 17:26:52 -0000
Message-ID: <20020312172652.714.qmail@mail.securityfocus.com>
From: Ahmet Sabri ALPER <s_alper@hotmail.com>
To: bugtraq@securityfocus.com
+/--------\------- ALPER Research Labs -----/--------/+
+/---------\------ Security Advisory ----/---------/+
+/----------\----- ID: ARL02-A06 ---/----------/+
+/-----------\---- salper@olympos.org --/-----------/+
Advisory Information
--------------------
Name : Black Tie Project System Information Path Disclosure Vulnerability
Software Package : Black Tie Project (BTP)
Vendor Homepage : http://btp.logiciel-fr.com/
Vulnerable Versions: v0.5b, v0.5, v04.b
Platforms : PHP Dependent
Vulnerability Type : Input Validation Error
Vendor Contacted : 11/03/2002
Vendor Replied : 12/03/2002
Prior Problems : N/A
Current Version : v0.5b (vulnerable)
Summary
-------
BTP (the Black Tie Project) is a very modular portal
system with independent modules. It allows you to
add and remove a module, and create and customize
your own modules at any time.
BTP is written in French and is coded in PHP.
It includes modules with wap, articles, comment,
mail, news, and more.
A vulnerability exists in BTP, which could allow any
remote user to view the full path to the web root.
Details
-------
A remote user who submits a crafted HTTP request to
a site running BTP can cause it to reveal the
absolute path to the web root, and possibly further
information about the system.
This issue may be exploited by requesting an invalid
category ID (cid) in "categorie.php3".
Example:
http://BTP_site/categorie.php3?cid=blahblah
Where "blahblah" is a non-existing category number.
This would return the web root path in an error
message:
"Warning: Unable to jump to row 0 on MySQL result index 2 in /home/software/a/htdocs/site/examplesite.com/categorie.php3 on line 11"
This information may be used to aid in further
"intelligent" attacks against the host running the
vulnerable BTP system.
Solution
--------
The vendor confirmed the vulnerability in the Black
Tie Project and stated that they will be releasing a
new version with better modules and increased
security in a few months.
I suggest the following as a workaround:
Put an IF ELSE statement in categorie.php3, like:
    if ($requested_cat_number == "") {
        die ("Categorie number not found!");
    }
    else {
        // the original script functions
    }
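
Added example (not part of the original advisory and not BTP code): one way to harden a category lookup so that an invalid cid such as "blahblah" yields a fixed message instead of a PHP warning containing the script path. It goes beyond the empty-string check by validating the value and handling a missing row. The function names, the table and column names, and the in-memory SQLite database standing in for MySQL are assumptions.

```php
<?php
// Added example, not BTP code. Names and schema below are assumptions.

// Keep warnings (which embed absolute file paths) out of HTTP responses;
// send them to the server log instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Accept only a short, plain decimal string that is a positive integer.
function parse_cid($raw) {
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 9) {
        return null;            // rejects "", "blahblah", "-1", "1 OR 1=1"
    }
    $n = (int) $raw;
    return $n > 0 ? $n : null;
}

// Return the category row, or null when the id is invalid or unknown.
// The caller never touches a result row that does not exist.
function fetch_category(PDO $db, $raw) {
    $cid = parse_cid($raw);
    if ($cid === null) {
        return null;
    }
    $st = $db->prepare('SELECT id, name FROM categories WHERE id = ?');
    $st->execute([$cid]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo data: in-memory SQLite used only so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO categories (id, name) VALUES (1, 'news')");

// Constructed cid values: valid, non-numeric, empty, and numeric but unknown.
foreach (['1', 'blahblah', '', '999'] as $raw) {
    $row = fetch_category($db, $raw);
    // Same generic message for every failure: no path, no SQL detail.
    $out = $row !== null ? $row['name'] : 'Category not found';
    echo var_export($raw, true), ' => ', $out, "\n";
}
```
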
Credits
-------
Discovered on 11, March, 2002 by
Ahmet Sabri ALPER
salper@olympos.org
Olympos Turkish Security Portal:
http://www.olympos.org
References
----------
Product Web Page:
http://sourceforge.net/projects/phpfirstpost/