[25702] in bugtraq
[ARL02-A14] ZenTrack System Information Path Disclosure Vulnerability
daemon@ATHENA.MIT.EDU (Ahmet Sabri ALPER)
Mon Jun 10 13:21:45 2002
Date: 10 Jun 2002 11:47:53 -0000
Message-ID: <20020610114753.16654.qmail@mail.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: Ahmet Sabri ALPER <s_alper@hotmail.com>
To: bugtraq@securityfocus.com
+/--------\-------- ALPER Research Labs ------/--------/+
+/---------\------- Security Advisory -----/---------/+
+/----------\------ ID: ARL02-A14 ----/----------/+
+/-----------\----- salper@olympos.org ---/-----------/+
Advisory Information
--------------------
Name : ZenTrack System Information Path Disclosure Vulnerability
Software Package : zenTrack
Vendor Homepage : http://zentrack.phpzen.net/
Vulnerable Versions: v2.0.3, v2.0.2beta and older
Platforms : OS Independent, PHP
Vulnerability Type : Input Validation Error
Vendor Contacted : 01/06/2002
Vendor Replied : No Reply
Prior Problems : N/A
Current Version : v2.0.3 (vulnerable)
Summary
-------
ZenTrack is a complete project management, bug tracking,
and ticket/tech support/phone log system. Highly
configurable and adaptable. Supports most databases,
including mySql, Oracle, and Postgres. Works on Windows
and Unix systems.
A vulnerability exists in zenTrack that could allow any
remote user to view the full path to the web root and
possibly other sensitive information.
Details
-------
If a user submits a maliciously crafted HTTP request to a
site running zenTrack, the response reveals the absolute
path to the web root, and more information about the system
might also be revealed.
This issue may be exploited by requesting an invalid ticket
ID. The $id variable must contain an integer value that
does not correspond to an existing ticket.
Proof-of-concept link example:
http://[TARGET]/ticket.php?id=99999
This would return the web root at the top of the page, like:
"Warning: extract() expects first argument to be an array in
/home/users/zen/sub/zentr/www/ticket.php on line 49"
Solution
--------
The vendor was unreachable or did not care to reply.
A new version was released on 03/06/2002, but the vendor
seems unaware of the issue.
Workaround:
Check whether the ticket number in "$id" exists.
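Added example, not part of the original advisory and not zenTrack's own code: the workaround above written out in PHP, with the unchecked pattern that produces the extract() warning shown beside the checked one. The names find_ticket(), TICKETS, render_ticket_unchecked() and render_ticket_checked() are hypothetical, the sample tickets are constructed, and the two ini_set() calls are an extra hardening step assumed here rather than taken from the advisory.

```php
<?php
// Added example: hypothetical stand-in for ticket.php, not zenTrack's code.
// Constructed sample data replaces the real database lookup.
const TICKETS = [
    1 => ['title' => 'Printer offline', 'status' => 'OPEN'],
    2 => ['title' => 'Reset password',  'status' => 'CLOSED'],
];

// Hypothetical lookup: returns the ticket row, or null when the ID is unknown.
function find_ticket(int $id): ?array
{
    return TICKETS[$id] ?? null;
}

// Pattern behind the warning: the lookup result goes straight into extract().
// For id=99999 the result is not an array, so PHP reports the error together
// with the script's absolute path when display_errors is on.
function render_ticket_unchecked(int $id): string
{
    extract(find_ticket($id));   // null for unknown IDs -> warning / TypeError
    return "$title [$status]";
}

// Workaround from the advisory: confirm the ticket exists before using it.
function render_ticket_checked($rawId): array
{
    // Accept only a positive integer; anything else is a bad request.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [400, 'Invalid ticket ID.'];
    }
    $ticket = find_ticket($id);
    if ($ticket === null) {
        return [404, 'Ticket not found.'];   // generic message, no paths
    }
    // Read named fields instead of extract(); escape before output.
    $title  = htmlspecialchars($ticket['title'], ENT_QUOTES, 'UTF-8');
    $status = htmlspecialchars($ticket['status'], ENT_QUOTES, 'UTF-8');
    return [200, "$title [$status]"];
}

// Defence in depth: keep PHP diagnostics out of responses, log them instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

foreach (['1', '99999', 'abc'] as $raw) {
    [$code, $body] = render_ticket_checked($raw);
    echo "id=$raw -> $code $body\n";
}
```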
Credits
-------
Discovered on 01, June, 2002 by
Ahmet Sabri ALPER <salper@olympos.org>
ALPER Research Labs.
The ALPER Research Labs [ARL] workers are freelance
security professionals and WhiteHat hackers. ARL workers
are available for hire for legal jobs.
ARL also supports the Open Software Community by detecting
possible security issues in GPL or any other publicly
licensed products.
References
----------
Product Web Page: http://zentrack.phpzen.net/
Olympos: http://www.olympos.org/