Bugtraq mailing list archives

[ARL02-A05] PHP FirstPost System Information Path Disclosure Vulnerability


From: Ahmet Sabri ALPER <s_alper () hotmail com>
Date: 12 Mar 2002 14:24:49 -0000



+/--------\------- ALPER Research Labs   -----/--------/+
+/---------\------  Security Advisory    ----/---------/+
+/----------\-----    ID: ARL02-A05      ---/----------/+
+/-----------\---- salper () olympos org    --/-----------/+


Advisory Information
--------------------
Name               : PHP FirstPost System Information Path Disclosure Vulnerability
Software Package   : PHP First Post
Vendor Homepage    : http://sourceforge.net/projects/phpfirstpost/
Vulnerable Versions: v0.1
Platforms          : PHP Dependent
Vulnerability Type : Input Validation Error
Vendor Contacted   : 11/03/2002
Vendor Replied     : 12/03/2002
Prior Problems     : N/A
Current Version    : v0.1 (vulnerable)


Summary
-------
PHP FirstPost is yet another PHP weblog. This one, however, is based on Scoop, and has the open submission queue and comment rating system.

A vulnerability exists in PHP FirstPost, which could 
allow any remote user to view the full path to the web 
root.


Details
-------
If a remote user submits a maliciously crafted HTTP request, the application reveals the absolute path to the web root, and possibly further information about the system. The issue is triggered by requesting an invalid post number, independent of the article number.

Example:
http://PHPFirstPost_site/article.php?article=4965&post=NO_SUCH_NUMBER
Where NO_SUCH_NUMBER is a non-existing post reply number.

This would return the article (if it exists) and, below it, the web root path in an error message:
"Warning: Unable to jump to row 0 on MySQL result index 11 in /home/httpd/examplesite/html/article.php on line 737"


Solution
--------
The vendor verified the vulnerability in PHP FirstPost and added that the project was "on hold" for a while, but said that they are planning to release a new version with new features and a fix for the issue in the not-too-distant future.

I suggest the following as a workaround:

Put an IF/ELSE statement in article.php, like:

<?php
// Workaround: stop before the MySQL row fetch when no post number was supplied,
// so the "Unable to jump to row" warning (and the script path) is never emitted.
if ($requested_post_number == "") {
    die("Post number not found!");
} else {
    // the original script functions
}
?>
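A more complete hardening of the post lookup, added here as an example and not PHP FirstPost's own code: the post number is validated as a positive integer, the row count is checked before any row is read, and PHP warnings are logged instead of being sent to the client. The table and column names, the $db connection and its credentials are assumptions.

```php
<?php
// Added example (not PHP FirstPost's own code). Assumed schema:
// table posts(id, article_id, body); assumed mysqli connection details.
ini_set('display_errors', '0');   // never echo warnings (and file paths) to the browser
ini_set('log_errors', '1');       // keep them in the server error log instead

/**
 * Return the body of one reply, or null when the post does not exist.
 * Rejects anything that is not a positive integer before touching MySQL,
 * and reads the row only if the query matched, so no "Unable to jump to
 * row 0" warning can ever be raised.
 */
function fetch_post(mysqli $db, int $article_id, $post): ?string
{
    $post_id = filter_var($post, FILTER_VALIDATE_INT,
                          ['options' => ['min_range' => 1]]);
    if ($post_id === false) {
        return null;              // "", "abc", "-1" and "1 OR 1=1" all end here
    }
    $stmt = $db->prepare('SELECT body FROM posts WHERE article_id = ? AND id = ?');
    $stmt->bind_param('ii', $article_id, $post_id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // null when zero rows matched
    $stmt->close();
    return $row['body'] ?? null;
}

// Usage in article.php: a missing reply yields a generic 404, not a path.
$db = new mysqli('localhost', 'user', 'secret', 'firstpost'); // assumed credentials
$body = fetch_post($db, (int) ($_GET['article'] ?? 0), $_GET['post'] ?? '');
if ($body === null) {
    http_response_code(404);
    exit('Post number not found!');
}
echo htmlspecialchars($body, ENT_QUOTES, 'UTF-8');
```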

Credits
-------
Discovered on 11 March 2002 by Ahmet Sabri ALPER
salper () olympos org
Ahmet Sabri ALPER
Olympos Turkish Security Portal: http://www.olympos.org


References
----------
Product Web Page: http://sourceforge.net/projects/phpfirstpost/

