Bugtraq mailing list archives

[ARL02-A14] ZenTrack System Information Path Disclosure Vulnerability


From: Ahmet Sabri ALPER <s_alper () hotmail com>
Date: 10 Jun 2002 11:47:53 -0000



+/--------\-------- ALPER Research Labs ------/--------/+
+/---------\-------  Security Advisory  -----/---------/+
+/----------\------    ID: ARL02-A14    ----/----------/+
+/-----------\----- salper () olympos org  ---/-----------/+


Advisory Information
--------------------
Name               : ZenTrack System Information Path Disclosure Vulnerability
Software Package   : zenTrack
Vendor Homepage    : http://zentrack.phpzen.net/
Vulnerable Versions: v2.0.3, v2.0.2beta and older
Platforms          : OS Independent, PHP
Vulnerability Type : Input Validation Error
Vendor Contacted   : 01/06/2002
Vendor Replied     : No Reply
Prior Problems     : N/A
Current Version    : v2.0.3 (vulnerable)


Summary
-------
ZenTrack is a complete project management, bug tracking, 
and ticket/tech support/phone log system. Highly 
configurable and adaptable. Supports most databases, 
including mySql, Oracle, and Postgres. Works on Windows 
and Unix systems.

A vulnerability exists in zenTrack which could allow any 
remote user to view the full path to the web root and 
possibly other sensitive information.


Details
-------
If a user submits a maliciously crafted HTTP request
to a site running zenTrack, the response reveals the 
absolute path to the web root, and more information 
about the system might also be revealed.

This issue may be exploited by requesting an invalid ticket 
ID. The $id variable must contain an integer value that 
does not correspond to an existing ticket.

Proof-of-concept link example:
http://[TARGET]/ticket.php?id=99999
This would return the web root path at the top of the page, like:
"Warning: extract() expects first argument to be an array in 
/home/users/zen/sub/zentr/www/ticket.php on line 49"


Solution
--------
The vendor was unreachable or did not care to reply.
A new version was released on 03/06/2002, but the vendor 
seems unaware of the issue.

Workaround:
Check if the "$id" ticket number exists.
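
The workaround above, sketched as an added example (not zenTrack's code and not part of the original advisory): fetch_ticket(), show_ticket() and the sample tickets are hypothetical stand-ins for the application's lookup. It verifies that the ticket exists before using the row and keeps PHP warnings, which carry the absolute script path, out of the response.

```php
<?php
// Added example, not zenTrack's code. fetch_ticket() and the ticket data are
// hypothetical stand-ins for the application's database lookup.

// Keep PHP warnings (which include absolute file paths) out of responses;
// log them on the server instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Constructed sample data standing in for the tickets table.
const TICKETS = [
    1 => ['title' => 'Printer offline', 'status' => 'OPEN'],
    2 => ['title' => 'Password reset',  'status' => 'CLOSED'],
];

// Returns the ticket row as an array, or false when no row matches,
// which is how a lookup for a non-existent id typically ends.
function fetch_ticket(int $id)
{
    return TICKETS[$id] ?? false;
}

// Pattern implied by the warning: the lookup result goes to extract()
// unchecked, so a missing ticket makes PHP raise an error naming the script path.
//   $row = fetch_ticket((int) $_GET['id']);
//   extract($row);

// Hardened handler: returns [HTTP status, body] and never calls extract().
function show_ticket($rawId): array
{
    // Accept only a positive decimal integer.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false || $id === null) {
        return [400, 'Invalid ticket ID.'];
    }
    $row = fetch_ticket($id);
    if (!is_array($row)) {
        // The workaround: the ticket does not exist, so answer generically.
        return [404, 'Ticket not found.'];
    }
    return [200, htmlspecialchars($row['title'] . ' [' . $row['status'] . ']')];
}

// Constructed inputs, including the advisory's id=99999 case.
foreach (['1', '99999', 'abc'] as $input) {
    [$status, $body] = show_ticket($input);
    echo "id=$input -> $status $body\n";
}
```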


Credits
-------
Discovered on 01, June, 2002 by 
Ahmet Sabri ALPER <salper () olympos org>
ALPER Research Labs.

The ALPER Research Labs. [ARL] workers are freelance 
security professionals and WhiteHat hackers. The ARL 
workers are available for hire for legal jobs.
The ARL also supports the Open Software Community by detecting 
possible security issues in GPL or any other Public Licensed 
product.


References
----------
Product Web Page: http://zentrack.phpzen.net/
Olympos: http://www.olympos.org/

