Bugtraq mailing list archives

[ARL02-A06] Black Tie Project System Information Path Disclosure Vulnerability


From: Ahmet Sabri ALPER <s_alper () hotmail com>
Date: 12 Mar 2002 17:26:52 -0000



+/--------\------- ALPER Research Labs   -----/--------/+
+/---------\------  Security Advisory    ----/---------/+
+/----------\-----    ID: ARL02-A06      ---/----------/+
+/-----------\---- salper () olympos org    --/-----------/+


Advisory Information
--------------------
Name                : Black Tie Project System Information Path Disclosure Vulnerability
Software Package    : Black Tie Project (BTP)
Vendor Homepage     : http://btp.logiciel-fr.com/
Vulnerable Versions : v0.5b, v0.5, v04.b
Platforms           : PHP Dependent
Vulnerability Type  : Input Validation Error
Vendor Contacted    : 11/03/2002
Vendor Replied      : 12/03/2002
Prior Problems      : N/A
Current Version     : v0.5b (vulnerable)


Summary
-------
BTP (the Black Tie Project) is a very modular portal 
system with independent modules. It allows you to 
add and remove a module, and create and customize 
your own modules at any time. 
BTP is written in French and is coded in PHP. 
It includes modules with wap, articles, comment, 
mail, news, and more.

A vulnerability exists in BTP, which could allow any 
remote user to view the full path to the web root.


Details
-------
A remote user who submits a maliciously crafted HTTP 
request to a site running BTP can reveal the absolute 
path to the web root, and more information about the 
system might be revealed as well.

This issue may be exploited by requesting an invalid 
category ID (cid) in "categorie.php3".

Example:
http://BTP_site/categorie.php3?cid=blahblah
Where "blahblah" is a non-existing category number.

This would return the web root path in an error 
message:
"Warning: Unable to jump to row 0 on MySQL result 
index 2 in 
/home/software/a/htdocs/site/examplesite.com/categorie.php3 
on line 11"

This information may be used to aid in further 
"intelligent" attacks against the host running the 
vulnerable BTP system.


Solution
--------
The vendor confirmed the vulnerability in the Black 
Tie Project and stated that they will be releasing a 
new version with better modules and increased 
security in a few months.

I suggest the following as a workaround:

Put an IF ELSE statement in categorie.php3, like:

if ($requested_cat_number == "") {
    // stop before the query runs when no category number was supplied
    die ("Categorie number not found!");
}
else {
    // the original script functions
}


Credits
-------
Discovered on 11, March, 2002 by 
Ahmet Sabri ALPER 
salper () olympos org

Olympos Turkish Security Portal: 
http://www.olympos.org


References
----------
Product Web Page: 
http://sourceforge.net/projects/phpfirstpost/
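
A fuller form of the workaround in the Solution section, as an added example that is not part of the advisory or of BTP's own code: it rejects a non-numeric cid, treats an empty result set as a normal "not found" case, and keeps PHP error text out of the response. The `categories` table, its columns and the function names are assumptions, and an in-memory SQLite database stands in for the MySQL backend so the script runs offline (PHP 7.1+ with pdo_sqlite).

```php
<?php
// Added example, not BTP code. Table, column and function names are hypothetical.
declare(strict_types=1);

// Keep PHP warnings (which embed absolute script paths) out of HTTP responses.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/** Return the category row for a raw "cid" value, or null if invalid or unknown. */
function find_category(PDO $db, $rawCid): ?array
{
    // Reject anything that is not a plain positive integer ("blahblah", "", arrays).
    $cid = filter_var($rawCid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($cid === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, name FROM categories WHERE id = :id');
    $stmt->execute([':id' => $cid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // An empty result set is an expected case: never read row 0 without checking.
    return $row === false ? null : $row;
}

/** Build [status, body]; every bad or unknown cid gets the same generic 404. */
function render_category(PDO $db, $rawCid): array
{
    try {
        $cat = find_category($db, $rawCid);
    } catch (PDOException $e) {
        error_log('category lookup failed: ' . $e->getMessage()); // detail stays server-side
        return [500, 'Internal error'];
    }
    if ($cat === null) {
        return [404, 'Category not found'];
    }
    return [200, 'Category: ' . htmlspecialchars($cat['name'])];
}

// Constructed sample data (stand-in for the real category table).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO categories VALUES (1, 'News')");

foreach (['1', 'blahblah', '', '999'] as $cid) {
    [$status, $body] = render_category($db, $cid);
    printf("cid=%-10s -> %d %s\n", var_export($cid, true), $status, $body);
}
```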

