[NEWS] PHP FirstPost System Information Path Disclosure Vulnerability

From: support@securiteam.com
Date: 03/16/02


From: support@securiteam.com
To: list@securiteam.com
Date: Sat, 16 Mar 2002 11:57:05 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  PHP FirstPost System Information Path Disclosure Vulnerability
------------------------------------------------------------------------

SUMMARY

PHP FirstPost <http://sourceforge.net/projects/phpfirstpost/> is yet
another PHP weblog. This one, however, is based on Scoop, and has the open
submission queue and comment rating system.
A vulnerability exists in PHP FirstPost, which could allow any remote user
to view the full path to the web root.

DETAILS

Vulnerable systems:
PHP First Post v0.1

A maliciously crafted HTTP request from a remote user reveals the absolute
path to the web root, along with further information about the system.
The issue can be triggered by requesting an invalid post number,
regardless of the article number.

Example:
http://PHPFirstPost_site/article.php?article=4965&post=NO_SUCH_NUMBER
Where NO_SUCH_NUMBER is a non-existing post reply number.

This would return the article (if it exists) and below it the web root
path in an error message:
"Warning: Unable to jump to row 0 on MySQL result index 11 in
/home/httpd/examplesite/html/article.php on line 737"

Vendor response:
The vendor verified the vulnerability in PHP FirstPost, and added that the
project was "on hold" for a while but they are planning to release a new
version with new features and the fix for the issue in the not-too-distant
future.

Workaround:

Add an if/else check to article.php, for example:

    if ($requested_post_number == "") {
        die("Post number not found!");
    }
    else {
        // the original script functions
    }
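
An added example, not part of the original advisory or of PHP FirstPost's code: a stricter form of the workaround above that rejects non-numeric post values, checks that the query returned a row before using it, and keeps PHP warnings out of the response. The lookup_post() helper, the posts table and its columns are hypothetical, and PDO with an in-memory SQLite database stands in for the site's MySQL server.

```php
<?php
// Added example, not PHP FirstPost code. Table and column names and the
// lookup_post() helper are hypothetical; an in-memory SQLite database
// stands in for the site's MySQL server so the script runs offline.

// Keep PHP warnings (which carry absolute file paths) out of responses
// and send them to the server log instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

function lookup_post(PDO $db, $article, $post): ?array
{
    // Accept only positive decimal integers for both parameters.
    $opts = ['options' => ['min_range' => 1]];
    $article = filter_var($article, FILTER_VALIDATE_INT, $opts);
    $post = filter_var($post, FILTER_VALIDATE_INT, $opts);
    if ($article === false || $post === false) {
        return null;
    }

    $stmt = $db->prepare(
        'SELECT id, body FROM posts WHERE article_id = ? AND id = ?'
    );
    $stmt->execute([$article, $post]);

    // fetch() returns false when no row matched. Test for that instead of
    // reading row 0 of an empty result, the case the advisory's warning
    // message ("Unable to jump to row 0") reports.
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER, article_id INTEGER, body TEXT)');
$db->exec("INSERT INTO posts VALUES (1, 4965, 'first reply')");

foreach (['1', 'NO_SUCH_NUMBER', '99999', ''] as $post) {
    $row = lookup_post($db, '4965', $post);
    // Same generic message for every failure: no path, no SQL detail.
    echo var_export($post, true), ' => ',
        $row === null ? 'Post number not found!' : $row['body'], "\n";
}
```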

ADDITIONAL INFORMATION

The information has been provided by Ahmet Sabri ALPER
<mailto:s_alper@hotmail.com>.
