[NEWS] ZenTrack System Information Path Disclosure Vulnerability

From: support@securiteam.com
Date: 06/11/02


From: support@securiteam.com
To: list@securiteam.com
Date: Tue, 11 Jun 2002 08:17:34 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  ZenTrack System Information Path Disclosure Vulnerability
------------------------------------------------------------------------

SUMMARY

 <http://sourceforge.net/projects/zentrack/> ZenTrack is a complete
project management, bug tracking, and ticket/tech support/phone log
system. Highly configurable and adaptable, simple design. Supports most
databases, including MySQL, Oracle, and PostgreSQL. Works on Windows and
UNIX. A vulnerability exists in ZenTrack, which allows remote users to
view the full path to the web root.

DETAILS

Vulnerable systems:
 * ZenTrack version 2.0.3, 2.0.2beta and older

By submitting a maliciously crafted HTTP request an authenticated ZenTrack
user can reveal the absolute path to the web root.

This issue can be exploited by requesting an invalid ticket ID. The $id
variable must contain a non-existing, integer value.

Proof-of-concept link example:
http://[TARGET]/ticket.php?id=99999

This would return the web root at the top of the page like; "Warning:
extract() expects first argument to be an array in
/home/users/zen/sub/zentr/www/ticket.php on line 49"

Workaround:
Check if the "$id" ticket number exists.

Vendor status:
The vendor was unresponsive.

ADDITIONAL INFORMATION

The information has been provided by <mailto:salper@olympos.org> Ahmet
Sabri ALPER.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.