+/--------\------- ALPER Research Labs -----/--------/+
+/---------\------ Security Advisory ----/---------/+
+/----------\----- ID: ARL02-A07 ---/----------/+
+/-----------\---- salper@olympos.org --/-----------/+

Advisory Information
--------------------
Name                : ARSC Really Simple Chat System Information Path Disclosure Vulnerability
Software Package    : ARSC Really Simple Chat
Vendor Homepage     : http://manuel.kiessling.net/projects/software/arsc/
Vulnerable Versions : v1.0.1 and v1.0
Platforms           : PHP Dependent
Vulnerability Type  : Input Validation Error
Vendor Contacted    : 15/03/2002
Vendor Replied      : 15/03/2002
Prior Problems      : N/A
Current Version     : v1.0.1 (vulnerable)

Summary
-------
ARSC is a webchat system that uses PHP and MySQL and allows web-based chatting
with almost every browser type: using JavaScript, frames and server push / a
socket server on modern browsers, down to a one-page reload-yourself lynx
version.

A vulnerability exists in ARSC Really Simple Chat which could allow any remote
user to view the full path to the web root.

Details
-------
If a user submits a specially crafted HTTP request to a site running ARSC
Really Simple Chat, the response reveals the absolute path to the web root,
and the same error message may expose further details about the system (here,
the PHP include_path). The issue is triggered by requesting a non-existent
language file through "home.php".

Example:

    http://ARSC_site/home.php?arsc_language=elvish

where "elvish" is a non-existing language file. This returns the web root
path in an error message:

    Warning: Failed opening 'shared/language/elvish.inc.php' for inclusion
    (include_path='.:/usr/local/lib/php') in /var/ftproot/blahblah/site/home.php
    on line 6

This information may be used to aid in further "intelligent" attacks against
the host running the vulnerable ARSC Really Simple Chat system.

Solution
--------
The vendor confirmed the vulnerability in ARSC Really Simple Chat, versions
1.0.1 and 1.0. They added that they will be releasing a new version soon,
which will be immune to this vulnerability and will be named v1.0.1p1.

For now you can use my suggested workaround: add an IF-ELSE statement in
"home.php" to check whether the requested language pack is installed or not.

    // Build the path of the requested language pack and stop before the
    // include if the file does not exist, so PHP never emits the warning.
    $dosya = "shared/language/" . $arsc_language . ".inc.php";
    if (! file_exists($dosya)) {
        die("Language file missing.");
    }

This will end the script if a non-existing language was selected. Add this
piece of code to the beginning of "home.php" with no warranties.

Credits
-------
Discovered on 15 March 2002 by Ahmet Sabri ALPER, salper@olympos.org
Olympos Turkish Security Portal: http://www.olympos.org

References
----------
Product Web Page: http://manuel.kiessling.net/projects/software/arsc/
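The workaround in the Solution section checks file_exists() on a path built from the user-supplied language name. The following is an added example, written for this advisory and not part of ARSC or the vendor's fix, showing a more complete version of the same check for "home.php": the requested language is matched against an explicit list of installed packs before any path is built, the include is guarded by is_file(), and the real file path is written to the server log rather than to the client. The array of installed packs, the function names, and reading the parameter from $_GET are assumptions for illustration; the directory "shared/language/" and the parameter name "arsc_language" come from the advisory.

```php
<?php
// Added example for the ARSC path-disclosure advisory; not ARSC's own code.
// Assumptions (not taken from the advisory): the installed language packs
// are the ones listed in $installed, the request parameter is read from
// $_GET, and the function names below are illustrative.

// Defence in depth: even if a warning is raised somewhere else in the
// application, do not echo it (and any filesystem path in it) to the client.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

$installed = array('en', 'de', 'tr');   // assumed set of installed packs
$default   = 'en';

// Return the requested language only if it is a well-formed tag AND one of
// the installed packs; otherwise fall back to the default. Because the
// value is validated before it is joined into a path, the filesystem is
// only ever asked about files that are known to exist.
function arsc_pick_language($requested, array $installed, $default)
{
    if (!is_string($requested) || !preg_match('/^[a-z]{2,8}$/', $requested)) {
        return $default;
    }
    return in_array($requested, $installed, true) ? $requested : $default;
}

// Load the language pack, failing with a generic message for the client and
// a detailed one for the server log. This is the same die() guard as the
// advisory's workaround, with the path kept out of the response.
function arsc_load_language($lang)
{
    $file = 'shared/language/' . $lang . '.inc.php';
    if (!is_file($file)) {
        error_log('ARSC: language file missing: ' . $file);
        die('Language file missing.');
    }
    require $file;
}

$requested = isset($_GET['arsc_language']) ? $_GET['arsc_language'] : $default;
arsc_load_language(arsc_pick_language($requested, $installed, $default));
```

With this in place a request such as home.php?arsc_language=elvish is served with the default pack instead of an error, and a genuinely missing file of an installed pack produces only "Language file missing." in the browser, with the absolute path appearing in the web server's error log for the operator.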