ARSC Really Simple Chat System Information Path Disclosure

by Nikola Strahija on March 18th, 2002

Vendor Homepage     : http://manuel.kiessling.net/projects/software/arsc/
Vulnerable Versions : v1.0.1 and v1.0
Platforms           : PHP Dependent
Vulnerability Type  : Input Validation Error
Vendor Contacted    : 15/03/2002
Vendor Replied      : 15/03/2002
Prior Problems      : N/A
Current Version     : v1.0.1 (vulnerable)


Summary
-------
ARSC is a webchat system that uses PHP and
MySQL and allows web based chatting with almost
every browser type; using JavaScript, frames and
server push / socket server on modern browsers
down to a one-page reload-yourself lynx version.

A vulnerability exists in ARSC Really Simple Chat,
which could allow any remote user to view the full
path to the web root.


Details
-------
A remote user who submits a crafted HTTP request
to a site running ARSC Really Simple Chat can reveal
the absolute path to the web root, and further
information about the system might be revealed
as well.

This issue may be exploited by requesting an invalid
language file in "home.php".

Example:
http://ARSC_site/home.php?arsc_language=elvish
where "elvish" is a non-existing language file.

This would return the web root path in an error
message:

"Warning: Failed opening 'shared/language/elvish.inc.php'
for inclusion (include_path='.:/usr/local/lib/php') in
/var/ftproot/blahblah/site/home.php on line 6"


This information may be used to aid in
further "intelligent" attacks against the host running
the vulnerable ARSC Really Simple Chat system.


Solution
--------
The vendor confirmed the vulnerability in ARSC
Really Simple Chat, versions 1.0.1 and 1.0. They
added that they will soon release a new version,
named v1.0.1p1, which will be immune to this
vulnerability.

For now you can use my suggested workaround:
add an IF-ELSE statement in "home.php" to check
whether the requested language pack is installed.

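// Build the path of the requested language pack
// ($dosya holds the file name).
$dosya = "shared/language/" . $arsc_language . ".inc.php";
if (!file_exists($dosya)) {
    // Stop before the include can emit a warning that reveals the path.
    die("Language file missing.");
}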

This will end the script if a non-existing language was
selected. Add this piece of code to the beginning
of "home.php" with no warranties.
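
A stricter form of the same check, as an added example that is not the advisory author's or the vendor's code: it accepts only a plain identifier as the language name, confirms the pack exists under shared/language/, falls back to a default pack, and keeps PHP warnings out of the HTTP response. Assumptions: the parameter is read from $_GET rather than a register_globals variable, the default pack is called "english", and the function and constant names are hypothetical.

```php
<?php
// Added example, not ARSC code. The directory layout and the parameter name
// come from the advisory; everything else here is an assumption.

const ARSC_LANG_DIR     = __DIR__ . '/shared/language';
const ARSC_DEFAULT_LANG = 'english'; // assumed name of the default pack

/**
 * Return the path of an installed language pack, or null when the requested
 * name is malformed or no such pack is installed.
 */
function arsc_resolve_language(string $requested, string $dir = ARSC_LANG_DIR): ?string
{
    // Accept only a short plain identifier, so the value can never contain
    // path separators, dots or NUL bytes and always names a file in $dir.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $requested)) {
        return null;
    }
    $path = $dir . '/' . $requested . '.inc.php';
    return is_file($path) ? $path : null;
}

// Warnings such as "Failed opening ... for inclusion" carry absolute paths:
// send them to the server log, never to the client.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

$requested = (isset($_GET['arsc_language']) && is_string($_GET['arsc_language']))
    ? $_GET['arsc_language']
    : ARSC_DEFAULT_LANG;

$langFile = arsc_resolve_language($requested);
if ($langFile === null) {
    // Record the rejected value server-side (json_encode escapes control
    // characters, so the log line cannot be split) and use the default pack.
    error_log('ARSC: rejected language ' . json_encode($requested));
    $langFile = arsc_resolve_language(ARSC_DEFAULT_LANG);
}
if ($langFile === null) {
    // Even the default pack is missing: fail with a fixed, path-free message.
    http_response_code(500);
    exit('Language file missing.');
}
include $langFile;
```

Placed at the top of "home.php", this replaces the bare include; setting display_errors to Off in php.ini gives the same protection to every other script on the site.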


