ALPER Research Labs
Security Advisory
ID: ARL02-A07
salper@olympos.org

Advisory Information
--------------------
Name               : ARSC Really Simple Chat System Information Path Disclosure Vulnerability
Software Package   : ARSC Really Simple Chat
Vendor Homepage    : http://manuel.kiessling.net/projects/software/arsc/
Vulnerable Versions: v1.0.1 and v1.0
Platforms          : PHP Dependent
Vulnerability Type : Input Validation Error
Vendor Contacted   : 15/03/2002
Vendor Replied     : waiting for 5 days reply period
Prior Problems     : N/A
Current Version    : v1.0.1 (vulnerable)

Summary
-------
ARSC is a webchat system that uses PHP and MySQL and allows web based chatting with almost every browser type; using JavaScript, frames and server push / socket server on modern browsers down to a one-page reload-yourself lynx version.

A vulnerability exists in ARSC Really Simple Chat which could allow any remote user to view the full path to the web root.

Details
-------
If any user submits a maliciously crafted HTTP request to the site running ARSC Really Simple Chat, the response reveals the absolute path to the web root, and further information about the system may be revealed as well.

This issue may be exploited by requesting an invalid language file in "home.php".

Example:

    http://ARSC_site/home.php?arsc_language=elvish

where "elvish" is a non-existing language file. This would return the web root path in an error message:

    "Warning: Failed opening 'shared/language/elvish.inc.php' for inclusion (include_path='.:/usr/local/lib/php') in /var/ftproot/blahblah/site/home.php on line 6"

This information may be used to aid in further "intelligent" attacks against the host running the vulnerable ARSC Really Simple Chat system.
Solution
--------
I suggest the following as a workaround: adding an IF-ELSE statement in "home.php" to check whether the requested language pack is installed or not.

    $dosya = "shared/language/" . $arsc_language . ".inc.php";
    if (! file_exists ($dosya)) {
        die ("Language file missing.");
    }

This will end the script if a non-existing language was selected. Add this piece of code to the beginning of "home.php" with no warranties.

Credits
-------
Discovered on 15 March 2002 by Ahmet Sabri ALPER salper@olympos.org

Ahmet Sabri ALPER
Olympos Turkish Security Portal: http://www.olympos.org

References
----------
Product Web Page: http://manuel.kiessling.net/projects/software/arsc/
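A stricter form of the workaround from the Solution section, added here as an example and not taken from the ARSC project: the requested language name is validated against a fixed allowlist before it is used to build any file path, and only then is the existence check applied, so no PHP warning containing the web root path is ever produced. The allowlist contents and the function name are assumptions.

```php
<?php
// Added example, not ARSC project code. Assumed list of installed language packs.
$arsc_languages = array('english', 'german', 'turkish');

function arsc_language_file($requested, array $installed)
{
    // Accept only an exact match against the installed pack names; anything
    // else (missing, non-string, or unknown) is rejected before path building.
    if (!is_string($requested) || !in_array($requested, $installed, true)) {
        return false;
    }
    $file = 'shared/language/' . $requested . '.inc.php';
    // The existence test from the advisory, now reached only for known names.
    return file_exists($file) ? $file : false;
}

$requested = isset($_GET['arsc_language']) ? $_GET['arsc_language'] : 'english';
$language_file = arsc_language_file($requested, $arsc_languages);
if ($language_file === false) {
    // Generic message: the client never sees a path or a PHP warning.
    die('Language file missing.');
}
include $language_file;
```

Independently of the code fix, setting display_errors to off in php.ini keeps any remaining warnings in the server log instead of the HTTP response.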