ID: OSVDB:17876 | Type: osvdb | Reporter: priestmaster (priest@priestmaster.org) | Modified: 2005-07-13T06:31:23
Description
Vulnerability Description
PHPCounter contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when a remote attacker makes a direct request to the prelims.php script without parameters; the resulting error message discloses the installation path, resulting in a loss of confidentiality.
Solution Description
Upgrade to version 7.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
Short Description
PHPCounter contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when a remote attacker makes a direct request to the prelims.php script without parameters; the resulting error message discloses the installation path, resulting in a loss of confidentiality.
Record Details
Title: PHPCounter prelims.php Path Disclosure
Affected Software: PHPCounter 7.2
CVSS: 5.0 (AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/)
CVE: CVE-2005-2289
Published: 2005-07-13T06:31:23
Manual Testing Notes
http://[victim]/CounterPath/prelims.php
References
Vendor URL: http://www.ekstreme.com/phplabs/phpcounter.php
Security Tracker: 1014478
Secunia Advisory ID: 15816 (https://secuniaresearch.flexerasoftware.com/advisories/15816/)
Related OSVDB ID: 17875 (https://vulners.com/osvdb/OSVDB:17875)
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-07/0218.html
CVE-2005-2289 (https://vulners.com/cve/CVE-2005-2289)
Related Records

CVE-2005-2289 (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2289), published 2005-07-18, CVSS 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N): PHPCounter 7.2 allows remote attackers to obtain sensitive information via a direct request to prelims.php, which reveals the path in an error message.

SECURITYVULNS:DOC:12437 (https://vulners.com/securityvulns/SECURITYVULNS:DOC:12437), published 2006-04-27, CVSS 5.0 (AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/): [Full-disclosure] Internet Explorer User Interface Races, Redeux

Microsoft Internet Explorer User Interface Race Condition

I. SYNOPSIS

Affected Systems:
 * Windows 98
 * Windows 98 Second Edition
 * Windows Millennium Edition
 * Windows 2000
 * Windows XP
 * Windows Server 2003

Risk: Medium
Impact: Remote code execution (some interaction required)
Status: Uncoordinated release
Date Reported: October 20, 2005
Date Released: April 26, 2006
URL: http://student.missouristate.edu/m/matthew007/advisories.asp?adv=2006-02 (delayed)
Author: Matthew Murphy (mattmurphy@kc.rr.com)

II. EXECUTIVE SUMMARY

VULNERABILITY OVERVIEW

Microsoft Internet Explorer suffers from a potential user interaction race in its handling of security dialogs. As a result, it may be possible for a malicious web site to install software on a visiting system or take other actions that may compromise the privacy or the security of the visitor.

IMPACT

A malicious web site, with a minimum of social engineering, may be able to compromise user systems.

III. TECHNICAL DESCRIPTION

Microsoft Internet Explorer has an extremely sophisticated security model based on content "zones", which controls the behavior of web sites and how potentially unsafe content on them is handled. The browser reacts differently to potential security risks depending upon what "zone" the content originates in.

The zone-based security model has had some serious security breaches, many of which can be attributed to the previous use of the "Local Machine Zone" to provide application-level functionality to web content.

Most security settings in Internet Explorer allow one of three settings for each zone:

 Enable
 Disable
 Prompt

Starting with Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1, some prompting is now done via the "Information Bar" feature. Prior to these releases, most prompting is done via modal dialogs.

Those dialogs that remain are vulnerable to an exploitable timing condition that may result in an unintended "Yes", "Allow" or "Install" answer to a security prompt. This situation is particularly serious on Windows Server 2003 RTM, Windows XP Service Pack 1, Windows 2000, and other older OSes, because prompting to allow ActiveX installation is still done via a modal dialog on those systems. On these systems, successful exploitation of this condition allows software installation as the logged on user.

On newer systems, the impact of this vulnerability is more limited, but remains serious. Many prompts continue to be delivered via modal dialogs. The most significant concern is that the default setting is "Enable" in most of these cases, meaning that users could potentially see their privacy compromised even if defaults had been significantly tightened.

A malicious user could create content that would request the user to click an object or press a sequence of keys. By delivering a security prompt during this process, the site could subvert the prompting and obtain permission for actions that were not necessarily authorized.

IV. SUGGESTED ACTIONS

WORKAROUNDS

* Set security settings to "Enable" or "Disable" rather than "Prompt"

The vulnerability at issue depends fundamentally on a weakness in the browser's method of prompting when warning users of potentially unsafe active content on a web page. By preemptively disabling certain functionality that would otherwise generate warnings, the exploitation of this vulnerability can be prevented or mitigated.

This functionality can be accessed from the "Tools" menu's "Internet Options" button. The "Security" tab of the dialog controls all of these settings. Such security configuration can also be enforced via Group Policy.

IMPACT OF WORKAROUND: Disabling functionality where prompts would otherwise have occurred may limit the functionality of certain web pages that depend on potentially-dangerous active content such as ActiveX controls.

MITIGATION RECOMMENDATIONS

* Limit viewing to trusted web sites

In some situations, browsing can be successfully limited to only trustworthy sites without significant loss of productivity. Users should be extremely cautious while browsing unknown or untrusted web sites, as such web sites are often able to introduce hostile code.

* Run exposed applications with reduced privileges

Users who log on interactively without the privileges of powerful groups such as the "Administrators" or "Power Users" groups are at a much lower risk of damage from successful exploitation of software vulnerabilities in client applications. This mitigation step greatly reduces the likelihood of a successful malware installation if this vulnerability is exploited.

V. VENDOR RESPONSE

* Microsoft was informed of this vulnerability on October 20, 2005.

* As part of its December patch cycle, Microsoft issued the incomplete MS05-054 patch which plugged a specific instance of this issue that had been previously reported by Secunia.

* MS05-054 does indeed provide minimal protection against subversion of the download prompting feature, but makes no attempt to secure other potential risk points.

* Contact with some members of the MSRC continued from the October report beyond this point, but contact from the assigned investigator did not take place until February 15, 2006.

* At that point in time, I was told that the vulnerability had been classed as a "Service Pack" fix, meaning that users of Windows 2000 will not receive a fix for this vulnerability.

* Further, the MSRC disputed my assessment that the vulnerability was at all similar to CVE-2005-2289 (the File Download vulnerability patched by MS05-054).

* Shortly after that decision, I informed MSRC that its assessment was incorrect and also that I had tentatively planned to disclose on April 24.

* MSRC could not provide me with a compelling justification for its choice of release timeframe. In a rather threatening e-mail, I was finally asked for exploit code, as well as justification of "why this issue is so important".

* After about an hour of work to actually write it, I provided the code to MSRC two days later on March 24.

* There is no further contact from MSRC following this point.

MSRC, for its troubles, got a two day reprieve because I was not yet prepared to disclose. So, I've (coincidentally) disclosed this issue in keeping with Michal Zalewski's informal "Bug Wednesday and Patch Saturday" policy. My experience with MSRC shows that Zalewski's strong objections to the generally-adversarial nature of the MSRC process and its lack of constructive results (particularly when Internet Explorer is involved) are well-founded. Simply put, don't shoot the messenger when your vendor and its patch processes are the problem most in need of a solution.

VI. REFERENCES

SecurityTracker Alert ID#1015720
http://securitytracker.com/id?1015720

OSVDB ID#22351
http://www.osvdb.org/displayvuln.php?osvdb_id=22351

NOTE: If other VDBs could indicate what identifiers they have assigned to this issue, that would be appreciated. I will use such IDs for reference points in the online version of this advisory to appear soon after the release of this version.

VII. CREDIT

Jesse Ruderman reported similar attacks against Mozilla Firefox, and provided the first research (that I am aware of) into user interface bugs and security ramifications of them:

http://www.squarefree.com/2004/07/01/race-conditions-in-security-dialogs/

VIII. CONTACT

You may contact the author of this advisory via e-mail at mattmurphy@kc.rr.com.