netVigilance Security Advisory 41

Fa Name version 1.0 Path Disclosure Vulnerability

Description:
Fa Name is useful portal (CMS) for .name websites. You can have a simple portal but useful one for you domain names and by using this portal you can show your complete information like photo, identification, projects and history to the others.

Successful exploitation requires PHP magic_quotes_gpc set to Off in php.ini file on the server. (Default for magic_quotes_gpc is On)

External References:
Mitre CVE: CVE-2007-3651
NVD NIST: CVE-2007-3651


Summary:
Fa Name is useful portal (CMS) for .name websites.

Security problems in the product allow attackers to gather the true path of the server-side script.

Release Date:
June 30 2008

Severity:

Access Vector: Network
Access Complexity: Medium
Authentication: None

Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None

Exploitability: Functional Exploit
Remediation Level: Workaround
Report Confidence: Uncorroborated

Base Vector: "AV:N/AC:M/Au:N/C:P/I:N/A:N"
Temporal Vector: "E:F/RL:W/RC:UR"

CVSS Base Score: 4.3
CVSS Impact Subscore: 2.9
CVSS Exploitability Subscore: 8.6
CVSS Temporal Score: 3.7


SecureScout Testcase ID:
TC 17971

Vulnerable Systems:
Fa Name version 1.0

Vulnerability Type:
Program flaws - The product scripts have flaws which lead to Warnings or even Fatal Errors.

Vendor:
FaScript

Vendor Status:
The Vendor has been notified.

Workaround:
Disable warning messages: modify in the php.ini file following line: display_errors = Off or/and in the php.ini file set magic_quotes_gpc = On.

Example:

Path Disclosure Vulnerability

REQUEST:
http://[TARGET]/[FANAME-DIRECTORY]/class/page.php?id=';
REPLY:
...Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in [SERVER PATH][FANAME-DIRECTORY]\class\page.php on line 6
...