Agora

=============================
Security REPORT W-Agora 4.1.5
=============================

Product: W-Agora 4.1.5 (maybe earlier)
Vulnerabilities: information disclosure, path disclosure, arbitrary file upload, OS command execution, cross-site scripting
Vuln.-Classes: Check out http://www.owasp.org/asac/ for more detailed information on "Attack Components"
Vendor: W-Agora Services (http://www.w-agora.com/)
Vendor-Status: contacted "info@w-agora.net" on Jul.6th 2003
Vendor-Patches:
http://cvs.sourceforge.net/cgi-bin/v...s.php3?rev=1.2
http://cvs.sourceforge.net/cgi-bin/v....php3?rev=1.15
http://cvs.sourceforge.net/cgi-bin/v....php3?rev=1.78
http://cvs.sourceforge.net/cgi-bin/v....php3?rev=1.63

Exploitable:
Local: ---
Remote: YES

============
Introduction
============

Visit "http://www.w-agora.com/en/index.php" for additional information.

=====================
Vulnerability Details
=====================

1) INFO DISCLOSURE
==================

OBJECT:
index.php

DESCRIPTION:
Requesting index.php with "info" as the QUERY-STRING makes the system give out sensitive
information about usernames, database systems, paths and other version information.

EXAMPLE:
---*---
http-request
http://servername/w-agorapath/index.php?info
---*---


2) PATH DISCLOSURE
==================

OBJECT:
modules.php

DESCRIPTION:
Requesting "modules.php" with invalid "mod" and "file" parameters leads to disclosure
of system installation paths.

EXAMPLE:
---*---
http-request
http://servername/w-agorapath/modules.php?mod=x&file=y
---*---


3) ARBITRARY FILE UPLOADS
=========================

OBJECT:
insert.php

DESCRIPTION:
If uploads are allowed, uploaded files are saved in the directory:
---*---
/forums/[sitename]/[forumname]/notes/attNr(see del_att[] checkbox).(filename.ext).[filename.extension]
---*---

If this directory is not protected (as recommended by w-agora), it is possible to access these
files through http-requests. Combined with uploaded scripts this leads to "Arbitrary OS command execution"!


4) ARBITRARY OS COMMAND EXECUTION
=================================

OBJECT:
index.php

DESCRIPTION:
The "action" parameter allows the insertion of files with a valid "script-extension".
Combined with Pt.3) this leads to arbitrary OS command execution.

EXAMPLE:
---*---
http-request
http://servername/w-agorapath/index.php?
with params:
bn=[validsitename]_[forumname]
&action=forums/[sitename]/[forumname]/notes/[att-nr].[scriptname_without_extension]
---*---
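
For defenders reviewing web-server logs for requests that match items 1, 3 and 4 above, the following Python check is an added example, not part of the original advisory or of W-Agora's code. The log lines, host addresses and the action name "list" are constructed, and treating any path separator in "action" as suspicious is an assumption about what legitimate values look like.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (common log format); hosts and names are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [06/Jul/2003:10:00:01 +0200] "GET /w-agora/index.php?info HTTP/1.0" 200 5120
192.0.2.11 - - [06/Jul/2003:10:01:00 +0200] "GET /w-agora/index.php?bn=site_forum&action=list HTTP/1.0" 200 9001
192.0.2.12 - - [06/Jul/2003:10:02:00 +0200] "GET /w-agora/index.php?bn=site_forum&action=forums/site/forum/notes/12.x HTTP/1.0" 200 77
192.0.2.12 - - [06/Jul/2003:10:02:30 +0200] "GET /w-agora/forums/site/forum/notes/12.x.php HTTP/1.0" 200 77
192.0.2.13 - - [06/Jul/2003:10:03:00 +0200] "GET /w-agora/index.php?bn=site_forum&action=forums%2Fsite%2Fforum%2Fnotes%2F12.x HTTP/1.0" 200 77
"""

REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
# Upload directory layout as given in item 3: /forums/[sitename]/[forumname]/notes/
NOTES_DIR_RE = re.compile(r"/forums/[^/]+/[^/]+/notes/")

def classify(target):
    """Return the advisory items (by label) that one request target matches."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    script = path.rsplit("/", 1)[-1]
    # parse_qs percent-decodes values; keep_blank_values keeps the bare "info" key.
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    if script == "index.php" and "info" in params:
        findings.append("1-info-disclosure")
    if NOTES_DIR_RE.search(path):
        findings.append("3-direct-notes-access")
    if script == "index.php":
        for value in params.get("action", []):
            # Assumption: legitimate action values are bare names without separators.
            if "/" in value or "\\" in value:
                findings.append("4-action-path")
                break
    return findings

def scan(log_text):
    """Return (line_number, findings) for every log line that matches a check."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        findings = classify(match.group(1)) if match else []
        if findings:
            hits.append((number, findings))
    return hits

if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG):
        print(number, ", ".join(findings))
```

Because the "action" value is compared after percent-decoding, the encoded request on the last sample line is flagged the same way as the plain one.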


5) CROSS SITE SCRIPTING / COOKIE THEFT
======================================

OBJECT:
profile.php

DESCRIPTION:
By changing the value of the "avatar-URL", client-side scripts can be executed, leading
to cookie and account (including admin) theft (cookies are used for authentication).

EXAMPLE:

Changing the "avatar" value to:
---*---
"http://wl.sk.net/ealsdk.gif' onError='javascript:alert(document.cookie)"
---*---
leads to execution of JS.


=======
Remarks
=======

---

====================
Recommended Hotfixes
====================

software patch(es).


EOF Martin Eiszner / @2003WebSec.org


=======
Contact
=======

WebSec.org / Martin Eiszner
Gurkgasse 49/Top14
1140 Vienna

Austria / EUROPE

mei@websec.org
http://www.websec.org
