W-Agora 4.1.5

2003-07-13T00:00:00
ID SECURITYVULNS:DOC:4822
Type securityvulns
Reporter Securityvulns
Modified 2003-07-13T00:00:00

Description

============================= Security REPORT W-Agora 4.1.5 =============================

Product:         W-Agora 4.1.5 (maybe earlier)
Vulnerabilities: information disclosure, path disclosure, arbitrary file-upload, OS command execution, cross site scripting
Vuln.-Classes:   Check out http://www.owasp.org/asac/ for more detailed information on "Attack Components"
Vendor:          W-Agora Services (http://www.w-agora.com/)
Vendor-Status:   contacted "info@w-agora.net" on Jul.6th 2003
Vendor-Patches:
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/checkout/w-agora/w-agora4/modules.php3?rev=1.2
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/checkout/w-agora/w-agora4/index.php3?rev=1.15
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/checkout/w-agora/w-agora4/insert.php3?rev=1.78
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/checkout/w-agora/w-agora4/update.php3?rev=1.63

Exploitable:
Local:  ---
Remote: YES

============ Introduction ============

Visit "http://www.w-agora.com/en/index.php" for additional information.

===================== Vulnerability Details =====================

1) INFO DISCLOSURE

OBJECT: index.php

DESCRIPTION: Requesting "info" as the QUERY-STRING makes the system give out sensitive information about usernames, database systems, paths and other version information.

EXAMPLE:
------
http-request
http://servername/w-agorapath/index.php?info
------

2) PATH DISCLOSURE

OBJECT: modules.php

DESCRIPTION: Requesting "modules.php" with invalid "mod" and "file" parameters leads to disclosure of system installation paths.

EXAMPLE:
------
http-request
http://servername/w-agorapath/modules.php?mod=x&file=y
------

3) ARBITRARY FILE UPLOADS

OBJECT: insert.php

DESCRIPTION: If uploads are allowed, uploaded files are saved in the directory:
------
/forums/[sitename]/[forumname]/notes/attNr(see del_att[] checkbox).(filename.ext).[filename.extension]
------

If this directory is not protected (as recommended by w-agora), it is possible to access these files through HTTP requests. Combined with uploaded scripts, this leads to "Arbitrary OS command execution"!

4) ARBITRARY OS COMMAND EXECUTION

OBJECT: index.php

DESCRIPTION: The "action" parameter allows the insertion of files with a valid "script-extension". Combined with Pt. 3), this leads to arbitrary OS command execution.

EXAMPLE:
------
http-request
http://servername/w-agorapath/index.php?
with params:
bn=[validsitename]_[forumname]
&action=forums/[sitename]/[forumname]/notes/[att-nr].[scriptname_without_extension]
------
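
A log check for the request patterns in items 1, 2 and 4, as an added example that is not part of the original advisory or of W-Agora. The names `classify`, `scan` and `KNOWN_MODULES` and the sample log lines are constructed for illustration; the module allow-list is an assumption that an operator would fill in for their own installation.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request field of a common/combined access-log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: the operator lists the modules really installed (placeholder name).
KNOWN_MODULES = {"example_module"}

def classify(target, known_modules=KNOWN_MODULES):
    """Return the advisory item numbers (1, 2, 4) that a request target matches."""
    parts = urlsplit(target)
    # The advisory names *.php, the vendor patches *.php3: treat both alike.
    script = parts.path.rsplit("/", 1)[-1].lower().rstrip("3")
    params = parse_qs(parts.query, keep_blank_values=True)
    hits = []
    if script == "index.php":
        if "info" in params:  # item 1: bare "info" query string
            hits.append(1)
        for action in params.get("action", []):
            value = unquote(action)  # second decode catches double encoding
            if "/" in value or "\\" in value or ".." in value:
                hits.append(4)  # item 4: "action" carries a file path
                break
    elif script == "modules.php":
        mods = params.get("mod", [])
        if "file" in params and any(m not in known_modules for m in mods):
            hits.append(2)  # item 2: module name that is not installed
    return hits

def scan(log_lines):
    """Return [(line_number, items)] for the log lines that match an item."""
    found = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        items = classify(match.group(1)) if match else []
        if items:
            found.append((number, items))
    return found

# Constructed sample log lines (addresses, paths and action names are made up).
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Jul/2003:10:00:01 +0200] "GET /forum/index.php?info HTTP/1.0" 200 5120',
    '192.0.2.10 - - [13/Jul/2003:10:00:05 +0200] "GET /forum/modules.php?mod=x&file=y HTTP/1.0" 200 310',
    '192.0.2.11 - - [13/Jul/2003:10:02:00 +0200] "GET /forum/index.php?bn=site_forum&action=forums%2Fsite%2Fforum%2Fnotes%2F12.note HTTP/1.0" 200 44',
    '192.0.2.12 - - [13/Jul/2003:10:03:00 +0200] "GET /forum/index.php?bn=site_forum&action=list HTTP/1.0" 200 9000',
]

if __name__ == "__main__":
    for number, items in scan(SAMPLE_LOG):
        print(f"line {number}: advisory item(s) {items}")
```

Item 5 is not covered because the "avatar" value is not part of the request line that an access log records.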

5) CROSS SITE SCRIPTING / COOKIE THEFT

OBJECT: profile.php

DESCRIPTION: By changing the value of the "avatar-URL", client-side scripts can be executed, leading to cookie and account (including admin) theft (cookies are used for authentication).

EXAMPLE:

changing the "avatar" value to:
------
"http://wl.sk.net/ealsdk.gif' onError='javascript:alert(document.cookie)"
------
leads to execution of JS.

======= Remarks =======


==================== Recommended Hotfixes ====================

software patch(es).

EOF Martin Eiszner / @2003WebSec.org

======= Contact =======

WebSec.org / Martin Eiszner
Gurkgasse 49/Top14
1140 Vienna
Austria / EUROPE

mei@websec.org
http://www.websec.org