
W-Agora 4.1.5 Remote Exploit


=============================
Security REPORT W-Agora 4.1.5
=============================

Product:	W-Agora 4.1.5 (maybe earlier)
Vulnerabilities:	information disclosure, path disclosure, arbitrary file upload, OS command execution, cross site scripting
Vuln.-Classes:	Check out http://www.owasp.org/asac/ for more detailed information on "Attack Components"
Vendor:		W-Agora Services (http://www.w-agora.com/)
Vendor-Status:	contacted "info@w-agora.net" on Jul.6th 2003 
Vendor-Patches:	
		http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/*checkout*/w-agora/w-agora4/modules.php3?rev=1.2
		http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/*checkout*/w-agora/w-agora4/index.php3?rev=1.15
		http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/*checkout*/w-agora/w-agora4/insert.php3?rev=1.78
		http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/*checkout*/w-agora/w-agora4/update.php3?rev=1.63

Exploitable:
Local:		---
Remote:		YES

============
Introduction
============

Visit "http://www.w-agora.com/en/index.php" for additional information.

=====================
Vulnerability Details
=====================

1) INFO DISCLOSURE 
==================

OBJECT:
index.php 

DESCRIPTION:
Requesting "info" as the QUERY-STRING makes the system return sensitive information
about usernames, the database system, paths and other version information.

EXAMPLE:
---*---
http-request
http://servername/w-agorapath/index.php?info
---*---


2) PATH DISCLOSURE
==================

OBJECT:
modules.php

DESCRIPTION:
Requesting "modules.php" with invalid "mod" and "file" parameters discloses
the system installation paths.

EXAMPLE:
---*---
http-request
http://servername/w-agorapath/modules.php?mod=x&file=y
---*---


3) ARBITRARY FILE UPLOADS
=========================

OBJECT:
insert.php

DESCRIPTION:
If uploads are allowed, uploaded files are saved in the directory: 
---*---
/forums/[sitename]/[forumname]/notes/attNr(see del_att[] checkbox).(filename.ext).[filename.extension]
---*---

If this directory is not protected (as recommended by w-agora), these files can be accessed
through http requests. Combined with uploaded scripts this leads to "Arbitrary OS command execution"!


4) ARBITRARY OS COMMAND EXECUTION
=================================

OBJECT:
index.php

DESCRIPTION:
The "action" parameter allows the inclusion of files with a valid "script-extension".
Combined with Pt.3) this leads to arbitrary OS command execution.

EXAMPLE:
---*---
http-request
http://servername/w-agorapath/index.php?
with params:
bn=[validsitename]_[forumname]
&action=forums/[sitename]/[forumname]/notes/[att-nr].[scriptname_without_extension]
---*---
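The three request patterns above (the bare "info" query string, "modules.php" probing with unknown module names, and an "action" value that carries a path instead of a bare keyword) are easy to pick out of a web server access log. The following Python is an added detection example written for this advisory; it is not part of the original report or of W-Agora. The log lines are constructed samples in combined log format, and KNOWN_MODULES is an assumed list of legitimate module names that an operator would fill in from their own installation.

```python
"""Flag access-log lines matching the W-Agora request patterns in findings 1, 2 and 4."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Jul/2003:10:01:02 +0200] "GET /forum/index.php?info HTTP/1.0" 200 5120
10.0.0.5 - - [06/Jul/2003:10:01:09 +0200] "GET /forum/modules.php?mod=x&file=y HTTP/1.0" 200 812
10.0.0.7 - - [06/Jul/2003:10:02:30 +0200] "GET /forum/index.php?bn=site_forum&action=forums/site/forum/notes/3.cmd HTTP/1.0" 200 221
10.0.0.9 - - [06/Jul/2003:10:03:00 +0200] "GET /forum/index.php?bn=site_forum&action=list HTTP/1.0" 200 9031
10.0.0.9 - - [06/Jul/2003:10:03:05 +0200] "POST /forum/profile.php HTTP/1.0" 302 0
"""

# Assumed set of legitimate module names; take this from the real installation.
KNOWN_MODULES = {"search", "stats"}

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify_request(target):
    """Return the advisory finding a request path+query matches, or None."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1].lower()
    query = parse_qs(parts.query, keep_blank_values=True)
    raw_query = unquote(parts.query).lower()

    if script == "index.php":
        # Finding 1: the query string is just the word "info" (no key=value).
        if raw_query == "info" or query.get("info") == [""]:
            return "info-disclosure"
        # Finding 4: "action" should be a bare keyword; a path separator,
        # a parent reference or the attachment directory name means a file
        # is being named for inclusion.
        for action in query.get("action", []):
            a = unquote(action).lower()
            if "/" in a or "\\" in a or ".." in a or "notes" in a:
                return "file-include"

    if script == "modules.php":
        # Finding 2: "mod" values outside the known module list produce the
        # path-disclosing error; treat them as probes.
        mod = query.get("mod", [""])[0]
        if mod not in KNOWN_MODULES:
            return "path-disclosure"

    return None


def scan_log(text):
    """Return (client_ip, finding, request_target) for every flagged line."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        finding = classify_request(m.group("target"))
        if finding:
            hits.append((line.split()[0], finding, m.group("target")))
    return hits


if __name__ == "__main__":
    for ip, finding, target in scan_log(SAMPLE_LOG):
        print(f"{ip:<12} {finding:<16} {target}")
```

The "action" check errs on the side of flagging: a legitimate W-Agora action value is a keyword, so any path separator in it is worth a look, whereas the "mod" check depends on the operator keeping KNOWN_MODULES accurate.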


5) CROSS SITE SCRIPTING / COOKIE THEFT
======================================

OBJECT:
profile.php

DESCRIPTION:
By changing the value of the "avatar-URL", client side scripts can be executed. This leads
to cookie and account (including admin) theft, since cookies are used for authentication.

EXAMPLE:

changing the "avatar" value to:
---*---
"http://wl.sk.net/ealsdk.gif' onError='javascript:alert(document.cookie)"
---*---
leads to execution of JS.
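The avatar value above breaks out of the src attribute because the application neither validates the URL nor encodes it on output. The following Python is an added example of the two defensive layers, written for this advisory and not taken from W-Agora: a strict allow-list check on the stored value, and unconditional attribute encoding when the tag is rendered, so that even a value that slipped past validation cannot close the attribute. The default avatar path "/images/default_avatar.gif" is an assumed placeholder.

```python
"""Validate a user-supplied avatar URL and render it safely inside an HTML attribute."""
import html
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_SUFFIXES = (".gif", ".png", ".jpg", ".jpeg")
# Assumed fallback image path; adjust to the installation.
DEFAULT_AVATAR = "/images/default_avatar.gif"


def is_safe_avatar_url(value):
    """Accept only absolute http(s) image URLs made of URL-safe characters."""
    if not value or len(value) > 255:
        return False
    # Whitespace, quotes and angle brackets have no place in a URL and are
    # exactly what an attribute break-out needs; reject them outright.
    if any(c in value for c in " \t\r\n'\"<>"):
        return False
    try:
        parts = urlsplit(value)
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return False
    return parts.path.lower().endswith(ALLOWED_SUFFIXES)


def render_avatar_tag(value):
    """Return an <img> tag for the avatar; rejected values use the default image.

    The src is attribute-encoded regardless of validation, so quotes can never
    terminate the attribute even if the stored value is untrusted.
    """
    src = value if is_safe_avatar_url(value) else DEFAULT_AVATAR
    return '<img src="%s" alt="avatar">' % html.escape(src, quote=True)


if __name__ == "__main__":
    # The payload quoted in finding 5, used here only to show it is rejected.
    payload = "http://wl.sk.net/ealsdk.gif' onError='javascript:alert(document.cookie)"
    print(render_avatar_tag(payload))
    print(render_avatar_tag("http://example.org/me.png"))
    # Encoding alone also neutralises the single quote:
    print(html.escape(payload, quote=True))
```

Validation keeps bad data out of the database; encoding protects every template that later prints the value. Applying only the second layer would still leave the stored value free to reach other consumers (RSS feeds, mail notifications) unencoded.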


=======
Remarks
=======

---

====================
Recommended Hotfixes
====================

Apply the vendor patches listed under "Vendor-Patches" above.


EOF Martin Eiszner / @2003WebSec.org


=======
Contact
=======

WebSec.org / Martin Eiszner
Gurkgasse 49/Top14
1140 Vienna

Austria / EUROPE

mei@websec.org
http://www.websec.org
