W-Agora Multiple Vulnerabilities

[14.07.03] W-Agora Multiple Vulnerabilities

 

=============================

Security REPORT W-Agora 4.1.5

=============================

 

Product: W-Agora 4.1.5 (maybe earlier)

Vulnerabilities: information disclosure, path disclosure, arbitrary file-upload, OS command execution, cross site scripting

Vuln.-Classes: Check out www.owasp.org/asac/ for more detailed information on "Attack Components"

Vendor: W-Agora Services (http://www.w-agora.com/)

Vendor-Status: contacted "info@w-agora.net" on Jul.6th 2003

Vendor-Patches:

cvs.sourceforge.net/cgi-bin/viewcvs.cgi/*checkout*/w-agora/w-agora4/modules.php3

cvs.sourceforge.net/cgi-bin/viewcvs.cgi/*checkout*/w-agora/w-agora4/index.php3

cvs.sourceforge.net/cgi-bin/viewcvs.cgi/*checkout*/w-agora/w-agora4/insert.php3

cvs.sourceforge.net/cgi-bin/viewcvs.cgi/*checkout*/w-agora/w-agora4/update.php3

 

Exploitable:

Local: ---

Remote: YES

 

============

Introduction

============

 

Visit "http://www.w-agora.com/en/index.php" for additional information.

 

=====================

Vulnerability Details

=====================

 

1) INFO DISCLOSURE

==================

 

OBJECT:

index.php

 

DESCRIPTION:

By requesting "info" as QUERY-STRING, the system gives out sensitive information about usernames, database systems, paths and other version information.

 

EXAMPLE:

---*---
http-request
servername/w-agorapath/index.php
---*---

 

 

2) PATH DISCLOSURE

==================

 

OBJECT:

modules.php

 

DESCRIPTION:

Requesting "modules.php" with invalid "mod" and "file" parameters leads to disclosure of system installation paths.

 

EXAMPLE:

---*---
http-request
servername/w-agorapath/modules.php
---*---

 

 

3) ARBITRARY FILE UPLOADS

=========================

 

OBJECT:

insert.php

 

DESCRIPTION:

If uploads are allowed, uploaded files are saved in the directory:

---*---

/forums/[sitename]/[forumname]/notes/attNr(see del_att[] checkbox).(filename.ext).[filename.extension]

---*---

 

If this directory is not protected, as w-agora recommends it should be, it is possible to access these files through http-requests. Combined with uploaded scripts this leads to "Arbitrary OS command execution"!

 

 

4) ARBITRARY OS COMMAND EXECUTION

=================================

 

OBJECT:

index.php

 

DESCRIPTION:

The "action" parameter allows the insertion of files with a valid "script-extension".

Combined with Pt.3) this leads to arbitrary OS command execution.

 

EXAMPLE:

---*---
http-request
servername/w-agorapath/index.php?
with params:
bn=[validsitename]_[forumname]
&action=forums/[sitename]/[forumname]/notes/[att-nr].[scriptname_without_extension]
---*---
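
Added example, not part of the original advisory or of W-Agora's code: a log check for the request shape in point 4, where "action" carries a path instead of a plain action name. The log lines are constructed, and the rule that a legitimate action value contains only letters, digits and underscores is an assumption to adjust against the installed version.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (combined log format). Hosts, paths, site and
# forum names and the "list" action are made up for this example.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Jul/2003:10:00:01 +0200] "GET /agora/index.php?bn=site_general&action=list HTTP/1.0" 200 5120',
    '203.0.113.9 - - [14/Jul/2003:10:02:17 +0200] "GET /agora/index.php?bn=site_general&action=forums/site/general/notes/12.upload HTTP/1.0" 200 312',
    '203.0.113.9 - - [14/Jul/2003:10:02:40 +0200] "GET /agora/index.php?bn=site_general&action=forums%2Fsite%2Fgeneral%2Fnotes%2F12.upload HTTP/1.0" 200 312',
    '203.0.113.7 - - [14/Jul/2003:10:03:02 +0200] "GET /agora/view.php?bn=site_general&action=a/b HTTP/1.0" 200 900',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: a legitimate action is a bare name (letters, digits, underscore).
SAFE_ACTION_RE = re.compile(r"[A-Za-z0-9_]+")


def suspicious_action(line):
    """Return the decoded "action" value if it is not a bare name, else None."""
    match = REQUEST_RE.search(line)
    if match is None:
        return None
    url = urlsplit(match.group(1))
    if not url.path.endswith("/index.php"):
        return None
    for value in parse_qs(url.query).get("action", []):
        # parse_qs decodes once; decode again so double-encoded values are
        # reported in readable form.
        decoded = unquote(value)
        if decoded and not SAFE_ACTION_RE.fullmatch(decoded):
            return decoded
    return None


def scan(lines):
    """Return (line number, action value) for every flagged log line."""
    hits = []
    for number, line in enumerate(lines, 1):
        action = suspicious_action(line)
        if action is not None:
            hits.append((number, action))
    return hits


if __name__ == "__main__":
    for number, action in scan(SAMPLE_LOG):
        print(f"line {number}: action={action!r}")
```

Parameters sent in a POST body do not appear in access logs, so this check only covers values passed in the query string.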

 

 

5) CROSS SITE SCRIPTING / COOKIE THEFT

======================================

 

OBJECT:

profile.php

 

DESCRIPTION:

By changing the value of the "avatar-URL", client-side scripts can be executed, leading to cookie and account (including admin) theft, since cookies are used for authentication.

 

EXAMPLE:

Changing the "avatar" value to:
---*---
"http://wl.sk.net/ealsdk.gif' onError='javascript:alert(document.cookie)"
---*---
leads to execution of JS.

 

 

=======

Remarks

=======

 

---

 

====================

Recommended Hotfixes

====================

 

software patch(es).

 

 

EOF Martin Eiszner / @2003WebSec.org

 

 

=======

Contact

=======

 

SEC Consult Unternehmensberatung GmbH / Martin Eiszner

Blindengasse 3

1080 Vienna

 

Austria / EUROPE

 

m dot eiszner at sec-consult dot com

www.sec-consult.com