[14.07.03] W-Agora Multiple Vulnerabilities
=============================
Security REPORT W-Agora 4.1.5
=============================
Product: W-Agora 4.1.5 (maybe earlier)
Vulnerabilities: information disclosure, path disclosure, arbitrary file-upload, OS command execution, cross site scripting
Vuln.-Classes: Check out www.owasp.org/asac/ for more detailed information on "Attack Components"
Vendor: W-Agora Services (http://www.w-agora.com/)
Vendor-Status: contacted "info@w-agora.net" on Jul.6th 2003
Vendor-Patches:
cvs.sourceforge.net/cgi-bin/viewcvs.cgi/*checkout*/w-agora/w-agora4/modules.php3
cvs.sourceforge.net/cgi-bin/viewcvs.cgi/*checkout*/w-agora/w-agora4/index.php3
cvs.sourceforge.net/cgi-bin/viewcvs.cgi/*checkout*/w-agora/w-agora4/insert.php3
cvs.sourceforge.net/cgi-bin/viewcvs.cgi/*checkout*/w-agora/w-agora4/update.php3
Exploitable:
Local: ---
Remote: YES
============
Introduction
============
Visit "http://www.w-agora.com/en/index.php" for additional information.
=====================
Vulnerability Details
=====================
1) INFO DISCLOSURE
==================
OBJECT:
index.php
DESCRIPTION:
When "info" is requested as the QUERY-STRING, the system discloses sensitive information
about usernames, database systems, paths and other version information.
EXAMPLE:
---*---
http-request
servername/w-agorapath/index.php
---*---
2) PATH DISCLOSURE
==================
OBJECT:
modules.php
DESCRIPTION:
Requesting "modules.php" with invalid "mod" and "file" parameters leads to disclosure
of system installation paths.
EXAMPLE:
---*---
http-request
servername/w-agorapath/modules.php
---*---
3) ARBITRARY FILE UPLOADS
=========================
OBJECT:
insert.php
DESCRIPTION:
If uploads are allowed, uploaded files are saved in the directory:
---*---
/forums/[sitename]/[forumname]/notes/attNr(see del_att[] checkbox).(filename.ext).[filename.extension]
---*---
If this directory is not protected (as recommended by w-agora), it is possible to access these
files through http-requests. Combined with uploaded scripts this leads to "Arbitrary OS command execution"!
4) ARBITRARY OS COMMAND EXECUTION
=================================
OBJECT:
index.php
DESCRIPTION:
The "action" parameter allows the insertion of files with a valid "script-extension".
Combined with point 3) this leads to arbitrary OS command execution.
EXAMPLE:
---*---
http-request
servername/w-agorapath/index.php?
with params:
bn=[validsitename]_[forumname]
&action=forums/[sitename]/[forumname]/notes/[att-nr].[scriptname_without_extension]
---*---
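A log check for points 3) and 4), added here as an example and not part of the original advisory or of W-Agora: it flags direct requests into the attachment directory and "action" values that refer to a file path. It assumes Common/Combined Log Format access logs and that legitimate "action" values contain no path separators; all sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line inside a Common/Combined Log Format entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Attachment directory layout from section 3: forums/<site>/<forum>/notes/
NOTES_DIR_RE = re.compile(r"(?:^|/)forums/[^/]+/[^/]+/notes/", re.IGNORECASE)
# Entry scripts that read "action" (.php3 as in the vendor patch file names).
ENTRY_SCRIPTS = ("/index.php", "/index.php3")


def classify(log_line):
    """Return the findings for one access-log line (empty list if clean)."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    path = unquote(url.path)
    findings = []
    # Section 3: an attachment was fetched directly over HTTP.
    if NOTES_DIR_RE.search(path):
        findings.append("direct-attachment-access")
    # Section 4: "action" refers to a file path instead of a plain name.
    # Assumption: legitimate action values contain no path separators.
    if path.lower().endswith(ENTRY_SCRIPTS):
        for action in parse_qs(url.query).get("action", []):
            if NOTES_DIR_RE.search(action):
                findings.append("action-points-to-upload-dir")
            elif "/" in action or "\\" in action:
                findings.append("action-contains-path")
    return findings


def scan(lines):
    """Return (line_number, findings) for every line with a finding."""
    return [(n, f) for n, line in enumerate(lines, 1) if (f := classify(line))]


# Constructed sample log (hosts, names and sizes are made up).
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Jul/2003:10:00:01 +0200] "GET /w-agora/index.php?bn=site1_forum1 HTTP/1.0" 200 5120',
    '192.0.2.44 - - [14/Jul/2003:10:02:13 +0200] "GET /w-agora/index.php?bn=site1_forum1&action=forums/site1/forum1/notes/12.note HTTP/1.0" 200 311',
    '192.0.2.44 - - [14/Jul/2003:10:02:20 +0200] "GET /w-agora/index.php?bn=site1_forum1&action=forums%2Fsite1%2Fforum1%2Fnotes%2F12.note HTTP/1.0" 200 311',
    '192.0.2.44 - - [14/Jul/2003:10:03:02 +0200] "GET /w-agora/forums/site1/forum1/notes/12.note.txt HTTP/1.0" 200 88',
    '192.0.2.77 - - [14/Jul/2003:10:05:40 +0200] "GET /w-agora/index.php?action=some/dir/name HTTP/1.0" 404 210',
]

if __name__ == "__main__":
    for number, found in scan(SAMPLE_LOG):
        print(number, ", ".join(found))
```

The check only sees the request line, so "action" values sent in a POST body are not covered by it.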
5) CROSS SITE SCRIPTING / COOKIE THEFT
======================================
OBJECT:
profile.php
DESCRIPTION:
By changing the value of the "avatar-URL", client-side scripts can be executed, leading
to cookie and account (including admin) theft (cookies are used for authentication).
EXAMPLE:
Changing the "avatar" value to:
---*---
"http://wl.sk.net/ealsdk.gif' onError='javascript:alert(document.cookie)"
---*---
leads to execution of JS.
=======
Remarks
=======
---
====================
Recommended Hotfixes
====================
software patch(es).
EOF Martin Eiszner / @2003WebSec.org
=======
Contact
=======
SEC Consult Unternehmensberatung GmbH / Martin Eiszner
Blindengasse 3
1080 Vienna
Austria / EUROPE
m dot eiszner at sec-consult dot com