XSS and PHP include bug in W-Agora

From: xatr0z (xatr0zat_private)
Date: Thu Dec 19 2002 - 08:34:42 PST


    I have found some bugs in W-Agora's forum configuration filesystem. In the
    page editform.php, an admin or root user can open any file, with the "PHP
    Include bug". A sample of the script:
    
    ***editform.php***
    <?php
    # the script takes the parameter "file", appends ".php" to it, and includes
    # the resulting file from the directory "forums/agora/"
    include ( "forums/agora/" . $_GET["file"] . ".php" );
    ?>
    ***editform.php***
    
    With the following link, an "admin" or "root" user could open the file
    "conf/agora/site_agora.php":
    <URL:/editform.php?site=agora&file=../../conf/site_agora> (put the
    directory of your W-Agora forum for this file)
    
    Of course, this also works on other files.
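    The following is an added example of how that include could be hardened; it is
    not W-Agora's code, and the names safeForumPath() and the "forums" base
    directory are assumptions for illustration. The idea is to reject anything
    that is not a plain identifier before it reaches the filesystem, and then to
    confirm that the resolved path still sits below the forum directory:

```php
<?php
// Added example, not part of W-Agora. safeForumPath() and the
// "forums" base directory are assumed names for illustration.

// Returns the real path of forums/<site>/<file>.php, or null if either
// parameter is not a plain identifier or the resolved path escapes $base.
function safeForumPath(string $base, string $site, string $file): ?string
{
    // Only letters, digits, "_" and "-" are accepted, so "../", "/" and
    // null bytes (the ingredients of "../../conf/site_agora") are rejected.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $site) ||
        !preg_match('/^[A-Za-z0-9_-]+$/', $file)) {
        return null;
    }

    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }

    // realpath() resolves symlinks and ".." so the containment check below
    // compares canonical paths, not the attacker-supplied string.
    $candidate = realpath($baseReal . '/' . $site . '/' . $file . '.php');
    if ($candidate === false) {
        return null;
    }

    // Second line of defence: the final path must start with "<base>/".
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $candidate;
}

$path = safeForumPath(__DIR__ . '/forums', $_GET['site'] ?? '', $_GET['file'] ?? '');
if ($path === null) {
    http_response_code(400);
    exit('invalid forum file');
}
include $path;
```

    With this check in place, the request ?site=agora&file=../../conf/site_agora
    fails the identifier test and never reaches include(); a request for a file
    that exists under forums/agora/ still works as before.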
    
    The next bug I found was an XSS bug in the "Administration login" page.
    Here, any user could simply insert code. When a user visits the following
    URI:
    <URL:/editform.php?site=agora&blah=">Bug!>
    
    An HTML <INPUT> tag is created, and it would look like this:
    <input type="hidden" NAME="blah" VALUE="\">Bug!" />
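    As an added example that is not part of W-Agora, here is how a hidden field
    that echoes a request parameter can be emitted so that the value cannot
    break out of the attribute; hiddenField() is an assumed helper name:

```php
<?php
// Added example, not W-Agora's code. hiddenField() is an assumed helper.

// Builds a hidden <input> whose name and value are HTML-escaped for an
// attribute context.
function hiddenField(string $name, string $value): string
{
    // ENT_QUOTES escapes both " and ', so a value such as ">Bug! cannot
    // close the attribute early; ENT_SUBSTITUTE keeps invalid UTF-8 from
    // producing an empty string.
    $n = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $v = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="' . $n . '" value="' . $v . '" />';
}

// Constructed input mirroring the advisory's request parameter blah=">Bug!
echo hiddenField('blah', '">Bug!'), "\n";
```

    In the escaped output the double quote becomes &quot; and the greater-than
    sign becomes &gt;, so the browser keeps the whole string inside the value
    attribute. The backslash visible in the advisory's output (VALUE="\">Bug!")
    is the kind of escaping meant for SQL or string literals; in HTML it does
    nothing to stop the quote from terminating the attribute.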
    
    These are the bugs I found. Maybe there are more XSS or include bugs in
    W-Agora, but I am tired at the moment; maybe someone will find more.
    
    
    --
    
    N: D. Willems "xatr0z"
    E: <xatr0z at users dot sourceforge dot net>
    W: http://rootshell.be/~xatr0z
    
    
    -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: GnuPG v1.2.1 (MingW32)
    
    mQGiBD34tNcRBAD/Nhg00QameKtcq1Ut3/7/mrwcRAmnqH4cDDgIOO0Aw3XTsmM+
    19074p7u+019tP84uk6itb4Tf7P3DQb8uwQJ2Q8wkoNbPBm3i03svw3jjwnBuRAI
    +YogC/yHDpfbMF9SWqyh7K4en7IxYBu79vH55kdc8Ud+8CEjwTZI6aGWawCgsdJi
    +1QlbLKDcgUI2ZGunpLuv3kEAMzNlFM4O1P5hagWiPyLI5rcozZnrTbXqu6EyOFT
    9HyOqhsdJBkcd4gWNmYk1boJqYV/thfHYfnGFQ5eWpog4pLyxZl4WanO28KHT6MX
    dkXOm4RsVRu3PNrZGrbL99+lNSsQpfrksbep/xYwR41rYBy9VptaJ29KD5WIh9X0
    sR9rA/9ns6mWXrnIim0tMw5F5zYwAE0vgheeiXa9mUmNkEBuCkyqAZT/8k/n1VU9
    czT/UhS5bSaDr0NGlnWXyZKTgXAdPjsjZ9lDK7A3BON2qMrDMcTQdA8EFVVwmg+x
    mHHBA6aRnIjoZr9e52WbdBB7ipJD7HrhmmiAr3LPq5wdHhZXN7Q0RGFhbiBXaWxs
    ZW1zICh4YXRyMHopIDx4YXRyMHpAdXNlcnMuc291cmNlZm9yZ2UubmV0PohZBBMR
    AgAZBQI9+LTXBAsHAwIDFQIDAxYCAQIeAQIXgAAKCRDYKKUb3JFNVnnKAKCZ7KYB
    yBnn227ikPHaQUS/OFy6ZQCbBt69GEc1a8ODyNQdI7Z69zDGRby5Ag0EPfi03RAI
    AOXapquYF8ujevvWtlo9iqzRDZ/3u5gp/50+iAkKtxDlmGaKm70DxpYH4xNCHALT
    jzrdL+FjAb4m+SwftQkcoGU8ALDKy1nQmuB7qUwblENLcqvcaflt+nEPFth3pa+x
    2hcWlDyc5yi8A6zVAEeoPvZWvYJjrRL7OLAFmjC5ee15w+js64AZ8+lhhq15dEpe
    s8jDPpy/tWy/oF/B6eLbmhixcBarzpfC4hwPukEHMsEImyBxRM5lFuWMVSWZRAZP
    CKbabl3L6xj1aGQqk+oQwj663Pm1tx87/BZWYxbo+fXe0KcsZ4nSEyxroNhmkChZ
    oIkXKsh45h2Sr4RdAaoG13MAAwYIAIZ04SMwj4OfHn+m46pyRCrnKPpzq2KjhoFw
    N4EUjrU4L4HZugExghryHiFNX2Gm+FNhAMI5fOuIzCTikjzqARS95vSxvoDp+pMS
    5jo6lGztWGku9PGmhqvED7mvhpLdy53bBXe0IzYK7f+8y2a7FYpFG3p9OqCdFsFb
    s1Kt2XAe1kJo6cG2YYENtr+hsrzns4wMDHlxvfrU0kfhGppQhNEwVvfc0EFm3vU2
    rsHdh5BFgdvLf/tBYvs9Gvgfl9td66zh0gtB1LSsl5f+Nw1hl2fco7OBsW6xm+lR
    NUuky6agCIGs442sjGVhUQ5HPVhSACvLlIzuFwPI57spDiZZSR2IRgQYEQIABgUC
    Pfi03QAKCRDYKKUb3JFNVnzhAJ48I2Tt2PupwJ2WVIb4pCL4XyyQngCfft4cAI0N
    1UrkGQHISldIGCKNsFw=
    =cKhr
    -----END PGP PUBLIC KEY BLOCK-----
    



    This archive was generated by hypermail 2b30 : Fri Dec 20 2002 - 22:28:46 PST