=============================
Security REPORT W-Agora 4.1.5
=============================

Product:         W-Agora 4.1.5 (possibly earlier versions as well)
Vulnerabilities: information disclosure, path disclosure, arbitrary file upload, OS command execution, cross-site scripting
Vuln. classes:   see http://www.owasp.org/asac/ for more detailed information on "Attack Components"
Vendor:          W-Agora Services (http://www.w-agora.com/)
Vendor status:   contacted "info@w-agora.net" on Jul. 6th 2003
Vendor patches:
  http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/*checkout*/w-agora/w-agora4/modules.php3?rev=1.2
  http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/*checkout*/w-agora/w-agora4/index.php3?rev=1.15
  http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/*checkout*/w-agora/w-agora4/insert.php3?rev=1.78
  http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/*checkout*/w-agora/w-agora4/update.php3?rev=1.63
Exploitable:     Local:  ---
                 Remote: YES

============
Introduction
============

Visit "http://www.w-agora.com/en/index.php" for additional information.

=====================
Vulnerability Details
=====================

1) INFO DISCLOSURE
==================

OBJECT: index.php

DESCRIPTION:
Requesting index.php with "info" as the query string makes the system print sensitive information: usernames, the database system in use, installation paths and other version details.

EXAMPLE:
---*--- http-request
http://servername/w-agorapath/index.php?info
---*---

2) PATH DISCLOSURE
==================

OBJECT: modules.php

DESCRIPTION:
Requesting "modules.php" with invalid "mod" and "file" parameters produces an error message that discloses the installation path on the server.
EXAMPLE:
---*--- http-request
http://servername/w-agorapath/modules.php?mod=x&file=y
---*---

3) ARBITRARY FILE UPLOAD
========================

OBJECT: insert.php

DESCRIPTION:
If attachments are enabled, uploaded files are saved under the predictable name:
---*---
/forums/[sitename]/[forumname]/notes/[attNr].[filename.extension]
---*---
where [attNr] is the attachment number (see the del_att[] checkbox in the post form) and [filename.extension] is the original file name.

If this directory is not protected (as recommended by W-Agora), the uploaded files can be fetched directly via HTTP requests. Combined with an uploaded script file this leads to arbitrary OS command execution (see 4).

4) ARBITRARY OS COMMAND EXECUTION
=================================

OBJECT: index.php

DESCRIPTION:
The "action" parameter is used to include a file with a valid script extension. Because the value is not restricted, it can point at an attachment uploaded as described in 3), which leads to arbitrary OS command execution.

EXAMPLE:
---*--- http-request
http://servername/w-agorapath/index.php?
with params:
  bn=[validsitename]_[forumname]
  &action=forums/[sitename]/[forumname]/notes/[att-nr].[scriptname_without_extension]
---*---

5) CROSS SITE SCRIPTING / COOKIE THEFT
======================================

OBJECT: profile.php

DESCRIPTION:
By changing the value of the "avatar URL" field, client-side script can be injected into the page. Since cookies are used for authentication, this leads to cookie and account theft, including admin accounts.

EXAMPLE:
changing the "avatar" value to:
---*---
http://wl.sk.net/ealsdk.gif' onError='javascript:alert(document.cookie)
---*---
leads to execution of JS in the browser of anyone who views the profile.

=======
Remarks
=======

---

====================
Recommended Hotfixes
====================

Apply the vendor software patches listed under "Vendor patches" above.

EOF
Martin Eiszner / @2003 WebSec.org

=======
Contact
=======

WebSec.org / Martin Eiszner
Gurkgasse 49/Top14
1140 Vienna
Austria / EUROPE
meiat_private
http://www.websec.org
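Added example for item 5) above, written for this page rather than taken from the advisory or from W-Agora's profile.php. It shows why the quoted avatar value breaks out of an attribute and what a server-side fix looks like: the template shape (a single-quoted src attribute) is an assumption consistent with the payload, and the validation rules are the editor's, not the vendor's.

```python
"""Avatar URL attribute injection (advisory item 5) and a hardened renderer."""
import html
import re
from urllib.parse import urlsplit

# Payload quoted in the advisory, exactly as typed into the avatar field.
ADVISORY_PAYLOAD = "http://wl.sk.net/ealsdk.gif' onError='javascript:alert(document.cookie)"


def render_avatar_vulnerable(avatar):
    """Assumed template shape: the stored value lands unescaped inside a
    single-quoted src attribute, so a quote in the value ends the attribute and
    the remainder is parsed as further attributes (here an onError handler)."""
    return f"<img src='{avatar}' alt='avatar'>"


def validate_avatar_url(avatar):
    """Server-side allow-list: absolute http(s) URL with a host, and none of the
    characters that could close an attribute or open a tag. Returns the URL or None."""
    try:
        parts = urlsplit(avatar)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if any(c in avatar for c in "'\"<> \t\r\n"):
        return None
    return avatar


def render_avatar_hardened(avatar):
    """Validate first, then attribute-encode; an invalid value gets an empty src."""
    url = validate_avatar_url(avatar)
    if url is None:
        return "<img src='' alt='avatar'>"
    return f"<img src='{html.escape(url, quote=True)}' alt='avatar'>"


def has_event_handler_attr(markup):
    """Crude check used here to show the difference: any on* attribute in the tag."""
    return re.search(r"\son\w+\s*=", markup, re.IGNORECASE) is not None


if __name__ == "__main__":
    print(render_avatar_vulnerable(ADVISORY_PAYLOAD))
    print(render_avatar_hardened(ADVISORY_PAYLOAD))
```

Escaping alone would already neutralise this particular payload, but the scheme check matters too: a value such as `javascript:alert(1)` contains no quote, survives html.escape untouched, and still executes in browsers that honour javascript: URLs in src.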