SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >  W-Agora
Vendors:   Druilhe, Marc
W-Agora Input Validation Holes in 'redir_url' and Other Scripts Permit SQL Injection, Cross-Site Scripting, and Response Splitting Attacks
SecurityTracker Alert ID:  1011463
SecurityTracker URL:  http://securitytracker.com/id/1011463
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Sep 30 2004
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes    Vendor Confirmed:  Yes    Exploit Included:  Yes
Version(s): 4.1.6a
Description:   Several vulnerabilities were reported in W-Agora. A remote user can inject SQL commands. A remote user can conduct cross-site scripting and HTTP response splitting attacks. A remote user can also determine the installation path.

Alexander Antipov reported that Positive Technologies discovered that the 'redir_url.php' script does not properly validate user-supplied input in the 'key' variable. A remote user can supply specially crafted input for that variable to execute SQL commands on the underlying database. A demonstration exploit URL is provided:

redir_url.php?bn=demos_links&key=[SQL]
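The 'key' lookup described above is the textbook case for a bound parameter. The following Python/sqlite3 snippet is an added example, not W-Agora's code: the `redirects` table, its columns and the sample rows are constructed for illustration. It places the string-splicing pattern next to the parameterized form and adds an allow-list check on the key as a second layer.

```python
import re
import sqlite3

# Constructed sample data standing in for whatever table redir_url.php
# consults; table name, columns and rows are assumptions, not W-Agora's.
SAMPLE_ROWS = [
    ("homepage", "https://www.example.org/"),
    ("docs", "https://www.example.org/docs/"),
]

# Allow-list for the 'key' parameter: short, alphanumeric plus '_' and '-'.
KEY_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE redirects (redir_key TEXT PRIMARY KEY, url TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO redirects VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_unsafe(conn, key):
    """The vulnerable pattern: the request parameter is spliced into SQL text.

    A quote inside 'key' changes the grammar of the statement instead of the
    value being compared. Returns ("ok", urls) or ("error", message).
    """
    sql = "SELECT url FROM redirects WHERE redir_key = '%s'" % key
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return ("error", str(exc))
    return ("ok", [r[0] for r in rows])


def lookup_safe(conn, key):
    """The hardened pattern: the driver binds 'key' as a value, never as SQL."""
    rows = conn.execute(
        "SELECT url FROM redirects WHERE redir_key = ?", (key,)
    ).fetchall()
    return [r[0] for r in rows]


def resolve_redirect(conn, key):
    """Defence in depth: reject keys outside the allow-list before touching the
    database, then look the survivor up with a bound parameter.
    Returns the target URL or None."""
    if not KEY_RE.match(key):
        return None
    urls = lookup_safe(conn, key)
    return urls[0] if urls else None


if __name__ == "__main__":
    db = make_db()
    print(lookup_unsafe(db, "o'brien"))      # ("error", ...): the quote broke the SQL
    print(lookup_safe(db, "o'brien"))        # []: the quote is part of a literal
    print(resolve_redirect(db, "homepage"))  # https://www.example.org/
```

The allow-list is deliberately stricter than the bound parameter needs: it also stops the same parameter from being reused unsafely elsewhere, for example in a redirect header, which is the second problem the advisory reports.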

It is also reported that 'download_thread.php', 'login.php', and 'forgot_password.php' do not properly filter HTML code from user-supplied input. A remote user can create a specially crafted URL or POST request that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the W-Agora software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided:

download_thread.php?site=support&bn=support_install&thread=[XSS code here]

Some demonstration exploit POST requests are provided:

POST /login.php HTTP/1.1
Host: w-agora
Content-Type: application/x-www-form-urlencoded
Content-Length: 89
loginform=1&redirect_url=1&loginuser=[XSS code here]&loginpassword=1


POST /forgot_password.php HTTP/1.1
Host: w-agora
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
go=1&userid=[XSS code here]

It is also reported that a remote user can submit a specially crafted URL to cause the target server to return a split response. A remote user can exploit this to spoof content on the target server, attempt to poison any intermediate web caches, or conduct cross-site scripting attacks.

A demonstration exploit URL is provided:

/subscribe_thread.php?site=support&bn=support_install&thread=%0d%0aContent-Length:%200%0d%0a%0d%0a%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2034%0d%0a%0d%0a%3chtml%3eScanned%20by%20PTsecurity%3c/html%3e%0d%0a
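The payload above only works because a percent-encoded CR/LF pair in the 'thread' value is decoded and copied into a response header unchanged. The Python below is an added example, not W-Agora's code: `build_location` and its `base_path` argument are assumptions for a redirect handler, and the access-log lines are constructed (the second carries the leading part of the advisory's own payload). It shows the header-side check a handler should apply and a small scanner that flags requests whose decoded query parameters contain CR or LF.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# CR or LF anywhere in a header value is the response-splitting condition.
CRLF_RE = re.compile(r"[\r\n]")

# Request line inside a combined-format access log entry.
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def is_safe_header_value(value):
    """True when an already-decoded value may be placed in a response header."""
    return CRLF_RE.search(value) is None


def build_location(base_path, thread):
    """Assemble a Location header value, refusing any thread id that would
    terminate the header. Hypothetical stand-in for the redirect that
    subscribe_thread.php performs; base_path is an assumption."""
    if not is_safe_header_value(thread):
        raise ValueError("refusing CR/LF in redirect target")
    return "%s?thread=%s" % (base_path, thread)


def crlf_params(request_target):
    """Names of query parameters whose percent-decoded value contains CR or LF."""
    query = urlsplit(request_target).query
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if CRLF_RE.search(value)]


def scan_log(lines):
    """Flag log entries carrying encoded CR/LF in the query string.
    Returns one (path, [parameter names]) tuple per suspicious request."""
    findings = []
    for line in lines:
        match = REQ_RE.search(line)
        if not match:
            continue
        target = match.group("target")
        hits = crlf_params(target)
        if hits:
            findings.append((urlsplit(target).path, hits))
    return findings


# Constructed access-log lines (documentation-range addresses, the advisory's
# date); the second one carries the start of the advisory's payload.
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Sep/2004:12:41:17 +0400] "GET /download_thread.php?site=support&bn=support_install&thread=42 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [30/Sep/2004:12:41:19 +0400] "GET /subscribe_thread.php?site=support&bn=support_install&thread=%0d%0aContent-Length:%200%0d%0a%0d%0a HTTP/1.1" 302 0',
    '203.0.113.7 - - [30/Sep/2004:12:41:23 +0400] "GET /list.php?bn=support_install&last=19 HTTP/1.1" 200 8811',
]

if __name__ == "__main__":
    for path, params in scan_log(SAMPLE_LOG):
        print("CR/LF in %s parameter(s): %s" % (path, ", ".join(params)))
```

The scanner decodes before matching, so it also catches doubled or mixed-case encodings that a literal search for `%0d%0a` would miss. On the server side the same check belongs on every header assembled from request data; PHP's own header() has refused values containing a newline since 4.4.2 and 5.1.2, which closes this particular path on modern runtimes, but an application-level check is what lets the handler return an error rather than emit a truncated header.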

A remote user can supply the following URL to cause the system to disclose the installation path:

/list.php?bn=support_install&last=19&collapse=|id|

Impact:   A remote user can inject SQL commands to be executed on the underlying database.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the W-Agora software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can create a URL that, when loaded by the target user, will cause arbitrary content to be displayed.

A remote user may be able to poison any intermediate web caches with arbitrary content.

A remote user can determine the installation path.

Solution:   The vendor has issued a fix, available via CVS.

The fixed components are subscribe_thread.php3 (v 1.17), forgot_password.php3 (v1.17), include/auth.php (v1.45), and list.php3 (v1.53).

Vendor URL:  www.w-agora.net/
Cause:   Access control error, Input validation error
Underlying OS:   Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Oct 31 2004 (Vendor Issues Fix) W-Agora Input Validation Holes in 'redir_url' and Other Scripts Permit SQL Injection, Cross-Site Scripting, and Response Splitting Attacks
The vendor has issued a fixed version.



Source Message Contents

Date:  Thu, 30 Sep 2004 12:41:17 +0400
Subject:  [Full-Disclosure] Multiple vulnerabilities in w-agora forum


http://www.maxpatrol.com/mp_advisory.asp

Title: Multiple vulnerabilities in w-agora forum
Date: 28.09.04
Severity: Medium
Application: w-agora 4.1.6a, http://www.w-agora/en/download.php
Platform: PHP
 
I. DESCRIPTION

Multiple vulnerabilities were found in w-agora forum. A remote user
can conduct SQL injection attack, HTTP response splitting and Cross-Site
Scripting attack.

1. SQL injection

redir_url.php?bn=demos_links&key=[SQL]

2. XSS in GET:

download_thread.php?site=support&bn=support_install&thread=[XSS code here]

3. XSS in POST:

POST /login.php HTTP/1.1
Host: w-agora
Content-Type: application/x-www-form-urlencoded
Content-Length: 89
loginform=1&redirect_url=1&loginuser=[XSS code here]&loginpassword=1

POST /forgot_password.php HTTP/1.1
Host: w-agora
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
go=1&userid=[XSS code here]

4. HTTP response splitting

/subscribe_thread.php?site=support&bn=support_install&thread=%0d%0aContent-Length:%200%0d%0a%0d%0a%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2034%0d%0a%0d%0a%3chtml%3eScanned%20by%20PTsecurity%3c/html%3e%0d%0a

5. Path disclosure

/list.php?bn=support_install&last=19&collapse=|id|

II. IMPACT
----------
A remote user can access the target user's cookies (including
authentication cookies).
A remote user can cause SQL commands to be executed by the underlying
database.

III. SOLUTION
-------------
Yes

IV. VENDOR FIX/RESPONSE
-----------------------
Yes, fixed in CVS: subscribe_thread.php3 v1.17, forgot_password.php3
v1.17, include/auth.php v1.45, list.php3 v1.53.

V. CREDIT
---------
This vulnerability was discovered by Positive Technologies using
MaxPatrol (www.maxpatrol.com) - intellectual professional security
scanner. It is able to detect a substantial amount of vulnerabilities
not published yet. MaxPatrol's intelligent algorithms are also capable
of detecting a lot of vulnerabilities in custom web-scripts (XSS, SQL and
code injections, HTTP Response splitting and other).

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Copyright 2013, SecurityGlobal.net LLC