Thanks for pointing out this bug. I will fix it ASAP. Notice that only users that have "system administrator privilege" are concerned. These users are usually "trusted" and should have all the accesses to the w-agora installation, so IMHO the security hole is not that sensible. Nevertheless, I will make a fix in the next coming days. Thanks again.

--
Marc Druilhe
http://www.w-agora.net/

xatr0z wrote:
>
> I have found some bugs in W-Agora's forum configuration filesystem. In the
> page editform.php, an admin or root user can open any file, with the "PHP
> Include bug". A sample of the script:
>
> ***editform.php***
> <?php
> # the script takes the parameter "file", appends ".php" to it, and includes
> # the resulting file from the directory "forums/agora/"
> include ( "forums/agora/" . $_GET [ "file" ] . ".php" );
> ?>
> ***editform.php***
>
> With the following link, an "admin" or "root" user could open the file
> "conf/agora/site_agora.php":
> <URL:/editform.php?site=agora&file=../../conf/site_agora> (put the
> directory of your W-Agora forum for this file)
>
> Of course, this also works on other files.
>
> The next bug I found was an XSS bug in the "Administration login" page.
> Here, any user could simply insert code. When a user visits the following
> URI:
> <URL:/editform.php?site=agora&blah=">Bug!>
>
> An HTML <INPUT> tag is created, and it would look like this:
> <input type="hidden" NAME="blah" VALUE="\">Bug!" />
>
> These are the bugs I found. Maybe there are more XSS or include bugs in
> W-Agora, but I am tired at the moment; maybe someone will find more.
>
> --
>
> N: D. Willems "xatr0z"
> E: <xatr0z at users dot sourceforge dot net>
> W: http://rootshell.be/~xatr0z
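A hardened form of the two spots the report describes, added here as an example and not taken from w-agora: the `file` parameter is restricted to a plain basename resolved under `forums/agora/` and the hidden input's value is attribute-escaped. The directory and the `file`/`blah` parameter names follow the report; the function names and the 400 response are assumptions.

```php
<?php
// Added example (not w-agora code): defensive handling of the "file"
// include parameter and the "blah" hidden-input value from the report.
declare(strict_types=1);

// Resolve the requested form file only if it really lives under $base.
function safe_form_path(string $base, string $file): ?string
{
    // Only a simple basename is acceptable: no slashes, no "..", no NUL byte.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $file)) {
        return null;
    }
    $baseReal  = realpath($base);
    $candidate = realpath($base . '/' . $file . '.php');
    if ($baseReal === false || $candidate === false) {
        return null;
    }
    // Second check after symlink resolution: the file must still sit below $base.
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Build a hidden input whose value cannot close the attribute or the tag.
function hidden_input(string $name, string $value): string
{
    return sprintf(
        '<input type="hidden" name="%s" value="%s" />',
        htmlspecialchars($name, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
    );
}

// Include path: "../../conf/site_agora" fails the basename check and is refused.
$file = (string) ($_GET['file'] ?? '');
$path = safe_form_path(__DIR__ . '/forums/agora', $file);
if ($path === null) {
    http_response_code(400);
    exit('Invalid form file');
}
include $path;

// XSS case: the quote and ">" in '">Bug!' are emitted as &quot; and &gt;,
// so the value stays inside the attribute instead of injecting markup.
echo hidden_input('blah', (string) ($_GET['blah'] ?? ''));
```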