I have found some bugs in W-Agora's forum configuration filesystem.

In the page editform.php, an admin or root user can open any file with the "PHP Include bug". A sample of the script:

***editform.php***
<?php
# the script gets the parameter "file", puts ".php" after this,
# and includes the file in the directory "forums/agora/"
include("forums/agora" . $_GET["file"] . ".php");
?>
***editform.php***

With the following link, an "admin" or "root" user could open the file "conf/agora/site_agora.php":

<URL:/editform.php?site=agora&file=../../conf/site_agora>
(put the directory of your W-Agora forum for this file)

Of course, this also works on other files.

The next bug I found was an XSS bug in the "Administration login" page. Here, any user could simply insert code. When a user visits the following URI:

<URL:/editform.php?site=agora&blah=">Bug!>

An HTML <INPUT> tag is created, and it would look like this:

<input type="hidden" NAME="blah" VALUE="\">Bug!" />

These are the bugs I found. Maybe there are more XSS or include bugs in W-Agora, but I am tired at the moment; maybe someone will find more.

--
N: D. Willems "xatr0z"
E: <xatr0z at users dot sourceforge dot net>
W: http://rootshell.be/~xatr0z
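
A hardened form of the two code paths reported above, as an added example that is not part of the original post and is not W-Agora's own code. The names FORM_DIR, resolve_form() and hidden_input() are hypothetical, and the base directory is an assumption taken from the sample script.

```php
<?php
// Added example; FORM_DIR and both function names are assumptions.
const FORM_DIR = __DIR__ . '/forums/agora';

/** Map the "file" parameter to a path inside FORM_DIR, or return null. */
function resolve_form($name, string $baseDir = FORM_DIR): ?string
{
    // Accept only a bare name: rejects arrays, slashes, dots, NUL bytes
    // and stream wrappers before any filesystem call is made.
    if (!is_string($name) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name . '.php');
    // realpath() resolves ".." and symlinks; the result must stay under $base.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

/** Build a hidden field with name and value escaped for attribute context. */
function hidden_input(string $name, string $value): string
{
    return sprintf(
        '<input type="hidden" name="%s" value="%s" />',
        htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
        htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
    );
}

// Constructed inputs mirroring the two requests in the post.
$file = resolve_form('../../conf/site_agora');
echo $file === null ? "include refused\n" : "would include $file\n";
echo hidden_input('blah', '">Bug!'), "\n";
```

The name check alone stops the traversal; the realpath() prefix comparison is a second layer that still holds if a symlink is later placed inside the form directory.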