Re: Bug in w-agora

On Sun, 2003-01-12 at 16:03, sonyy@2vias.com.ar wrote:

> - Product : w-agora
> - Tested version : version 4.1.5
> - Vendor Status: informed

> The bug :
> ==========
> 
> index.php :
>            $cfg_file = "${cfg_dir}/${bn}.${ext}";
>
> http://www.w-agora.net/current/index.php?site=demos&bn=../../../../../../../../../../etc/passwd%00
> http://www.w-agora.net/current/modules.php?mod=fm&file=../../../../../../../../../../etc/passwd%00&bn=fm_d1

AFAIK, the Null-byte attack doesn't work with PHP. It works with Perl
and some Java apps, yes, but not PHP ...

Furthermore, I briefly audited this software 3 or 4 weeks ago and checked
every include() call. Now (the vendor is very reactive), there is a
concatenation with $ext everywhere, which is defined as ".php" in some init
files. There's probably some place where you can read some files ending in
".php", but no more ...

As a side note, there's probably some room for PHP exploitation in the
init files (in general, not particularly for this app). A "well known
good practice" is to set a ".php" extension on init files in order to
protect them against bad ACLs at the web-server level that would allow
attackers to read their content (credentials, authentication).

But these files are not developed with the idea that they will be called
directly, and some code can probably be subverted because of this.

No working example; it's just something I was thinking about ...
By the way, what did the vendor answer to your mail?


Nicob
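
The path construction discussed in this thread, as an added example that is not part of the original post or of w-agora's own code. It is a Python model of the quoted PHP line `$cfg_file = "${cfg_dir}/${bn}.${ext}"`: it decodes the `bn` parameter from the reported URL, shows what the resulting path contains, and puts a hardened resolver beside it. `CFG_DIR`, `EXT`, the board-name allowlist `BN_RE` and the function names are assumptions for illustration. Whether the embedded NUL actually truncates the filename depends on the runtime: PHP releases before 5.3.4 truncated the path at a NUL in `include()`, later releases reject such paths. The hardened check rejects the input regardless of that behaviour, which is the property a practitioner wants.

```python
import os
import re
from urllib.parse import parse_qs

# Constructed values standing in for w-agora's $cfg_dir and $ext (assumed layout,
# not taken from the project); only the "${cfg_dir}/${bn}.${ext}" shape is from the post.
CFG_DIR = "/var/www/w-agora/conf"
EXT = "php"

# Hypothetical allowlist for a board name: letters, digits, underscore and dash only.
BN_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def bn_from_query(query: str) -> str:
    """Decode the 'bn' parameter as the web server would; '%00' becomes a NUL byte."""
    return parse_qs(query, keep_blank_values=True).get("bn", [""])[0]


def build_cfg_path_unchecked(bn: str) -> str:
    """Mirror of the quoted index.php line: $cfg_file = "${cfg_dir}/${bn}.${ext}"."""
    return f"{CFG_DIR}/{bn}.{EXT}"


def classify(path: str) -> dict:
    """Describe an attacker-influenced path: does it carry a NUL, does it climb
    with '..', and where does it land (a) if the runtime truncates filenames
    at NUL and (b) if it keeps the NUL and the '.php' suffix."""
    truncated = path.split("\x00", 1)[0]
    return {
        "has_nul": "\x00" in path,
        "traverses": ".." in path.split("/"),
        "if_nul_truncates": os.path.normpath(truncated),
        "if_nul_kept": os.path.normpath(path),
    }


def resolve_cfg_path(bn: str) -> str:
    """Hardened resolver: allowlist the name first, then confirm the resolved
    file is still inside CFG_DIR (the realpath check also catches symlinks
    inside the config directory, which the regex cannot see)."""
    if "\x00" in bn or not BN_RE.fullmatch(bn):
        raise ValueError("invalid board name")
    real_dir = os.path.realpath(CFG_DIR)
    real = os.path.realpath(os.path.join(CFG_DIR, f"{bn}.{EXT}"))
    if os.path.commonpath([real_dir, real]) != real_dir:
        raise ValueError("board config resolves outside cfg_dir")
    return real


def is_safe_bn(bn: str) -> bool:
    """True when the hardened resolver accepts the board name."""
    try:
        resolve_cfg_path(bn)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The first query string is the one from the bug report; the second is a benign board name.
    for q in ("site=demos&bn=../../../../../../../../../../etc/passwd%00",
              "site=demos&bn=forum1"):
        bn = bn_from_query(q)
        print(q)
        print("  unchecked:", classify(build_cfg_path_unchecked(bn)))
        print("  hardened accepts:", is_safe_bn(bn))
```

Run it as a script: for the reported payload `if_nul_truncates` comes out as `/etc/passwd` while `if_nul_kept` ends in `passwd\x00.php`, which is exactly the difference the thread turns on; the hardened resolver refuses the name either way.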
