Bugtraq mailing list archives
Re: Bug in w-agora
From: Nicob <nicob () nicob net>
Date: 16 Jan 2003 00:07:12 +0100
On Sun, 2003-01-12 at 16:03, sonyy () 2vias com ar wrote:
> - Product : w-agora
> - Tested version : 4.1.5
> - Vendor Status : informed
>
> The bug :
> ==========
> index.php :
> $cfg_file = "${cfg_dir}/${bn}.${ext}";
>
> http://www.w-agora.net/current/index.php?site=demos&bn=../../../../../../../../../../etc/passwd%00
> http://www.w-agora.net/current/modules.php?mod=fm&file=../../../../../../../../../../etc/passwd%00&bn=fm_d1
AFAIK, the null-byte attack doesn't work with PHP. It works with Perl and some Java apps, yes, but not PHP ...

Furthermore, I briefly audited this software 3 or 4 weeks ago, and I checked every include() call. Now (the editor is very reactive), there is a concatenation with $ext everywhere, which is defined as ".php" in some init files. There's probably some place where you can read some files ending in ".php", but no more ...

As a side note, there's probably some room for PHP exploitation in the init files (in general, not particularly for this app). A "well known good practice" is to set a ".php" extension on init files in order to protect them against bad ACLs at the web-server level allowing attackers to read their content (credentials, authentication). But these files are not developed with the idea that they will be called directly, and some code can probably be subverted because of this. No working example, it's just something I was thinking about ...

By the way, what did the editor answer to your mail ?

Nicob
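The following is an added illustration, not code from the thread or from w-agora. It reproduces the include pattern quoted in the report ($cfg_file = "${cfg_dir}/${bn}.${ext}") beside a hardened form. The variable names $cfg_dir, $bn and $ext follow the quoted line; the function names, the sample directory and the constructed inputs are hypothetical. One caveat worth having next to the discussion above: PHP's filesystem functions truncated a path at an embedded NUL byte until PHP 5.3.4, which began rejecting such paths, so a trailing ".$ext" suffix was not by itself a dependable control on which file gets included.

```php
<?php
// Added example (not w-agora code). $cfg_dir, $bn and $ext mirror the line
// quoted in the report; everything else here is made up for illustration.

// Vulnerable pattern: $bn arrives from the query string and is concatenated
// into a path. "../" sequences walk out of $cfg_dir. The ".$ext" suffix is
// the only thing tying the include to .php files, and in PHP releases before
// 5.3.4 a NUL byte in $bn ("%00" in the URL) cut the path off at that byte.
function cfg_path_unsafe(string $cfg_dir, string $bn, string $ext): string
{
    return "{$cfg_dir}/{$bn}.{$ext}";
}

// Hardened form, step 1: a board name is a short identifier. This rejects
// "/", "\", ".", NUL and anything else outside [A-Za-z0-9_-]. \z (not $) is
// used so a trailing newline cannot slip through.
function is_valid_board_name(string $bn): bool
{
    return preg_match('/^[A-Za-z0-9_-]{1,64}\z/', $bn) === 1;
}

// Step 2: build the path only from a validated name, resolve it, and require
// the result to stay under the real config directory (this also catches a
// symlink inside $cfg_dir that points elsewhere). Returns null when the file
// must not be included.
function cfg_path_safe(string $cfg_dir, string $bn, string $ext): ?string
{
    if (!is_valid_board_name($bn)) {
        return null;
    }
    $base = realpath($cfg_dir);
    if ($base === false) {
        return null;
    }
    $resolved = realpath($base . DIRECTORY_SEPARATOR . $bn . '.' . $ext);
    if ($resolved === false) {
        return null; // no such file
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside $cfg_dir
    }
    return $resolved;
}

// Constructed inputs (hypothetical layout; nothing is actually included).
$cfg_dir = '/var/www/w-agora/conf';
$ext = 'php';
$inputs = [
    'demos',                            // legitimate board name
    "../../../../etc/passwd\0",         // the traversal from the report, NUL included
    '../../index',                      // traversal without a NUL byte
];
foreach ($inputs as $bn) {
    $shown = addcslashes($bn, "\0");
    printf("%-28s unsafe path: %s\n", $shown,
        addcslashes(cfg_path_unsafe($cfg_dir, $bn, $ext), "\0"));
    printf("%-28s name accepted by hardened form: %s\n", $shown,
        is_valid_board_name($bn) ? 'yes' : 'no');
}
```

Running this prints, for the second input, the unsafe path /var/www/w-agora/conf/../../../../etc/passwd\0.php, which shows exactly where the NUL sits relative to the suffix; the hardened form refuses that name before any path is built. Only the first input passes is_valid_board_name(), and even then cfg_path_safe() includes the file only if realpath() places it under the configuration directory.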
Current thread:
- Bug in w-agora sonyy (Jan 15)
- Re: Bug in w-agora Nicob (Jan 17)
- Re: Bug in w-agora Ian Clelland (Jan 21)
- Re: Bug in w-agora Nicob (Jan 17)