Re: XSS and PHP include bug in W-Agora

[Marc Druilhe <mdruilhe () w-agora net>]

Thanks for pointing out this bug. I will fix it ASAP.
Notice that only users that have "system administrator privilege" are concerned. These users are usually
"trusted" and should have all the accesses to the w-agora installation, so IMHO the security hole is not that
sensible.
Nethertheless, I will make a fix in the next coming days.

Thanks again.
-- 
Marc Druilhe
http://www.w-agora.net/

xatr0z a écrit :
> I have found some bugs in W-Agora's forum configuration filesystem. In the
> page editform.php, an admin or root user can open any file, with the "PHP
> Include bug". A sample of the script:
>
> ***editform.php***
> <?php
> # the script gets the parameter "file", puts ".php" after this, and includes
> the file in the directory "forums/agora/"
> include ( "forums/agora"  .$_GET [ "file" ] . ".php" );
> ?>
> ***editform.php***
>
> With the following link, an "admin" or "root" user could open the file
> "conf/agora/site_agora.php":
> <URL:/editform.php?site=agora&file=../../conf/site_agora> (put the
> directory of your W-Agora forum for this file)
>
> Ofcourse, this also works on other files.
>
> The next bug I found was an XSS bug in the "Administration login" page.
> Here, any user could simply insert code. When a user visits the following
> URI:
> <URL:/editform.php?site=agora&blah=">Bug!>
>
> An HTML <INPUT> tag is created, and it would look like this:
> <input type="hidden" NAME="blah" VALUE="\">Bug!" />
>
> These are the bugs I found. Maybe that there are more XSS or include bugs in
> W-Agora, but I am tired at the moment, but maybe someone will find more.
>
> --
>
> N: D. Willems "xatr0z"
> E: <xatr0z at users dot sourceforge dot net>
> W: http://rootshell.be/~xatr0z
>
> -----BEGIN PGP PUBLIC KEY BLOCK-----
> Version: GnuPG v1.2.1 (MingW32)
>
> mQGiBD34tNcRBAD/Nhg00QameKtcq1Ut3/7/mrwcRAmnqH4cDDgIOO0Aw3XTsmM+
> 19074p7u+019tP84uk6itb4Tf7P3DQb8uwQJ2Q8wkoNbPBm3i03svw3jjwnBuRAI
> +YogC/yHDpfbMF9SWqyh7K4en7IxYBu79vH55kdc8Ud+8CEjwTZI6aGWawCgsdJi
> +1QlbLKDcgUI2ZGunpLuv3kEAMzNlFM4O1P5hagWiPyLI5rcozZnrTbXqu6EyOFT
> 9HyOqhsdJBkcd4gWNmYk1boJqYV/thfHYfnGFQ5eWpog4pLyxZl4WanO28KHT6MX
> dkXOm4RsVRu3PNrZGrbL99+lNSsQpfrksbep/xYwR41rYBy9VptaJ29KD5WIh9X0
> sR9rA/9ns6mWXrnIim0tMw5F5zYwAE0vgheeiXa9mUmNkEBuCkyqAZT/8k/n1VU9
> czT/UhS5bSaDr0NGlnWXyZKTgXAdPjsjZ9lDK7A3BON2qMrDMcTQdA8EFVVwmg+x
> mHHBA6aRnIjoZr9e52WbdBB7ipJD7HrhmmiAr3LPq5wdHhZXN7Q0RGFhbiBXaWxs
> ZW1zICh4YXRyMHopIDx4YXRyMHpAdXNlcnMuc291cmNlZm9yZ2UubmV0PohZBBMR
> AgAZBQI9+LTXBAsHAwIDFQIDAxYCAQIeAQIXgAAKCRDYKKUb3JFNVnnKAKCZ7KYB
> yBnn227ikPHaQUS/OFy6ZQCbBt69GEc1a8ODyNQdI7Z69zDGRby5Ag0EPfi03RAI
> AOXapquYF8ujevvWtlo9iqzRDZ/3u5gp/50+iAkKtxDlmGaKm70DxpYH4xNCHALT
> jzrdL+FjAb4m+SwftQkcoGU8ALDKy1nQmuB7qUwblENLcqvcaflt+nEPFth3pa+x
> 2hcWlDyc5yi8A6zVAEeoPvZWvYJjrRL7OLAFmjC5ee15w+js64AZ8+lhhq15dEpe
> s8jDPpy/tWy/oF/B6eLbmhixcBarzpfC4hwPukEHMsEImyBxRM5lFuWMVSWZRAZP
> CKbabl3L6xj1aGQqk+oQwj663Pm1tx87/BZWYxbo+fXe0KcsZ4nSEyxroNhmkChZ
> oIkXKsh45h2Sr4RdAaoG13MAAwYIAIZ04SMwj4OfHn+m46pyRCrnKPpzq2KjhoFw
> N4EUjrU4L4HZugExghryHiFNX2Gm+FNhAMI5fOuIzCTikjzqARS95vSxvoDp+pMS
> 5jo6lGztWGku9PGmhqvED7mvhpLdy53bBXe0IzYK7f+8y2a7FYpFG3p9OqCdFsFb
> s1Kt2XAe1kJo6cG2YYENtr+hsrzns4wMDHlxvfrU0kfhGppQhNEwVvfc0EFm3vU2
> rsHdh5BFgdvLf/tBYvs9Gvgfl9td66zh0gtB1LSsl5f+Nw1hl2fco7OBsW6xm+lR
> NUuky6agCIGs442sjGVhUQ5HPVhSACvLlIzuFwPI57spDiZZSR2IRgQYEQIABgUC
> Pfi03QAKCRDYKKUb3JFNVnzhAJ48I2Tt2PupwJ2WVIb4pCL4XyyQngCfft4cAI0N
> 1UrkGQHISldIGCKNsFw=
> =cKhr
> -----END PGP PUBLIC KEY BLOCK-----