[VIM] W-Agora v.4.2.1 Multiple Vulnerabilities
George A. Theall
theall at tenablesecurity.com
Tue Jan 5 14:44:02 UTC 2010
Exploit DB 10999 / Bugtraq 37610 concern a file inclusion
vulnerability in w-agora 4.2.1 and include the following PoC:
http://127.0.0.1/w-agora/rss.php?site=http127001wagora&bn=http://127.0.0.1/c.txt?
Here's the code from the affected file, as included in the
distribution file included with the Exploit DB advisory:
----- snip, snip, snip -----
$bn = preg_replace("/[^a-zA-Z0-9_]/", "", getFormVar('bn'));
$site = preg_replace("/[^a-zA-Z0-9_]/", "", getFormVar('site'));
...
if (empty ($bn) ) {
    $site = basename($site);
    include ("$cfg_dir/site_${site}.$ext");
} else {
    $bn = basename($bn);
    include ("$cfg_dir/$bn.$ext");
}
----- snip, snip, snip -----
[There are two calls before this snippet to 'include()', but tracing
through those, I don't see any place where the 'bn' parameter could be
used to include PHP code.]
The preg_replace() calls sanitize '$bn' and '$site' by removing any
characters that aren't alphanumeric or an underscore so I don't see
how indoushka's PoC can work. Nor do I see how this could be a
*remote* file include attack, as the PoC suggests and SecurityFocus
claims.
George
--
theall at tenablesecurity.com
More information about the VIM
mailing list
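The argument above is easy to check mechanically. The Python below is an added example, not code from w-agora or from the posting; it models the two preg_replace() calls and the basename()/include() path construction from the quoted rss.php snippet and feeds them the PoC parameters as PHP would see them after URL decoding. The values of $cfg_dir and $ext are assumed placeholders ("conf" and "php"), since the page does not show them, and the extra traversal and site-based inputs are constructed for illustration. Running it also shows that the PoC's site value "http127001wagora" is exactly what the filter produces from "http://127.0.0.1/w-agora", so the exploit author's own URL had already been through the stripping.

```python
import os
import re
from typing import Dict

# PoC parameters from Exploit DB 10999 as they arrive in $_GET after URL
# decoding (constructed sample input; the trailing '?' is the last
# character of the PoC URL).
POC_PARAMS: Dict[str, str] = {
    "site": "http127001wagora",
    "bn": "http://127.0.0.1/c.txt?",
}

# Model of preg_replace("/[^a-zA-Z0-9_]/", "", ...) from rss.php: every
# character outside [a-zA-Z0-9_] is deleted, so ':', '/', '.', '?' and
# NUL can never reach include().
_DISALLOWED = re.compile(r"[^a-zA-Z0-9_]")


def sanitize(value: str) -> str:
    """Return value with everything except ASCII letters, digits and '_' removed."""
    return _DISALLOWED.sub("", value)


def php_empty(value: str) -> bool:
    """PHP's empty() on a string: true for '' and for '0'."""
    return value in ("", "0")


def resolve_include(params: Dict[str, str], cfg_dir: str = "conf", ext: str = "php") -> str:
    """Path that the quoted rss.php code would hand to include() for a request.

    cfg_dir and ext are assumed placeholder values; rss.php takes them from
    its configuration and the page does not show them.
    """
    bn = sanitize(params.get("bn", ""))
    site = sanitize(params.get("site", ""))
    if php_empty(bn):
        site = os.path.basename(site)
        return f"{cfg_dir}/site_{site}.{ext}"
    bn = os.path.basename(bn)
    return f"{cfg_dir}/{bn}.{ext}"


def stays_in_cfg_dir(path: str, cfg_dir: str = "conf", ext: str = "php") -> bool:
    """True if path names one file directly under cfg_dir with the fixed extension.

    A remote include needs a scheme ("://") and traversal needs "/" or ".."
    inside the name; neither can survive sanitize().
    """
    prefix, suffix = f"{cfg_dir}/", f".{ext}"
    if not (path.startswith(prefix) and path.endswith(suffix)):
        return False
    name = path[len(prefix):-len(suffix)]
    return re.fullmatch(r"[a-zA-Z0-9_]+", name) is not None


if __name__ == "__main__":
    samples = {
        "Exploit DB PoC": POC_PARAMS,
        "traversal with NUL": {"bn": "../../../etc/passwd\x00"},
        "remote URL via site": {"site": "http://evil.example/s.txt?"},
    }
    for label, params in samples.items():
        path = resolve_include(params)
        print(f"{label:20s} -> include({path!r}); inside cfg_dir: {stays_in_cfg_dir(path)}")
```

Whatever is supplied, the include target collapses to `$cfg_dir/<letters_digits_underscore>.$ext`; the only thing an attacker controls is which file name in that directory (with that extension) gets included, which is neither a remote include nor a traversal.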