[VIM] W-Agora v.4.2.1 Multiple Vulnerabilities

George A. Theall theall at tenablesecurity.com
Tue Jan 5 14:44:02 UTC 2010

  Exploit DB 10999 / Bugtraq 37610 concern a file inclusion  
vulnerability in w-agora 4.2.1 and include the following PoC: 

Here's the code from the affected file, as included in the  
distribution file included with the Exploit DB advisory:

                          ----- snip, snip, snip -----
	$bn =  preg_replace("/[^a-zA-Z0-9_]/", "", getFormVar('bn'));
	$site =  preg_replace("/[^a-zA-Z0-9_]/", "", getFormVar('site'));
	if (empty ($bn) ) {
		$site = basename($site);
		include ("$cfg_dir/site_${site}.$ext");
	} else {
		$bn = basename($bn);
		include ("$cfg_dir/$bn.$ext");
                          ----- snip, snip, snip -----

[There are two calls before this snippet to 'include()', but tracing  
through those, I don't see any place where the 'bn' parameter could be  
used to include PHP code.]

The preg_replace() calls sanitize '$bn' and '$site' by removing any
characters that aren't alphanumeric or an underscore, so I don't see
how indoushka's PoC can work.  Nor do I see how this could be a
*remote* file include attack, as the PoC suggests and SecurityFocus  

theall at tenablesecurity.com
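
The filter-then-include logic quoted in the message can be checked in isolation. The following is an added example, not part of the original post and not w-agora code: it reproduces only the quoted lines and reports whether the resulting path stays a direct child of the configuration directory. The function name, the `$cfg_dir` and `$ext` values and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example: mirrors the whitelist filter and path construction quoted
// above. It does not cover the two earlier include() calls the post mentions.

function build_include_path(string $bn, string $site, string $cfg_dir, string $ext): string
{
    // Same whitelist as the quoted snippet: keep only [a-zA-Z0-9_].
    $bn   = preg_replace("/[^a-zA-Z0-9_]/", "", $bn);
    $site = preg_replace("/[^a-zA-Z0-9_]/", "", $site);

    if (empty($bn)) {
        $site = basename($site);
        return "$cfg_dir/site_{$site}.$ext";
    }
    $bn = basename($bn);
    return "$cfg_dir/$bn.$ext";
}

// Constructed inputs containing the characters a path or URL would need.
$samples = [
    'forum1',
    '../../../../etc/passwd',
    'http://example.invalid/file.txt?',
    "config\0",
    '..\\..\\boot.ini',
];

$cfg_dir = '/var/www/w-agora/conf';   // assumption, not from the page
$ext     = 'php';                      // assumption, not from the page

foreach ($samples as $raw) {
    $path = build_include_path($raw, '', $cfg_dir, $ext);
    // Strip the fixed "$cfg_dir/" prefix and ".$ext" suffix; what remains is
    // the only attacker-influenced part of the include path.
    $leaf = substr($path, strlen($cfg_dir) + 1, -strlen(".$ext"));
    $confined = preg_match('/^[a-zA-Z0-9_]*$/', $leaf) === 1;
    printf("%-40s -> %-50s %s\n",
        json_encode($raw), $path, $confined ? 'confined' : 'ESCAPES');
}
```

Every sample loses its slashes, dots, colons and NUL byte before the path is built, so the included file name is always a plain token under `$cfg_dir` with the fixed extension.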
