Agora Project Multiple Vulnerabilities


Description   Multiple vulnerabilities have been discovered in Agora Project, which can be exploited by malicious users to compromise a vulnerable system and by malicious people to conduct cross-site scripting and SQL injection attacks.
1) Input passed via the "dossierup" parameter to module_fichier/upload/upload_filemanager.php is not properly verified before being used to upload files. This can be exploited to execute arbitrary PHP code by uploading files to arbitrary directories via directory traversal attacks.
2) Input passed via multiple parameters to various scripts is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
List of affected scripts and parameters:
http://[host]/module_utilisateurs/utilisateur.php?id_utilisateur
http://[host]/module_agenda/evenement.php?id_evenement
http://[host]/module_contact/contact.php?id_contact
http://[host]/module_contact/index.php?id_dossier
http://[host]/module_tache/index.php?id_dossier
http://[host]/module_agenda/index.php?printmode
http://[host]/module_lien/index.php?id_dossier
http://[host]/module_forum/index.php?theme
http://[host]/module_fichier/index.php?id_dossier
http://[host]/module_tableau_bord/index.php?tdb_periode
http://[host]/module_tache/tache.php?id_tache
NOTE: This can further be exploited to conduct cross-site scripting attacks via SQL error messages.
The vulnerabilities are confirmed in version 2.13.1. Other versions may also be affected.
     
Vulnerable Products   Vulnerable Software:
Agora Project 2.x
     
Solution   Edit the source code to ensure that input is properly verified and sanitised.
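The fix the Solution calls for, as an added example written for this page (not Agora Project's own source): the folder derived from "dossierup" is confined to the uploads root, stored files get a whitelisted extension and a generated name, and the id_* parameters are validated as integers and bound in a prepared statement. The uploads root, the function names and the table/column names are assumptions.

```php
<?php
// Added example (not Agora Project code): hardened handling of the two input
// classes in this advisory. Parameter names are from the advisory; function
// names, the uploads root and the table/column names are assumptions.
// 1) "dossierup": accept only an existing folder that resolves inside the uploads root.
function resolve_upload_dir(string $uploadsRoot, string $dossierup): ?string
{
    $root = realpath($uploadsRoot);
    // A folder name is a single path component: reject separators and NUL outright.
    if ($root === false || $dossierup === '' || preg_match('/[\/\\\\\0]/', $dossierup)) {
        return null;
    }
    // realpath() collapses "..", so a traversal attempt resolves outside $root and fails the prefix test.
    $target = realpath($root . DIRECTORY_SEPARATOR . $dossierup);
    if ($target === false || strpos($target, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $target;
}

// Whitelist the extension and generate the stored name, so no PHP file can be written.
function stored_upload_name(string $clientName): ?string
{
    $allowed = ['pdf', 'png', 'jpg', 'jpeg', 'gif', 'txt']; // assumed policy
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return in_array($ext, $allowed, true) ? bin2hex(random_bytes(16)) . '.' . $ext : null;
}

// 2) id_* parameters: validate as an integer and bind it; never interpolate into the SQL string.
function load_user(PDO $db, $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT * FROM utilisateur WHERE id_utilisateur = :id'); // assumed schema
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Request handling: a failure returns a plain 400 rather than echoing a database error, closing the reflected XSS path the advisory notes.
$dir  = resolve_upload_dir('/var/www/agora/uploads', $_POST['dossierup'] ?? '');
$name = isset($_FILES['file']['name']) ? stored_upload_name($_FILES['file']['name']) : null;
if ($dir === null || $name === null) {
    http_response_code(400);
    exit;
}
move_uploaded_file($_FILES['file']['tmp_name'], $dir . DIRECTORY_SEPARATOR . $name);
```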
     
CVE  
     
References   Misa3l:
http://www.exploit-db.com/exploits/19059/
Chris Russell:
http://www.exploit-db.com/exploits/19329/
     
Vulnerability Manager Detection   No
     
IPS Protection
ASQ Engine alarm: Upload of a PHP file in a vulnerable web application
Available Since: 5.0.0
     
Risk level   Moderate

Vulnerability First Public Report Date   2012-06-11

Target Type   Server

Possible exploit   Remote