Home page logo

bugtraq logo Bugtraq mailing list archives

Vulnerabilities in W-Agora
From: "MustLive" <mustlive () websecurity com ua>
Date: Fri, 22 Oct 2010 23:43:30 +0300

Hello Bugtraq!

I want to warn you about Cross-Site Scripting and Local File Inclusion vulnerabilities in W-Agora. In addition to vulnerabilities in this system which I found and disclosed in 2006 (SecurityVulns ID: 6960).

Affected products:

Vulnerable are W-Agora 4.2.1 and previous versions.


XSS (WASC-08):


Local File Inclusion (WASC-31):

It's possible to include php-files (with extension php3 in version W-Agora 4.1.5 or with extension php in version 4.2.1).

In folder conf:


In any folder (only on Windows-servers):


In last versions of the system search.php3 has name search.php.


2010.08.27 - announced at my site.
2010.08.29 - informed developers. Developers of W-Agora didn't answer and didn't fix the holes (unlike in 2006).
2010.10.22 - disclosed at my site.

I mentioned about these vulnerabilities at my site

Best wishes & regards,
Administrator of Websecurity web site

  By Date           By Thread  

Current thread:
  • Vulnerabilities in W-Agora MustLive (Oct 25)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]