| OSVDB ID | Disclosure Date | Title | Description |
|---|---|---|---|
| 43828 | 2008-03-20 | W-Agora add_user.php bn_dir_default Parameter Remote File Inclusion | (Description Provided by CVE): Multiple PHP remote file inclusion vulnerabilities in W-Agora 4.0 allow remote attackers to execute arbitrary PHP code via a URL in the bn_dir_default parameter to (1) add_user.php, (2) create_forum.php, (3) create_user.php, (4) delete_notes.php, (5) delete_user.php, (6) edit_forum.php, (7) mail_users.php, (8) moderate_notes.php, and (9) reorder_forums.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
| 11237 | 2001-03-07 | w-Agora admin.php3 no_auth Variable Unspecified Issue | w-Agora contains a flaw related to the "no_auth" variable in the admin.php3 script. No further details have been provided. |
| 3174 | 2003-07-11 | w-Agora Arbitrary File Upload and Execution Flaw | W-Agora contains a flaw that may allow a malicious user to arbitrarily upload files. The issue is triggered only if the forum's notes directory hasn't been restricted as recommended by W-Agora. It is possible that the flaw may allow index.php3 to be tricked into executing the uploaded files resulting in a loss of confidentiality, integrity, or availability. |
| 11250 | 2004-10-19 | w-Agora auth.php XSS | w-Agora contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate user input upon submission to the auth.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 11248 | 2003-12-10 | w-Agora auth.php3 Remote File Inclusion | w-Agora contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to auth.php3 not properly sanitizing user input supplied to unspecified variables. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script. |
| 28169 | 2003-12-10 | w-Agora auth.php3 Unspecified Parameter XSS | w-Agora contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate unspecified variables upon submission to the auth.php3 script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 11243 | 2003-12-10 | w-Agora browse.php3 Remote File Inclusion | w-Agora contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to browse.php3 not properly sanitizing user input supplied to unspecified variables. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script. |
| 28170 | 2003-12-10 | w-Agora browse.php3 Unspecified Parameter XSS | w-Agora contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate unspecified variables upon submission to the browse.php3 script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 20059 | 2005-10-17 | w-Agora browse_avatar.php Arbitrary File Upload | Unknown / Incomplete |
| 34384 | 2007-03-20 | W-Agora browse_avatar.php Multiple File Extension Upload Arbitrary Code Execution | (Description Provided by CVE): Multiple unrestricted file upload vulnerabilities in w-Agora (Web-Agora) allow remote attackers to upload and execute arbitrary PHP code (1) via a forum message with an attached file, which is stored under forums/hello/hello/notes/ or (2) by using browse_avatar.php to upload a file with a double extension, as demonstrated by .php.jpg. |
| 34379 | 2007-03-20 | W-Agora change_password.php userid Parameter XSS | (Description Provided by CVE): Multiple cross-site scripting (XSS) vulnerabilities in w-Agora (Web-Agora) allow remote attackers to inject arbitrary web script or HTML via (1) the showuser parameter to profile.php, the (2) search_forum or (3) search_user parameter to search.php, or (4) the userid parameter to change_password.php. |
| 43829 | 2008-03-20 | W-Agora create_forum.php bn_dir_default Parameter Remote File Inclusion | (Description Provided by CVE): Multiple PHP remote file inclusion vulnerabilities in W-Agora 4.0 allow remote attackers to execute arbitrary PHP code via a URL in the bn_dir_default parameter to (1) add_user.php, (2) create_forum.php, (3) create_user.php, (4) delete_notes.php, (5) delete_user.php, (6) edit_forum.php, (7) mail_users.php, (8) moderate_notes.php, and (9) reorder_forums.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
| 43830 | 2008-03-20 | W-Agora create_user.php bn_dir_default Parameter Remote File Inclusion | (Description Provided by CVE): Multiple PHP remote file inclusion vulnerabilities in W-Agora 4.0 allow remote attackers to execute arbitrary PHP code via a URL in the bn_dir_default parameter to (1) add_user.php, (2) create_forum.php, (3) create_user.php, (4) delete_notes.php, (5) delete_user.php, (6) edit_forum.php, (7) mail_users.php, (8) moderate_notes.php, and (9) reorder_forums.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
| 31668 | 2007-03-19 | w-Agora delete_forum.php Path Disclosure | w-Agora contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a specially-crafted URL request with an invalid parameter is passed to delete_forum.php, leading to a fatal error due to a call to an undefined function msgform() in delete_forum.php. The error information discloses the true path of the server-side scripts, resulting in a loss of confidentiality. |
| 43831 | 2008-03-20 | W-Agora delete_notes.php bn_dir_default Parameter Remote File Inclusion | (Description Provided by CVE): Multiple PHP remote file inclusion vulnerabilities in W-Agora 4.0 allow remote attackers to execute arbitrary PHP code via a URL in the bn_dir_default parameter to (1) add_user.php, (2) create_forum.php, (3) create_user.php, (4) delete_notes.php, (5) delete_user.php, (6) edit_forum.php, (7) mail_users.php, (8) moderate_notes.php, and (9) reorder_forums.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
| 43832 | 2008-03-20 | W-Agora delete_user.php bn_dir_default Parameter Remote File Inclusion | (Description Provided by CVE): Multiple PHP remote file inclusion vulnerabilities in W-Agora 4.0 allow remote attackers to execute arbitrary PHP code via a URL in the bn_dir_default parameter to (1) add_user.php, (2) create_forum.php, (3) create_user.php, (4) delete_notes.php, (5) delete_user.php, (6) edit_forum.php, (7) mail_users.php, (8) moderate_notes.php, and (9) reorder_forums.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
| 10458 | 2004-09-29 | w-Agora download_thread.php thread Parameter XSS | W-Agora contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate "thread" variables upon submission to the "download_thread.php" script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 43833 | 2008-03-20 | W-Agora edit_forum.php bn_dir_default Parameter Remote File Inclusion | (Description Provided by CVE): Multiple PHP remote file inclusion vulnerabilities in W-Agora 4.0 allow remote attackers to execute arbitrary PHP code via a URL in the bn_dir_default parameter to (1) add_user.php, (2) create_forum.php, (3) create_user.php, (4) delete_notes.php, (5) delete_user.php, (6) edit_forum.php, (7) mail_users.php, (8) moderate_notes.php, and (9) reorder_forums.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
| 38025 | 2002-12-19 | w-Agora editform.php Arbitrary Form Field XSS | (Description Provided by CVE): Cross-site scripting vulnerability (XSS) in editform.php for w-Agora 4.1.5 allows remote attackers to execute arbitrary web script via an arbitrary form field name containing the script, which is echoed back to the user when displaying the form. |
| 3169 | 2002-12-19 | w-Agora editform.php file Variable Arbitrary Local PHP Code Execution | W-Agora contains a flaw that may allow an "admin" or "root" user to include php files. The issue is triggered when a specially crafted URL request to editform.php3 occurs. It is possible that the flaw may allow execution of arbitrary code resulting in a loss of confidentiality, integrity, and/or availability. |
| 20058 | 2005-10-14 | w-Agora extras/quicklist.php Remote Command Execution | Unknown / Incomplete |
| 75169 | 2010-10-27 | W-Agora for-print.php3 Multiple Parameter XSS | Unknown / Incomplete |
| 10460 | 2004-09-30 | w-Agora forgot_password.php userid Parameter XSS | w-Agora contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'userid' variables upon submission to the 'forgot_password.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 34383 | 2007-03-20 | W-Agora Forum Message Attachment Unrestricted File Upload | (Description Provided by CVE): Multiple unrestricted file upload vulnerabilities in w-Agora (Web-Agora) allow remote attackers to upload and execute arbitrary PHP code (1) via a forum message with an attached file, which is stored under forums/hello/hello/notes/ or (2) by using browse_avatar.php to upload a file with a double extension, as demonstrated by .php.jpg. |
| 87220 | 2012-08-17 | w-Agora getfile.php att_id Parameter SQL Injection | w-Agora contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the getfile.php script not properly sanitizing user-supplied input to the 'att_id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. |
| 87219 | 2012-08-17 | w-Agora getfile.php att_id Parameter XSS | w-Agora contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'att_id' parameter upon submission to the getfile.php script. This may allow a user to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 75333 | 2011-03-16 | W-Agora getfile.php Unspecified Parameter XSS | Unknown / Incomplete |
| 31670 | 2007-03-19 | w-Agora globals.inc Direct Request Path Disclosure | w-Agora contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker appends "/globals.inc" to the end of a request, which will disclose the software's installation path resulting in a loss of confidentiality. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks. |
| 25295 | 2006-04-29 | w-Agora HTML/Script Filter Bypass XSS | (Description Provided by CVE): Cross-site scripting (XSS) vulnerability in w-Agora (aka Web-Agora) 4.2.0 allows remote attackers to inject arbitrary web script or HTML via a post with a BBCode tag that contains a JavaScript event name followed by whitespace before the '=' (equals) character, which bypasses a restrictive regular expression that attempts to remove onmouseover and other events. |
| 11249 | 2003-12-10 | w-Agora HTTP POST Request .htaccess Bypass | w-Agora contains a flaw that may allow a remote attacker to access normally protected scripts. The issue is due to the default .htaccess file only restricting GET requests. This could allow an attacker to request and interact with scripts using the POST method. |