| OSVDB ID | Disclosure Date | Title | Description |
|---|---|---|---|
| 75334 | 2011-03-16 | W-Agora index.php bn Parameter XSS | W-Agora contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'bn' parameter upon submission to the 'index.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 31669 | 2007-03-19 | w-Agora index.php bn[] Variable Path Disclosure | (Description Provided by CVE): w-agora 4.2.1 allows remote attackers to obtain sensitive information via the (1) bn[] array parameter to index.php, which expects a string, and (2) certain parameters to delete_forum.php, which displays the path name in the resulting error message. |
| 39883 | 2007-12-30 | W-Agora index.php cat Parameter SQL Injection | (Description Provided by CVE): SQL injection vulnerability in index.php in w-Agora 4.2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the cat parameter. |
| 3173 | 2003-07-11 | w-Agora index.php Information Disclosure | W-Agora contains a feature that may lead to an unauthorized information disclosure. The issue is triggered when index.php is requested with "about" or "info" as the query, which will disclose user names, database-systems, paths, and versions resulting in a loss of confidentiality. |
| 34381 | 2007-03-20 | W-Agora index.php Multiple Variable Path Disclosure | (Description Provided by CVE): w-Agora (Web-Agora) allows remote attackers to obtain sensitive information via a request to rss.php with an invalid (1) site or (2) bn parameter, (3) a certain value of the site[] parameter, or (4) an empty value of the bn[] parameter; a request to index.php with a certain value of the (5) site[] or (6) sort[] parameter; (7) a request to profile.php with an empty value of the site[] parameter; or a request to search.php with (8) an empty value of the bn[] parameter or a certain value of the (9) pattern[] or (10) search_date[] parameter, which reveal the path in various error messages, probably related to variable type inconsistencies. NOTE: the bn[] parameter to index.php is already covered by CVE-2007-0606.1. |
| 18831 | 2005-08-18 | w-Agora index.php site Parameter Traversal Arbitrary File Access | (Description Provided by CVE): Directory traversal vulnerability in index.php in W-Agora 4.2.0 and earlier allows remote attackers to read arbitrary files via the site parameter. |
| 11246 | 2003-12-10 | w-Agora index.php3 Remote File Inclusion | w-Agora contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to index.php3 not properly sanitizing user input supplied to unspecified variables. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script. |
| 28167 | 2003-12-10 | w-Agora index.php3 Unspecified Parameter XSS | w-Agora contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate unspecified variables upon submission to the index.php3 script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 20060 | 2005-10-17 | w-Agora insert.php Arbitrary File Upload | Unknown / Incomplete |
| 27202 | 2006-06-22 | w-Agora insert.php Multiple Script Remote File Inclusion | W-Agora contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the insert.php script not properly sanitizing user input before being called by other scripts. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script. |
| 11245 | 2003-12-10 | w-Agora insert.php3 Remote File Inclusion | w-Agora contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to insert.php3 not properly sanitizing user input supplied to unspecified variables. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script. |
| 28166 | 2003-12-10 | w-Agora insert.php3 Unspecified Parameter XSS | w-Agora contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate unspecified variables upon submission to the insert.php3 script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 75335 | 2011-03-16 | W-Agora list.php bn Parameter XSS | Unknown / Incomplete |
| 10462 | 2004-09-29 | w-Agora list.php Path Disclosure | (Description Provided by CVE): list.php in w-Agora 4.1.6a allows remote attackers to reveal the full path via a crafted HTTP request, possibly involving a malformed id parameter. |
| 11251 | 2004-10-19 | w-Agora list.php XSS | w-Agora contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate user input upon submission to the list.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 10459 | 2004-09-29 | w-Agora login.php loginuser Parameter XSS | W-Agora contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate "loginuser" variables upon submission to the login.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 75170 | 2010-10-27 | W-Agora login.php3 Multiple Parameter XSS | Unknown / Incomplete |
| 43834 | 2008-03-20 | W-Agora mail_users.php bn_dir_default Parameter Remote File Inclusion | (Description Provided by CVE): Multiple PHP remote file inclusion vulnerabilities in W-Agora 4.0 allow remote attackers to execute arbitrary PHP code via a URL in the bn_dir_default parameter to (1) add_user.php, (2) create_forum.php, (3) create_user.php, (4) delete_notes.php, (5) delete_user.php, (6) edit_forum.php, (7) mail_users.php, (8) moderate_notes.php, and (9) reorder_forums.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
| 43835 | 2008-03-20 | W-Agora moderate_notes.php bn_dir_default Parameter Remote File Inclusion | (Description Provided by CVE): Multiple PHP remote file inclusion vulnerabilities in W-Agora 4.0 allow remote attackers to execute arbitrary PHP code via a URL in the bn_dir_default parameter to (1) add_user.php, (2) create_forum.php, (3) create_user.php, (4) delete_notes.php, (5) delete_user.php, (6) edit_forum.php, (7) mail_users.php, (8) moderate_notes.php, and (9) reorder_forums.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
| 11236 | 2001-03-07 | w-Agora Moderator Arbitrary Forum Modification | w-Agora contains a flaw that may allow a malicious forum moderator to make changes to arbitrary forums. The issue is triggered due to the authentication module not properly validating a moderator's credentials. This may allow a person given specific forum moderation privileges to moderate any forum. |
| 54099 | 2003-01-11 | w-Agora modules.php file Parameter Traversal Arbitrary File Access | W-Agora contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a specially crafted URL request containing directory traversal "dot dot" sequences is made to either "index.php3" or "modules.php3", which will disclose any known file that the web server can access, resulting in a loss of confidentiality. |
| 3172 | 2003-07-11 | w-Agora modules.php Path Disclosure | W-Agora contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the mod and file variables upon submission to the modules.php3 script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 28168 | 2003-12-10 | w-Agora modules.php3 Unspecified Parameter XSS | w-Agora contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate unspecified variables upon submission to the modules.php3 script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 11247 | 2003-12-10 | w-Agora modules.php3 XSS & PHP Inclusion | w-Agora contains a flaw that may allow a remote attacker to conduct cross site scripting attacks and/or include arbitrary PHP commands or files. The issue is due to the modules.php3 script not properly sanitizing user input allowing for such attacks. No further details have been provided. |
| 11239 | 2002-06-08 | w-Agora Multiple Script inc_dir Parameter Remote File Inclusion | w-Agora contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the scripts in the 'include' and 'user' directories not properly sanitizing user input supplied to the 'inc_dir' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server. |
| 11242 | 2002-12-09 | w-Agora Multiple URL Argument Unspecified Issue | w-Agora contains a flaw related to the "where" and "sort" URL arguments, as related to the "before_access" function. No further details have been provided. |
| 75171 | 2010-10-27 | W-Agora on Windows for-print.php3 bn Parameter Traversal Local File Inclusion | W-Agora on Windows contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'for-print.php3' script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied to the 'bn' parameter. This may allow an attacker to include a file from the targeted host that contains arbitrary commands or code that will be executed by the vulnerable script. Such attacks are limited due to the script only calling files already on the target host. In addition, this flaw can potentially be used to disclose the contents of any file on the system accessible by the web server. |
| 75172 | 2010-10-27 | W-Agora on Windows login.php3 bn Parameter Traversal Local File Inclusion | W-Agora on Windows contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'login.php3' script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied to the 'bn' parameter. This may allow an attacker to include a file from the targeted host that contains arbitrary commands or code that will be executed by the vulnerable script. Such attacks are limited due to the script only calling files already on the target host. In addition, this flaw can potentially be used to disclose the contents of any file on the system accessible by the web server. |
| 75174 | 2010-10-22 | W-Agora on Windows search.php3 bn Parameter Traversal Local File Inclusion | W-Agora on Windows contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'search.php3' script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied to the 'bn' parameter. This may allow an attacker to include a file from the targeted host that contains arbitrary commands or code that will be executed by the vulnerable script. Such attacks are limited due to the script only calling files already on the target host. In addition, this flaw can potentially be used to disclose the contents of any file on the system accessible by the web server. |
| 34377 | 2007-03-20 | W-Agora profile.php showuser Parameter XSS | (Description Provided by CVE): Multiple cross-site scripting (XSS) vulnerabilities in w-Agora (Web-Agora) allow remote attackers to inject arbitrary web script or HTML via (1) the showuser parameter to profile.php, the (2) search_forum or (3) search_user parameter to search.php, or (4) the userid parameter to change_password.php. |