| OSVDB ID | Disclosure Date | Title |
|
3170
Description:
W-Agora contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate variables upon submission to the profile.php3 script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
|
2003-07-11
|
w-Agora profile.php XSS
|
|
11252
Description:
w-Agora contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the user-supplied input in the quicklist.php script is not verified properly and will allow an attacker to inject or manipulate SQL queries.
|
2004-10-19
|
w-Agora quicklist.php SQL Injection
|
|
11240
Description:
w-Agora contains a flaw related to the quicklist.php script. No further details have been provided.
|
2002-12-09
|
w-Agora quicklist.php Unspecified Issue
|
|
10457
Description:
W-Agora contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the "key" variable in the "redir_url.php" module is not verified properly and will allow an attacker to inject or manipulate SQL queries.
|
2004-09-29
|
w-Agora redir_url.php key Parameter SQL Injection
|
|
75337
Description:
W-Agora contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'register.php' script not properly sanitizing user-supplied input to the 'bn' parameter. This may allow an attacker to include a file from the targeted host that contains arbitrary commands that will be executed by the vulnerable script. Such attacks are limited due to the script only calling files already on the target host. In addition, this flaw can potentially be used to disclose the contents of any file on the system accessible by the web server.
|
2011-03-18
|
W-Agora register.php bn Parameter Local File Inclusion
|
|
75336
Description:
W-Agora contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'bn' parameter upon submission to the 'register.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
|
2011-03-18
|
W-Agora register.php bn Parameter XSS
|
|
43836
Description:
(Description Provided by CVE) : Multiple PHP remote file inclusion vulnerabilities in W-Agora 4.0 allow remote attackers to execute arbitrary PHP code via a URL in the bn_dir_default parameter to (1) add_user.php, (2) create_forum.php, (3) create_user.php, (4) delete_notes.php, (5) delete_user.php, (6) edit_forum.php, (7) mail_users.php, (8) moderate_notes.php, and (9) reorder_forums.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
|
2008-03-20
|
W-Agora reorder_forums.php bn_dir_default Parameter Remote File Inclusion
|
|
63644
Description:
W-Agora contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'rss.php' script not properly sanitizing user input supplied to the 'bn' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.
|
2010-01-04
|
W-Agora rss.php bn Parameter Remote File Inclusion
|
|
34380
Description:
(Description Provided by CVE) : w-Agora (Web-Agora) allows remote attackers to obtain sensitive information via a request to rss.php with an invalid (1) site or (2) bn parameter, (3) a certain value of the site[] parameter, or (4) an empty value of the bn[] parameter; a request to index.php with a certain value of the (5) site[] or (6) sort[] parameter; (7) a request to profile.php with an empty value of the site[] parameter; or a request to search.php with (8) an empty value of the bn[] parameter or a certain value of the (9) pattern[] or (10) search_date[] parameter, which reveal the path in various error messages, probably related to variable type inconsistencies. NOTE: the bn[] parameter to index.php is already covered by CVE-2007-0606.1.
|
2007-03-20
|
W-Agora rss.php Multiple Variable Path Disclosure
|
|
75339
Description:
W-Agora contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'rss.php3' script not properly sanitizing user-supplied input to the 'site' parameter. This may allow an attacker to include a file from the targeted host that contains arbitrary commands that will be executed by the vulnerable script. Such attacks are limited due to the script only calling files already on the target host. In addition, this flaw can potentially be used to disclose the contents of any file on the system accessible by the web server.
|
2011-03-18
|
W-Agora rss.php3 site Parameter Local File Inclusion
|
|
75338
Description:
W-Agora contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'site' parameter upon submission to the 'rss.php3' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
|
2011-03-18
|
W-Agora rss.php3 site Parameter XSS
|
|
75173
Description:
W-Agora contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'bn' parameter upon submission to the search.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
|
2010-10-22
|
W-Agora search.php bn Parameter XSS
|
|
34376
Description:
(Description Provided by CVE) : search.php in w-Agora (Web-Agora) allows remote attackers to obtain potentially sensitive information via a ' (quote) value followed by certain SQL sequences in the (1) search_forum or (2) search_user parameter, which force a SQL error.
|
2007-03-20
|
W-Agora search.php Forced SQL Error Information Disclosure
|
|
34382
Description:
(Description Provided by CVE) : w-Agora (Web-Agora) allows remote attackers to obtain sensitive information via a request to rss.php with an invalid (1) site or (2) bn parameter, (3) a certain value of the site[] parameter, or (4) an empty value of the bn[] parameter; a request to index.php with a certain value of the (5) site[] or (6) sort[] parameter; (7) a request to profile.php with an empty value of the site[] parameter; or a request to search.php with (8) an empty value of the bn[] parameter or a certain value of the (9) pattern[] or (10) search_date[] parameter, which reveal the path in various error messages, probably related to variable type inconsistencies. NOTE: the bn[] parameter to index.php is already covered by CVE-2007-0606.1.
|
2007-03-20
|
W-Agora search.php Multiple Variable Path Disclosure
|
|
34378
Description:
(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in w-Agora (Web-Agora) allow remote attackers to inject arbitrary web script or HTML via (1) the showuser parameter to profile.php, the (2) search_forum or (3) search_user parameter to search.php, or (4) the userid parameter to change_password.php.
|
2007-03-20
|
W-Agora search.php search_user Parameter XSS
|
|
10461
Description:
w-Agora contains a flaw that may allow a malicious user to compromise user sessions. The issue is due to the "thread" parameter of the "subscribe_thread" script insufficiently sanitizing user-supplied input. By inserting specially crafted HTML/script code, a remote attacker may be able to split the HTTP response, resulting in a loss of integrity.
|
2004-09-29
|
w-Agora subscribe_thread.php HTTP Response Splitting
|
|
11241
Description:
w-Agora contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the "key" variable in undisclosed scripts is not verified properly and will allow an attacker to inject or manipulate SQL queries.
|
2002-12-09
|
w-Agora Unspecified SQL Injection
|
|
11244
Description:
w-Agora contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to update.php3 not properly sanitizing user input supplied to unspecified variables. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.
|
2003-12-10
|
w-Agora update.php3 Remote File Inclusion
|
|
28165
Description:
w-Agora contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate unspecified variables upon submission to the update.php3 script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
|
2003-12-10
|
w-Agora update.php3 Unspecified Parameter XSS
|
|
11254
Description:
w-Agora contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the upgrade scripts potentially allowing remote files to be included. By specifying an arbitrary PHP file on a remote server, the upgrade scripts could process it and run commands on the server. This would only affect systems that do not use or properly implement a .htaccess file.
|
2004-10-19
|
w-Agora Upgrade Scripts Arbitrary Command Execution
|
|
11238
Description:
w-Agora contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when the wa_info() function calls phpInfo(), which will disclose system information resulting in a loss of confidentiality.
|
2001-07-19
|
w-Agora wa_info Function Information Disclosure
|
|
78267
Description:
w-CMS contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the 'getMenus()' function in the codes/wcms.php script does not validate the 'p' parameter upon submission to the index.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
|
2012-01-10
|
w-CMS codes/wcms.php getMenus() Function p Parameter XSS
|
|
78268
Description:
w-CMS contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the index.php script does not validate the 'COMMENT' parameter upon submission to the codes/blog.php, codes/guestbook.php or codes/forum.php scripts. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
|
2012-01-10
|
w-CMS index.php COMMENT Parameter XSS
|
|
32284
Description:
(Description Provided by CVE) : index.php in w00t Gallery 1.4.0 allows remote authenticated users with privileges for one installation to gain access to other installations on the same web server, aka "multi-gallery admin session spanning." NOTE: some of these details are obtained from third party information.
|
2006-12-14
|
w00t Gallery index.php Arbitrary Installation Access
|
|
36470
Description:
(Description Provided by CVE) : Cross-site scripting (XSS) vulnerability in W1L3D4_aramasonuc.asp in W1L3D4 Philboard 0.3 allows remote attackers to inject arbitrary web script or HTML via the searchterms parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
|
2007-07-25
|
W1L3D4 Philboard W1L3D4_aramasonuc.asp searchterms Parameter XSS
|
|
36308
Description:
(Description Provided by CVE) : SQL injection vulnerability in urunbak.asp in W1L3D4 WEBmarket 0.1 allows remote attackers to execute arbitrary SQL commands via the id parameter.
|
2007-06-08
|
W1L3D4 WEBmarket urunbak.asp id Parameter SQL Injection
|
|
37465
Description:
(Description Provided by CVE) : Cross-site scripting (XSS) vulnerability in auth.w2b in W2B Online Banking allows remote attackers to inject arbitrary web script or HTML via the adtype parameter, a different vector than CVE-2006-1980.
|
2007-05-29
|
W2B Online Banking auth.w2b adtype Parameter XSS
|
|
37467
Description:
W2B Online Banking contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the DocPay.w2b script not properly sanitizing user-supplied input to the listDocPay parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
|
2007-05-28
|
W2B Online Banking DocPay.w2b listDocPay Parameter SQL Injection
|
|
44453
Description:
W2B Online Banking contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'index.php' script not properly sanitizing user input supplied to the 'ilang' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.
|
2008-04-15
|
W2B Online Banking index.php ilang Parameter Remote File Inclusion
|
|
24759
Description:
W2B Online Banking contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'SID' variable upon submission to the index.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
|
2006-04-20
|
W2B Online Banking index.php SID Parameter XSS
|