VID | 21920 |
Severity | 40 |
Port | 80, ... |
Protocol | TCP |
Class | CGI |
Detailed Description |
The w-Agora program is vulnerable to multiple remote file include vulnerabilities via the 'inc_dir' parameter. w-Agora is a freely available Web forum and publishing program for Microsoft Windows, Linux, and Unix-based operating systems, written in PHP. w-Agora version 4.2.0 and possibly earlier versions are vulnerable to multiple remote file include vulnerabilities, caused by improper validation of user-supplied input passed to the 'inc_dir' parameter of several scripts. If register_globals is disabled, a remote attacker could send a specially-crafted URL request to execute arbitrary PHP code and operating system commands on the affected host.
* References: http://advisories.echo.or.id/adv/adv34-theday-2006.txt http://secunia.com/advisories/20779/
* Platforms Affected: Marc Druilhe, w-Agora version 4.2.0 and possibly earlier versions; any operating system, any version |
Recommendation |
No upgrade or patch available as of July 2006.
Upgrade to a version of w-Agora greater than 4.2.0 when a fixed version becomes available from the w-Agora Web site at http://www.w-agora.net/en/download.php
As a workaround, enable PHP's 'register_globals' setting. |
Related URL | (CVE) |
Related URL | (SecurityFocus) |
Related URL | (ISS) |