w-Agora Upgrade Scripts Arbitrary Command Execution

2004-10-19T15:48:43
ID OSVDB:11254
Type osvdb
Reporter OSVDB
Modified 2004-10-19T15:48:43

Description

Vulnerability Description

w-Agora contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the upgrade scripts potentially allowing remote files to be included. By specifying an arbitrary PHP file on a remote server, an attacker could cause the upgrade scripts to process it and run commands on the server. This only affects systems that do not use a .htaccess file or do not implement one properly.

Solution Description

Upgrade to version 4.1.7 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Vendor URL: http://www.w-agora.net/
Vendor Specific News/Changelog Entry: http://www.w-agora.net/current/doc/ChangeLog
Keyword: Remote File Inclusion