w-Agora Arbitrary File Upload and Execution Flaw

2003-07-11T00:00:00
ID OSVDB:3174
Type osvdb
Reporter OSVDB
Modified 2003-07-11T00:00:00

Description

Vulnerability Description

W-Agora contains a flaw that may allow a malicious user to arbitrarily upload files. The issue is triggered when only if the forum's notes directory hasn't been restricted as recommended by W-Agora. It is possible that the flaw may allow index.php3 to be tricked into executing the uploaded files resulting in a loss of confidentiality, integrity, or availability.

Solution Description

Upgrade to version 4.1.6 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

W-Agora contains a flaw that may allow a malicious user to arbitrarily upload files. The issue is triggered when only if the forum's notes directory hasn't been restricted as recommended by W-Agora. It is possible that the flaw may allow index.php3 to be tricked into executing the uploaded files resulting in a loss of confidentiality, integrity, or availability.

References:

Vendor URL: http://www.w-agora.net/en/index.php Secunia Advisory ID:10422 Secunia Advisory ID:9247 Bugtraq ID: 8164