Hello Bugtraq! I want to warn you about Cross-Site Scripting and Local File Inclusion vulnerabilities in W-Agora. In addition to vulnerabilities in this system which I found and disclosed in 2006 (SecurityVulns ID: 6960). ------------------------- Affected products: ------------------------- Vulnerable are W-Agora 4.2.1 and previous versions. ---------- Details: ---------- XSS (WASC-08): http://site/news/search.php3?bn=%3Cbody%20onload=alert(document.cookie)% 3E Local File Inclusion (WASC-31): It's possible to include php-files (with extension php3 in version W-Agora 4.1.5 or with extension php in version 4.2.1). In folder conf: http://site/news/search.php3?bn=1 In any folder (only on Windows-servers): http://site/news/search.php3?bn=..\1 In last versions of the system search.php3 has name search.php. ------------ Timeline: ------------ 2010.08.27 - announced at my site. 2010.08.29 - informed developers. Developers of W-Agora didn't answer and didn't fix the holes (unlike in 2006). 2010.10.22 - disclosed at my site. I mentioned about these vulnerabilities at my site (http://websecurity.com.ua/4481/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua