W-Agora v.4.2.1 Multiple Security Vulnerabilities

Description
1) The browse_avatar.php script fails to validate the extension of an uploaded file. This can be exploited to upload files with the ".php" extension and execute arbitrary PHP code on the server.
Successful exploitation requires passing an allowed MIME media type in the HTTP headers.
2) Input passed to the "search_forum" parameter in search.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
3) Input passed to the "showuser" parameter in profile.php is not properly sanitised before being returned to a user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Confirmed in version available at 4.2.1. Other versions may also be affected.

Impact
This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site, upload arbitrary files to a location inside the web root (e.g. a PHP script) and/or manipulate SQL queries by injecting arbitrary SQL code.

References
Original Advisory
Product Homepage

View entire list of over 400 known Web Application Vulnerabilities and the specific technologies which they target. See Web Vulnerabilities in popular applications such as: WordPress, Tiki Wiki, PHPNuke, PHPMyAdmin, phpBB, Mambo, PHP-Fusion, Mantis, Invision Power Board

Get latest new web vulnerabilities via RSS