Multiple vulnerabilities have been identified in W-Agora, which can be exploited by malicious people to gain knowledge of sensitive information.

Sending a HTTP request for "index.php" with "info" as query-string returns various information (eg. usernames, paths, and version info).

Example:
http://[victim]/[w-agorapath]/index.php?info

It is possible to gain knowledge of the installation paths. This can be achieved by sending a HTTP request for "modules.php" and supplying invalid values for the parameters "mod" and "file".

Example:
http://[victim]/[w-agorapath]/modules.php?mod=x&file=y

Cross-Site Scripting attacks can be conducted against visitors due to an input validation error in "profile.php". This can be exploited by supplying script code as the "avatar-URL".

It has furthermore been reported that it may be possible to upload arbitrary files onto the system and then execute these. However, this is only possible if access to the directory "/forums/[sitename]/[forumname]/notes/attNr(see del_att[]
checkbox).(filename.ext).[filename.extension]" hasn't been restricted.

Reportedly, the vendor recommends that access to this directory is restricted. This issue is therefore not a vulnerability, but a misconfiguration by the system administrator.

The vulnerabilities have been reported in version 4.1.5. However, prior versions may also be affected.

Solution
Updated files have been commited to the CVS repository:
Further details available in Customer Area

Provided and/or discovered by
Martin Eiszner

Deep Links
Links available in Customer Area