w-Agora :: News

  *** SECURITY VULNERABILITY IN W-AGORA ***

[ 12-Jun-2002 ]
A security hole has been found in w-agora that may allow a remote user to execute arbitrary PHP scripts on the server on which w-agora resides.
This security hole affects all w-agora versions up to and including w-agora 4.1.3.

You will find more information at:
http://www.phpadvisory.com/advisories/view.phtml?ID=31

Affected Files
---------------
- include/oci8.php
- include/postgres.php
- include/postgres65.php
- include/mysql.php
- include/mssql7.php
- include/msql.php

- user/agora_user.php
- user/ldap_example.php

SOLUTION
------------
1. A fast workaround for this issue is to protect the directories include/ and user/ with a .htaccess file.
Just copy the .htaccess file from the conf/ directory.

2. You can edit the affected files by replacing the line
include ("$inc_dir/dbaccess.$ext");
with:
include ("include/dbaccess.$ext");

OR by adding:

if (!defined('_GLOBALS')) {
    die('Hacking attempt');
}
at the top of each affected file.

3. The fix is included in the 4.1.4 release
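
To check which of the listed files on an installation still need one of the fixes above, the following added example (not part of the original advisory or of w-agora) audits a w-agora root directory. The status names, the regular expressions and the sample tree are constructed for illustration; the file list and the two code patterns come from the advisory.

```python
import re
import tempfile
from pathlib import Path

# Affected files, as listed in the advisory (relative to the w-agora root).
AFFECTED = [
    "include/oci8.php", "include/postgres.php", "include/postgres65.php",
    "include/mysql.php", "include/mssql7.php", "include/msql.php",
    "user/agora_user.php", "user/ldap_example.php",
]
# An include/require whose path is built from $inc_dir (the line option 2 replaces).
VULN_INCLUDE = re.compile(r"""\b(?:include|require)(?:_once)?\s*\(?\s*["']\$inc_dir/""")
# The guard from option 2: if (!defined('_GLOBALS')) die(...). Presence only, not position.
GUARD = re.compile(r"""!\s*defined\s*\(\s*["']_GLOBALS["']\s*\)""")

def audit(root):
    """Return {relative_path: status} for every affected file under root."""
    root, report = Path(root), {}
    for rel in AFFECTED:
        path = root / rel
        src = path.read_text(errors="replace") if path.is_file() else None
        if src is None:
            report[rel] = "missing"
        elif GUARD.search(src):
            report[rel] = "guarded"
        elif VULN_INCLUDE.search(src):
            # Option 1: a .htaccess in the same directory (existence check only).
            shielded = (path.parent / ".htaccess").is_file()
            report[rel] = "htaccess-only" if shielded else "VULNERABLE"
        else:
            report[rel] = "patched"
    return report

def demo():
    """Audit a constructed sample tree (not real w-agora source)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("include", "user"):
            (root / d).mkdir()
        vuln = 'include ("$inc_dir/dbaccess.$ext");\n'
        guard = "if (!defined('_GLOBALS')) {\ndie('Hacking attempt');\n}\n"
        (root / "include/mysql.php").write_text("<?php\n" + vuln)
        (root / "include/msql.php").write_text('<?php\ninclude ("include/dbaccess.$ext");\n')
        (root / "include/oci8.php").write_text("<?php\n" + guard + vuln)
        (root / "user/agora_user.php").write_text("<?php\n" + vuln)
        (root / "user/.htaccess").write_text("deny from all\n")  # constructed content
        return audit(root)

if __name__ == "__main__":
    print("\n".join(f"{status:14} {rel}" for rel, status in demo().items()))
```

A .htaccess file on disk does not prove the web server honours it, so treat "htaccess-only" as a stopgap and apply option 2 or upgrade to 4.1.4.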


