____________________   ___ ___ ________
\_   _____/\_   ___ \ /   |   \\_____  \
 |    __)_ /    \  \//    ~    \/   |   \
 |        \\     \___\    Y    /    |    \
/_______  / \______  /\___|_  /\_______  /
        \/         \/       \/         \/
                            .OR.ID
ECHO_ADV_59$2006

-----------------------------------------------------------------------------------------------
[ECHO_ADV_59$2006] Agora 1.4 RC1 "$_SESSION[PATH_COMPOSANT]" Remote File Inclusion Vulnerability
-----------------------------------------------------------------------------------------------

Author       : Dedi Dwianto a.k.a the_day
Date Found   : November, 01st 2006
Location     : Indonesia, Jakarta
web          : http://advisories.echo.or.id/adv/adv59-theday-2006.txt
Critical Lvl : Highly critical
Impact       : System access
Where        : From Remote
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : Agora
version     : 1.4 RC1
URL         : http://www.agora.gouv.fr

Based on the free software SPIP, Agora is a free content management system
for the Internet, developed in PHP, that makes it possible to set up and
manage Internet, intranet or extranet sites quickly and at lower cost.

---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~

I found a vulnerability in modules/Mysqlfinder/MysqlfinderAdmin.php

--------------------------modules/Mysqlfinder/MysqlfinderAdmin.php----------
....