Agora.cgi Debug Mode Path Disclosure Vulnerability

vendor:

Agora.cgi

by:

SecurityFocus

2.6

CVSS

LOW

Path Disclosure

200

CWE

Product Name: Agora.cgi

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2002

Agora.cgi Debug Mode Path Disclosure Vulnerability

When debug mode is enabled, it is possible for a remote attacker to display the absolute path to the directory that the agora.cgi script is stored in. This is possible by making a web request for a non-existent .html file.

Mitigation:

Disable debug mode in the agora.cgi script.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/3976/info

Agora.cgi is a freely available, open source shopping cart system. 

When debug mode is enabled, it is possible for a remote attacker to display the absolute path to the directory that the agora.cgi script is stored in. This is possible by making a web request for a non-existent .html file.

The remote attacker may potentially use the disclosed information to aid in further "intelligent" attacks against the host running the vulnerable software.

The following example is sufficient to reproduce this issue:

http://agoracgistorehost/cgi-bin/store/agora.cgi?page=pretendpage.html

where pretendpage.html is a non-existent .html file.