[Original] CRLF injection vulnerability in subscribe_thread.php in w-Agora 4.1.6a allows remote attackers to perform HTTP response splitting attacks, modifying the HTML content the server is expected to return, via the thread parameter.
Multiple vulnerabilities are reported to affect the application. These issues arise due to insufficient sanitization of user-supplied data. A remote attacker may leverage these vulnerabilities to carry out SQL injection, cross-site scripting, and HTTP response splitting attacks.
These issues were identified in W-Agora 4.1.6a; other versions may also be affected.
w-Agora contains a flaw that may allow a malicious user to compromise user sessions. The issue is due to the "thread" parameter of the "subscribe_thread" script insufficiently sanitizing user-supplied input before it reaches an HTTP response header. By supplying a value containing carriage-return/line-feed sequences, a remote attacker may be able to split the HTTP response and inject a second, attacker-controlled response, resulting in a loss of integrity.
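The following is an added example, not w-Agora's code, that shows the flaw class described above: a request parameter decoded by the server (so that %0d%0a becomes a literal CR LF) is copied into a redirect header unchecked, which lets one response become two, next to a hardened version that refuses CR/LF. The redirect layout, the view_thread.php target and the attacker payload are constructed assumptions modelled on the advisory.

```python
"""HTTP response splitting via an unsanitized request parameter.

Added example (not w-Agora's code). The redirect layout, the target
script name and the attack payload are assumptions.
"""
import re
import urllib.parse

CRLF = "\r\n"

# Constructed attacker query string: a thread id followed by URL-encoded
# CR/LF (%0d%0a) that closes the real response and starts a second one.
INJECTED_BODY = "<html>attacker-controlled page</html>"
ATTACK_QUERY = (
    "thread=42%0d%0a"
    "Content-Length:%200%0d%0a%0d%0a"
    "HTTP/1.1%20200%20OK%0d%0a"
    "Content-Type:%20text/html%0d%0a"
    f"Content-Length:%20{len(INJECTED_BODY)}%0d%0a%0d%0a"
    + urllib.parse.quote(INJECTED_BODY, safe="")
)


def thread_param(query: str) -> str:
    """Decode the query string as a web server / PHP $_GET would, so that
    %0d%0a is already a literal CR LF when the application reads it."""
    return urllib.parse.parse_qs(query)["thread"][0]


def header_value_is_safe(value: str) -> bool:
    """True when the value contains no CR or LF and so cannot end a header."""
    return re.search(r"[\r\n]", value) is None


def redirect_vulnerable(query: str) -> str:
    """Copy the decoded parameter into a Location header without any check."""
    thread = thread_param(query)
    return (
        "HTTP/1.1 302 Found" + CRLF
        + "Location: /view_thread.php?thread=" + thread + CRLF
        + "Content-Type: text/html" + CRLF
        + CRLF
        + "<html>Redirecting...</html>"
    )


def redirect_hardened(query: str) -> str:
    """Reject CR/LF outright and percent-encode everything else before the
    value is placed in a header."""
    thread = thread_param(query)
    if not header_value_is_safe(thread):
        raise ValueError("CR/LF in header value rejected")
    safe = urllib.parse.quote(thread, safe="")
    return (
        "HTTP/1.1 302 Found" + CRLF
        + "Location: /view_thread.php?thread=" + safe + CRLF
        + "Content-Type: text/html" + CRLF
        + CRLF
        + "<html>Redirecting...</html>"
    )


def split_responses(raw: str) -> list:
    """Split a raw response stream at every line that looks like a status
    line; a client or caching proxy treats each piece as its own response."""
    parts = re.split(r"(?m)(?=^HTTP/1\.[01] \d{3} )", raw)
    return [p for p in parts if p]


if __name__ == "__main__":
    pieces = split_responses(redirect_vulnerable(ATTACK_QUERY))
    print(f"vulnerable handler emitted {len(pieces)} responses")
    print(pieces[1])
    try:
        redirect_hardened(ATTACK_QUERY)
    except ValueError as exc:
        print("hardened handler:", exc)
```

The second element returned by split_responses for the attack query is a complete 200 response whose body the attacker chose; a browser or shared cache that reads it as the answer to the next request is the integrity loss the advisory describes. Rejecting CR and LF is the check that matters; percent-encoding alone is only sufficient if it is applied after decoding, on the exact value that goes into the header. Later PHP releases (5.1.2 and up) refuse newlines inside header(), so the same check is still needed wherever code assembles headers itself.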
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.