list.php in w-Agora 4.1.6a allows remote malicious users to reveal the full path via a crafted HTTP request, possibly involving a malformed id parameter.
w-agora w-agora 4.1.6a