WikkaWiki wikka.php Method() Function Arbitrary Page Access

2006-06-16T09:49:08
ID OSVDB:26543
Type osvdb
Reporter Munehiro Yamakawa, Philipp A. Hartmann
Modified 2006-06-16T09:49:08

Description

Vulnerability Description

WikkaWiki contains a flaw that allows remote arbitrary page access. The flaw exists because the Method() function does not use the strstr() function correctly when handling requests submitted to the wikka.php script. A user could create a specially crafted URL to gain arbitrary page access, leading to a loss of integrity.

Solution Description

Upgrade to version 1.1.6.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Vendor Specific News/Changelog Entry: http://wikkawiki.org/WikkaReleaseNotes
Vendor Specific News/Changelog Entry: http://wush.net/trac/wikka/ticket/36
Secunia Advisory ID: 20628
Related OSVDB ID: 26544
ISS X-Force ID: 27226
FrSIRT Advisory: ADV-2006-2381
CVE-2006-7049
Bugtraq ID: 18484