OSVDB ID: 26543

Title: WikkaWiki wikka.php Method() Function Arbitrary Page Access

Dates

Disclosure: Jun 16, 2006
Discovery: Dec 16, 2005
Exploit: Unknown
Solution: Unknown

Description

WikkaWiki contains a flaw that allows remote arbitrary page access. The flaw exists because the application does not use the strstr() function correctly within the Method() function when a request is submitted to the wikka.php script. This could allow a user to create a specially crafted URL that grants arbitrary page access, leading to a loss of integrity.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Disclosure: OSVDB Verified, Vendor Verified
OSVDB: Web Related

Solution

Upgrade to version 1.1.6.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

WikkaWiki

WikkaWiki

1.1.6.1

References

Credit

  • Philipp A. Hartmann
  • Munehiro Yamakawa


Direct URL: http://osvdb.org/26543