Vulnerability CVE-2011-4449


Published: 2012-09-05   Modified: 2012-09-06

Description:
actions/files/files.php in WikkaWiki 1.3.1 and 1.3.2, when INTRANET_MODE is enabled, supports file uploads for file extensions that are typically absent from an Apache HTTP Server TypesConfig file, which makes it easier for remote attackers to execute arbitrary PHP code by placing this code in a file whose name has multiple extensions, as demonstrated by a (1) .mm or (2) .vpp file.
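
The multiple-extension behaviour described above, as an added defensive example (not WikkaWiki or Apache code). It is a simplified model of how Apache mod_mime looks up each extension independently and skips ones it does not know, set beside a last-extension check and a stricter one. The mapping tables, the allow-list and the sample file names are constructed assumptions.

```python
# Constructed sample mappings (assumptions), not a real server's configuration.
# KNOWN_TYPES stands in for the TypesConfig (mime.types) file; KNOWN_HANDLERS
# stands in for an "AddHandler ... .php" style mapping.
KNOWN_TYPES = {"txt": "text/plain", "png": "image/png", "pdf": "application/pdf"}
KNOWN_HANDLERS = {"php": "php-script"}
ALLOWED_UPLOADS = {"mm", "vpp", "png", "pdf"}  # hypothetical allow-list

def extensions(filename):
    """Every dot-separated segment after the base name, lowercased."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return [part.lower() for part in name.split(".")[1:] if part]

def resolve(filename):
    """Simplified mod_mime model: each extension is looked up on its own,
    unknown ones are skipped, and type and handler are tracked separately."""
    mime_type = handler = None
    for ext in extensions(filename):
        mime_type = KNOWN_TYPES.get(ext, mime_type)
        handler = KNOWN_HANDLERS.get(ext, handler)
    return mime_type, handler

def would_execute(filename):
    """True when any extension in the name maps to a server-side handler."""
    return resolve(filename)[1] is not None

def last_extension_check(filename, allowed=ALLOWED_UPLOADS):
    """Flawed pattern: only the final extension is compared."""
    exts = extensions(filename)
    return bool(exts) and exts[-1] in allowed

def strict_check(filename, allowed=ALLOWED_UPLOADS):
    """Accept a name only if it has exactly one extension, that extension is
    allow-listed, and no segment maps to a server-side handler."""
    exts = extensions(filename)
    return len(exts) == 1 and exts[0] in allowed and not would_execute(filename)

if __name__ == "__main__":
    # Constructed file names for illustration.
    for name in ["diagram.mm", "notes.php.mm", "model.php.vpp", "photo.php.png"]:
        print(f"{name:15} resolve={resolve(name)} "
              f"last_ext_ok={last_extension_check(name)} strict_ok={strict_check(name)}")
```

Storing uploads outside the web root, or under a server-generated name with a single known extension, removes the dependence on the web server's extension mapping altogether.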

See advisories in our WLB2 database:
Risk: Low
Topic: WikkaWiki 1.3.2 Spam Logging PHP Injection
Author: sinn3r
Date: 12.05.2012

Type: CWE-noinfo

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Affected software: Wikkawiki -> Wikkawiki

 References:
http://wush.net/trac/wikka/changeset/1822
http://wush.net/trac/wikka/ticket/1097
