WikkaWiki Multiple Security Vulnerabilities

Bugtraq ID:	50866
Class:	Unknown
CVE:	CVE-2011-4448 CVE-2011-4449 CVE-2011-4450 CVE-2011-4451
Remote:	Yes
Local:	No
Published:	Nov 30 2011 12:00AM
Updated:	May 14 2012 11:20AM
Credit:	Egidio Romano aka EgiX
Vulnerable:	WikkaWiki WikkaWiki 1.3.2 WikkaWiki WikkaWiki 1.1.6 .2 WikkaWiki WikkaWiki 1.1.6 .1 WikkaWiki WikkaWiki 1.1.6 .0 WikkaWiki WikkaWiki 1.1.6.6 WikkaWiki WikkaWiki 1.1.6.5 WikkaWiki WikkaWiki 1.1.6.3
Not Vulnerable:	WikkaWiki WikkaWiki 1.3.2-p7

WikkaWiki Multiple Security Vulnerabilities

WikkaWiki is prone to multiple security vulnerabilities, including:

1. An SQL injection vulnerability.
2. An arbitrary file upload vulnerability.
3. An arbitrary file deletion vulnerability.
4. An arbitrary file download vulnerability.
5. A PHP code injection vulnerability.

Attackers can exploit these issues to modify the logic of SQL queries; upload, delete, or download arbitrary files; or inject and execute arbitrary PHP code in the context of the affected application. Other attacks may also be possible.

WikkaWiki 1.3.2 and prior versions are vulnerable.

WikkaWiki Multiple Security Vulnerabilities

An attacker can use a browser to exploit these issues. In some cases, the attacker entices an unsuspecting user to follow a malicious URI.

The following exploits are available:

• /data/vulnerabilities/exploits/50866.txt
• /data/vulnerabilities/exploits/50866.rb

WikkaWiki Multiple Security Vulnerabilities

Solution:
Updates are available. Please see the reference for more details.

WikkaWiki Multiple Security Vulnerabilities

References:

• Security updates for 1.3.1/1.3.2 (WikkaWiki)
  
• WikkaWiki Homepage (WikkaWiki)
  
• WikkaWiki <= 1.3.2 Multiple Security Vulnerabilities ([email protected])