Vendor: Wysi Wiki Wyg
By: StAkeR
CVSS: 7.5 (HIGH)
Vulnerability Types: PHPInfo Disclosure, Local File Inclusion (LFI), Cross Site Scripting (XSS)
CWE: 200 (Information Exposure), 94 (Improper Control of Generation of Code), 79 (Improper Neutralization of Input During Web Page Generation)
Product Name: Wysi Wiki Wyg
Affected Version From: 1
Affected Version To: 1
Patch Exists: NO
Related CWE: N/A
CPE: a:wysiwikiwyg:wysiwikiwyg:1.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Published: 2008
Wysi Wiki Wyg 1.0 (LFI, XSS, PHPInfo) Remote Vulnerabilities
Wysi Wiki Wyg 1.0 is vulnerable to PHPInfo disclosure, Local File Inclusion (LFI) and Cross-Site Scripting (XSS). Each issue is triggered by a single crafted request to index.php. PHPInfo disclosure: a request to index.php?categup=isset returns the phpinfo() output, exposing the server's PHP configuration, paths and environment. Local File Inclusion: a request to index.php?c=../../../&a=etc/passwd%00 causes the application to include /etc/passwd; the c and a parameters are used to build the path of the file to include, the ../ sequences escape the intended directory, and the trailing %00 (null byte) cuts off anything the application appends to the path. Cross-Site Scripting: a request to index.php?c=wikiwizi&a=recherche&s=<script>[Javascript]</script> reflects the search parameter s into the response without encoding, so the supplied script runs in the browser of anyone who opens the link.
Mitigation:
Developers should ensure that user input is properly sanitized and validated before it is used by the application. Input validation should be applied on both the client side and the server side; the server-side checks are the security control, since client-side checks can be bypassed by anyone sending requests directly. For this application that means restricting the c and a parameters to an allowlist of known page and action names rather than using them in a file path, HTML-encoding the s search parameter on output, and not exposing phpinfo() on a production instance. Developers should also ensure that the application is not vulnerable to any other type of injection attack.