header-logo
Suggest Exploit
vendor:
Qwiki
by:
Unknown
5.5
CVSS
MEDIUM
Path Traversal
22
CWE
Product Name: Qwiki
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2005

Path Traversal in Qwiki

The exploit allows an attacker to access sensitive files on the server by manipulating the page parameter in the URL. By appending %00 to the parameter, the attacker can bypass the file extension check and traverse to the root directory. In this specific case, the attacker is trying to access the _config.php file.

Mitigation:

To mitigate this vulnerability, it is recommended to validate and sanitize user input for file paths. Additionally, ensure that the web application runs with the least privileges necessary.
Source

Exploit-DB raw data:

REQUEST:
http://[SERVER]/qwiki/index.php?page=../_config.php%00

# milw0rm.com [2005-01-04]

Navigation

Suggest Exploit

Services By CQR