[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20070120230219.19832.qmail@securityfocus.com>
Date: 20 Jan 2007 23:02:19 -0000
From: iamtheevil1@...il.com
To: bugtraq@...urityfocus.com
Subject: Wiki-how path disclosure
The search function of wikihow is vulnerable to path disclose when an array type is givin as a search parameter.
Example: http://www.wikihow.com/Special:LSearch?search[]=pie&fulltext=Search
yields:
Warning: urlencode() expects parameter 1 to be string, array given in /var/www/html/wiki16/includes/SpecialLSearch.php on line 56
Warning: Illegal offset type in isset or empty in /var/www/html/wiki16/includes/Title.php on line 123
Warning: Illegal offset type in /var/www/html/wiki16/includes/Title.php on line 146
Warning: urlencode() expects parameter 1 to be string, array given in /var/www/html/wiki16/includes/SpecialLSearch.php on line 124
Warning: htmlspecialchars() expects parameter 1 to be string, array given in /var/www/html/wiki16/skins/WikiHowSkin.php on line 1468
Also, when an array is given as a search type, the function Fatal error: Call to a member function getArticleID() yields another path disclose as seen here: http://www.wikihow.com/Special:LSearch?search=%5B%5D&fulltext=Search
Fatal error: Call to a member function getArticleID() on a non-object in /var/www/html/wiki16/includes/SpecialLSearch.php on line 91
It is not known at this time if other wiki systems are vulnerable to the same thing. If it is, drop me a line.
Powered by blists - more mailing lists