This Metasploit module exploits a file upload vulnerability in Tiki Wiki versions 15.1 and below which could be abused to allow unauthenticated users to execute arbitrary code under the context of the web server user. The issue lies in one of the third-party components, ELFinder version 2.0. This component ships with a default example page that demonstrates file operations such as upload, remove, rename, and create directory. The default configuration does not enforce validations such as file extension or content-type checks. Thus, an unauthenticated user can upload a PHP file. The exploit has been tested on Debian 8.x 64-bit and Tiki Wiki 15.1.
f88afc6f681b7accefabd167d71cdc67a68314ed8f27fa9389816223e5aa4fb6
Secunia Security Advisory - A vulnerability has been discovered in the Halo extension for Semantic MediaWiki, which can be exploited by malicious people to conduct cross-site scripting attacks.
43b4095cf6075f045a4a76bc255ef4b7e9d436f6fa786a57f34ca87ce11663b2
RabbitWiki suffers from a cross site scripting vulnerability.
26dd268bf32582bf13d46198cbec95081c9bdfc20d056a0f58226f8737ee29d3
ProWiki suffers from a cross site scripting vulnerability.
d60aa738c24e63904bdff955209aa790dbb4e3c2aea9eb067f3329024a86c6b0
PicoWiki suffers from a cross site scripting vulnerability.
2db3290ae0be6fa125ed88ed8f0318a1dc8e786e0e2969c2f3a3f06b127a64c6
SeedWiki suffers from a cross site scripting vulnerability.
1a12cad44e82e05238c838bcf67770785d828dbd08995a67cc6ea5e172658144
Brainkeeper Enterprise Wiki suffers from a cross site scripting vulnerability.
7b8b5eac1b2aedafb23a81945c6fcdbc804b7457d6c2c26bede2f8baa1281d50
Secunia Security Advisory - Sony has discovered two vulnerabilities in XWiki Enterprise, which can be exploited by malicious users to conduct script insertion attacks.
6f7989f4e88135641212ffca3a37ad5e24d10b52ee50d373576a67805eab964c
Secunia Security Advisory - flyh4t has discovered a vulnerability in HDWiki, which can be exploited by malicious users to conduct SQL injection attacks.
f8c0f70f07d5c26d7b87217eca0b503b70c4268e31a6dec8ae5d5ca5fd4396a2
XWiki Enterprise version 3.4 suffers from a cross site scripting vulnerability.
488e3e2f9cda2bffc248f4417be270c003838d7fd6841f9ce325effa416744da
Secunia Security Advisory - Sony has discovered multiple vulnerabilities in Foswiki, which can be exploited by malicious users to conduct script insertion attacks.
0d9110fd69486bd4612d2eae4a48b3876fb0090f3919382f18726088fb3f1374
Foswiki suffers from a cross site scripting vulnerability.
6be24141745459eeaf32cb631743a60b84dd0d2249f8beb4e3273f5e3033b9b9
Secunia Security Advisory - Sony has discovered a vulnerability in TWiki, which can be exploited by malicious people to conduct script insertion attacks.
f64cc8adc1dddbce55ccae27b4066d9b7aeebdbc4890ed6fe0fa4c6898bb6d21
TWiki suffers from a cross site scripting vulnerability.
20fa13f95c0cbab3ce12b40327deb0594b221c8360e43b8dd5b2b43d7b2db51d
Secunia Security Advisory - A weakness has been reported in MediaWiki, which can be exploited by malicious users to disclose certain sensitive information.
775da8d69140823f05f851b25f94ae135fa84e56bc37098a1c3886382e4116ae
Secunia Security Advisory - A vulnerability has been reported in PukiWiki Plus!, which can be exploited by malicious people to conduct cross-site scripting attacks.
d3251d2dd93f7148e18669fa0f35664c23a19f47f3f77f5da4bda745d0c660c5
Secunia Security Advisory - A vulnerability has been discovered in Tiki Wiki CMS/Groupware, which can be exploited by malicious people to conduct cross-site request forgery attacks.
e09495fbd2214dc75e8da3a79c84401071d4d268c8ea782bfef8dab078f6929c
This Metasploit module exploits an arbitrary command execution vulnerability in PmWiki from 2.0.0 to 2.2.34. The vulnerable function is inside /scripts/pagelist.php.
2a414aa71e3429752f31a3f9f0ad17a08f3c3d290b612cfb08bbb15b1b14dea3
Tiki Wiki CMS Groupware versions 8.2 and below suffer from a remote PHP code injection vulnerability in snarf_ajax.php.
b7307f459df54b9ed0978af284f064b18dafbeb2458c69e4c3625d1e42e39172
Secunia Security Advisory - A vulnerability has been reported in Tiki Wiki CMS, which can be exploited by malicious people to conduct cross-site scripting attacks.
b60d739dacc7880ef2608db103dbc6c1bbc60678d809f8157fd60833ad8e3f67
Tiki Wiki CMS Groupware versions 8.1 and 6.4 LTS suffer from a stored cross site scripting vulnerability.
b6a4a107433a40e17f0035aef8bc745879ef539726e9eb3576090bc83cbb1b15
Secunia Security Advisory - Debian has issued an update for mediawiki. This fixes a weakness and multiple vulnerabilities, which can be exploited by malicious people to disclose potentially sensitive information, conduct cross-site scripting attacks, and bypass certain security restrictions.
19d04293fa172c609b1fa9c165afe59e14983b067a3ff7c42c5c465988b865d1
Debian Linux Security Advisory 2366-1 - Several problems have been discovered in mediawiki, a website engine for collaborative work.
ccb031f863a8654a0610e5409cb9c19e529fd52f0871028b9a316b81212caeb2
Secunia Security Advisory - A weakness and multiple vulnerabilities have been discovered in WikkaWiki, which can be exploited by malicious users to manipulate certain data, conduct SQL injection attacks, and compromise a vulnerable system, and by malicious people to disclose potentially sensitive information, conduct cross-site request forgery attacks, and compromise a vulnerable system.
e5a93194dfc6194724e47228d93b5a78e44361852c00364d72ab21a05d0ceec5
WikkaWiki versions 1.3.2 and below suffer from remote SQL injection, unrestricted file upload, arbitrary file download, arbitrary file deletion, remote code execution and cross site request forgery vulnerabilities.
f5f16ff3f59901b3991fb94563c0b39bd9eee2fd825e6f8c81aec203ea470e7a
Secunia Security Advisory - A weakness has been discovered in MediaWiki, which can be exploited by malicious people to disclose potentially sensitive information.
eab1460e815df3c81f3c05efeb5772a907419c9eebc789c0167750eafd35051d