Multiple vulnerabilities have been discovered in WikkaWiki 1.1.6.6, which can be exploited by malicious people to conduct SQL injection, cross-site request forgery, and cross-site scripting attacks.

CSRF:

The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify requests to wikka.php. This can be exploited to manipulate site settings (e.g. modify user permissions) by enticing a logged in administrator to visit a malicious web page.

SQLi:

SQLi occurs where input to the "l", "sort", "d", "s", and "q" variables isn't properly sanitized before submission to the wikka.php script via AdminUsers and AdminPages. This may allow an attacker to inject or manipulate SQL queries in the backend database.

XSS:

XSS occurs where input to the "l", "sort", "d", "s", and "q" variables isn't properly sanitized before submission to the wikka.php script via AdminUsers and AdminPages. This can be exploited to insert arbitrary HTML and script code, which may be executed in a user's browser session in the context of an affected site if the malicious user class is viewed.

CVE-2009-pending

BID: 34528

FrSIRT: N/A

Nessus:N/A

OSVDB: 

SA: 34321  

XF: 

Related: 

Vendor Solution: