Vulnerabilities > CVE-2011-4451 - Unspecified vulnerability in Wikkawiki 1.3.1/1.3.2
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
libs/Wakka.class.php in WikkaWiki 1.3.1 and 1.3.2, when the spam_logging option is enabled, allows remote attackers to write arbitrary PHP code to the spamlog_path file via the User-Agent HTTP header in an addcomment request. NOTE: the vendor disputes this issue because the rendering of the spamlog_path file never uses the PHP interpreter
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 2 |
D2sec
| name | WikkaWiki 1.3.1 SQL Injection |
| url | http://www.d2sec.com/exploits/wikkawiki_1.3.1_sql_injection.html |
Exploit-Db
| description | WikkaWiki <= 1.3.2 - Multiple Security Vulnerabilities. CVE-2011-4448,CVE-2011-4449,CVE-2011-4450,CVE-2011-4451,CVE-2011-4452. Webapps exploit for php pla... |
| id | EDB-ID:18177 |
| last seen | 2016-02-02 |
| modified | 2011-11-30 |
| published | 2011-11-30 |
| reporter | EgiX |
| source | https://www.exploit-db.com/download/18177/ |
| title | WikkaWiki <= 1.3.2 - Multiple Security Vulnerabilities |
Metasploit
| description | This module exploits a vulnerability found in WikkaWiki. When the spam logging feature is enabled, it is possible to inject PHP code into the spam log file via the UserAgent header, and then request it to execute our payload. There are at least three different ways to trigger spam protection, this module does so by generating 10 fake URLs in a comment (by default, the max_new_comment_urls parameter is 6). Please note that in order to use the injection, you must manually pick a page first that allows you to add a comment, and then set it as 'PAGE'. |
| id | MSF:EXPLOIT/MULTI/HTTP/WIKKA_SPAM_EXEC |
| last seen | 2020-06-04 |
| modified | 2017-09-08 |
| published | 2012-05-10 |
| references | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4451 |
| reporter | Rapid7 |
| source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/wikka_spam_exec.rb |
| title | WikkaWiki 1.3.2 Spam Logging PHP Injection |
Packetstorm
| data source | https://packetstormsecurity.com/files/download/107405/wikkawiki-sqlshellexec.txt |
| id | PACKETSTORM:107405 |
| last seen | 2016-12-05 |
| published | 2011-11-30 |
| reporter | EgiX |
| source | https://packetstormsecurity.com/files/107405/WikkaWiki-1.3.2-Code-Execution-Shell-Upload-SQL-Injection.html |
| title | WikkaWiki 1.3.2 Code Execution / Shell Upload / SQL Injection |
Seebug
bulletinFamily exploit description No description provided by source. id SSV:24270 last seen 2017-11-19 modified 2011-12-01 published 2011-12-01 reporter Root source https://www.seebug.org/vuldb/ssvid-24270 title WikkaWiki <= 1.3.2 Multiple Security Vulnerabilities bulletinFamily exploit description No description provided by source. id SSV:72373 last seen 2017-11-19 modified 2014-07-01 published 2014-07-01 reporter Root source https://www.seebug.org/vuldb/ssvid-72373 title WikkaWiki <= 1.3.2 - Multiple Security Vulnerabilities