Ticket #36 (closed defect: fixed)

Opened 5 years ago

Last modified 3 years ago

Security issue with the Method() method

Reported by: PhilippAHartmann
Owned by: PhilippAHartmann
Priority: highest
Milestone: 1.1.6.2
Component: core
Version: 1.1.6.0
Severity: major
Keywords:
Cc:

Description

Bug reported on the Wikka website by PhilippAHartmann and MunehiroYamakawa.

There's a bug in the Method() method in wikka.php. The calls to strstr() and strrpos() have the wrong order of arguments. I think it can be a security issue, since we have access to arbitrary .php files on the server, even user-uploaded ones...

Patch suggested at:  http://wikka.jsnx.com/WikkaBugs#hn_Problem_with_handlers
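
The argument-order mistake this ticket describes, shown as an added example that is neither Wikka's code nor part of the original report: PHP's strstr() and strrpos() take (haystack, needle), so a slash check written with the two swapped never matches a real name. The function names, the handlers/page/ directory and the sample inputs are assumptions made for illustration.

```php
<?php
// Hypothetical handler resolver; this is NOT Wikka's Method() and all names
// and paths here are illustrative assumptions.

// Swapped arguments: strstr('/', $name) searches the one-character string '/'
// for $name. No name longer than one character can be found in it, so the
// path-stripping branch never runs and the name reaches the include path as-is.
function resolve_handler_swapped(string $name): string
{
    if (strstr('/', $name)) {
        $name = substr($name, strrpos('/', $name) + 1);
    }
    return 'handlers/page/' . $name . '.php';
}

// Correct order is (haystack, needle). Rather than repairing the input, this
// version rejects it: the explicit separator checks show the right argument
// order, and the allow-list limits names to letters, digits and underscore.
function resolve_handler_checked(string $name): ?string
{
    if (strpos($name, '/') !== false || strpos($name, '\\') !== false) {
        return null;
    }
    if (!preg_match('/\A[a-z0-9_]+\z/i', $name)) {
        return null;
    }
    return 'handlers/page/' . $name . '.php';
}

// Constructed sample inputs: two ordinary handler names and one name that
// contains directory separators.
foreach (['show', 'edit', '../../uploads/note'] as $name) {
    printf(
        "%-20s swapped=%-40s checked=%s\n",
        $name,
        resolve_handler_swapped($name),
        var_export(resolve_handler_checked($name), true)
    );
}
```

For the third input the swapped version returns a path outside handlers/page/, while the checked version returns NULL.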

Change History

Changed 5 years ago by dartar

  • status changed from new to resolved
  • resolution set to fixed

Patch uploaded -- See [11]

Changed 5 years ago by dartar

  • owner changed from unassigned to PhilippAHartmann
  • status changed from resolved to verified

Changed 5 years ago by dartar

  • status changed from verified to closed

Changed 5 years ago by dartar

  • milestone changed from 1.1.6.1 to 1.1.6.2

Changed 3 years ago by JavaWoman

  • status changed from reopened to closed
  • resolution set to fixed

Seems to have been reopened by spam removal; closing again...
