Summary
This host is running LabWiki and is prone to multiple cross-site scripting and shell upload vulnerabilities.
Impact
Successful exploitation will allow remote attackers to execute arbitrary HTML and script code in a user's browser session in context of affected website and to upload arbitrary PHP files with '.gif' extension.
Impact Level: Application
Solution
Update to version 1.2 or later,
For updates refer to http://www.bioinformatics.org/phplabware/labwiki/index.php
Insight
The flaws are due to an,
- Input passed to the 'from' parameter in index.php is not properly sanitised before being returned to the user.
- Input passed to the 'page_no' parameter in recentchanges.php is noti properly sanitised before being returned to the user.
- Input passed to the 'userfile' POST parameter in edit.php is not properly verified before being used to upload files.
Affected
LabWiki version 1.1 and prior.
References
Severity
Classification
-
CVSS Base Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Related Vulnerabilities
- Apache ActiveMQ 'admin/queueBrowse' Cross Site Scripting Vulnerability
- Adobe ColdFusion Multiple Full Path Disclosure Vulnerabilities
- Apache Roller 'q' Parameter Cross Site Scripting Vulnerability
- 1024 CMS 1.1.0 Beta 'force_download.php' Local File Include Vulnerability
- Apache Open For Business HTML injection vulnerability