PmWiki Pagelist 'order' Parameter PHP Code Injection Vulnerability Network Vulnerability

Summary

The host is running PmWiki and is prone to PHP code injection vulnerability.

Impact

Successful exploitation will allow remote attackers to inject and execute arbitrary PHP code in the context of the affected application. Impact Level: Application

Solution

Upgrade to PmWiki version 2.2.35 or later, For updates refer to http://pmwiki.org/pub/pmwiki

Insight

The flaw is due to improper validation of user-supplied input via the 'order' argument of a pagelist directive within a PmWiki page, which allows attackers to execute arbitrary PHP code.

Affected

PmWiki versions 2.0.0 to 2.2.34

References

http://osvdb.org/show/osvdb/77261
http://secunia.com/advisories/46968
http://www.exploit-db.com/exploits/18149
http://www.pmwiki.org/wiki/PITS/01271
http://www.pmwiki.org/wiki/PmWiki/ChangeLog#v2235
http://www.securityfocus.com/archive/1/520631

Updated on 2015-03-25

Severity

Classification

CVE CVE-2011-4453

CVSS	Base Score: 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P

Related Vulnerabilities

Artmedic Kleinanzeigen File Inclusion Vulnerability
Atutor AContent Multiple SQL Injection and XSS Vulnerabilities
Adiscon LogAnalyzer Multiple SQL Injection and XSS Vulnerabilities
Ajax File and Image Manager 'data.php' PHP Code Injection Vulnerability
Arkeia Appliance Path Traversal Vulnerability

Take action and discover your vulnerabilities