PmWiki <= 2.2.34 (pagelist.php) PHP Code Injection Vulnerability


PmWiki contains a vulnerability that allows a remote attacker to inject and execute arbitrary PHP code. The PageListSort() function defined in the scripts/pagelist.php script allows to inject arbitrary PHP code in a call to the create_function() PHP function via a crafted ‘order’ parameter of a pagelist directive.


Disclosure Date:

November 23, 2011