WikkaWiki <= 1.3.2 (libs/Wakka.class.php) PHP Code Injection Vulnerability


WikkaWiki contains a flaw that allows a remote user to execute arbitrary PHP code. The flaw is in the libs/Wakka.class.php script. When the ‘spam_logging’ option is enabled, a remote attacker might be able to write arbitrary PHP code to the ‘spamlog_path’ file via the User-Agent HTTP header in an addcomment request.
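The following is an added example, not WikkaWiki's code or its patch: a sketch of how a request header can be neutralized before it is appended to a log file, so that a PHP open tag or a forged line can never appear literally in the file. The function names, the log line format and the sample header value are assumptions made for illustration.

```php
<?php
// Added illustration; function names and log format are hypothetical.

/**
 * Make a request-supplied value safe to store in a log file.
 * Every byte outside a small allowlist is written as \xNN, so the
 * characters "<" and "?" (and the backslash itself) never reach the
 * file literally and the encoding stays unambiguous.
 */
function neutralize_for_log(string $value, int $maxLen = 256): string
{
    // Drop control characters, CR/LF included, so one request
    // cannot forge additional log lines.
    $value = preg_replace('/[\x00-\x1F\x7F]/', '', $value) ?? '';
    // Cap the length before encoding to bound the size of a log entry.
    $value = substr($value, 0, $maxLen);
    return preg_replace_callback(
        '/[^A-Za-z0-9 .,;:()\/_+=-]/',
        static fn(array $m): string => sprintf('\\x%02X', ord($m[0])),
        $value
    ) ?? '';
}

/**
 * Append one entry to the log.
 * Assumption: $path is stored outside the web root, or at least has an
 * extension the web server does not hand to the PHP interpreter.
 */
function append_spam_log(string $path, string $remoteAddr, string $userAgent): bool
{
    $line = sprintf(
        "%s\t%s\t%s\n",
        gmdate('c'),
        neutralize_for_log($remoteAddr, 45),
        neutralize_for_log($userAgent)
    );
    return file_put_contents($path, $line, FILE_APPEND | LOCK_EX) !== false;
}

// Constructed sample header value: a PHP tag plus a CR/LF line break.
$sample = "Mozilla/5.0 <?php /* constructed */ ?>\r\nforged entry";
$log = sys_get_temp_dir() . '/spamlog-example.txt';

append_spam_log($log, '192.0.2.10', $sample);
echo file_get_contents($log);
```

Encoding on write only covers new entries; a log file that already exists should be checked for literal PHP open tags and replaced.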


Disclosure Date:

November 30, 2011