WikkaWiki <= 1.3.2 (libs/Wakka.class.php) PHP Code Injection Vulnerability

Description:

WikkaWiki contains a flaw that allows a remote user to execute arbitrary PHP code. The flaw is in the libs/Wakka.class.php script. When the ‘spam_logging’ option is enabled, a remote attacker might be able to write arbitrary PHP code to the ‘spamlog_path’ file via the User-Agent HTTP header in an addcomment request.
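
A defender-side check for the condition described above, as an added example that is not WikkaWiki code: it audits a spam log for PHP open tags and shows one way to neutralise a header value before it is logged. The log line layout, the list of interpreted extensions and all function names are assumptions made for illustration.

```python
import html
import re
from pathlib import PurePosixPath

# A PHP interpreter treats everything outside these markers as literal text.
PHP_OPEN = re.compile(r"<\?|<script\b[^>]*\bphp", re.IGNORECASE)

# Assumption: extensions the web server hands to PHP; adjust to your handler config.
INTERPRETED_SUFFIXES = {".php", ".phtml", ".phar"}


def log_is_interpreted(spamlog_path: str) -> bool:
    """True if the configured log file would be run as PHP when requested."""
    return PurePosixPath(spamlog_path).suffix.lower() in INTERPRETED_SUFFIXES


def audit_spamlog(lines):
    """Return (line_number, text) for every log line holding a PHP open tag."""
    return [(n, line.rstrip("\n")) for n, line in enumerate(lines, 1)
            if PHP_OPEN.search(line)]


def safe_log_field(value: str, max_len: int = 256) -> str:
    """Neutralise a request header before it is appended to a log file."""
    value = re.sub(r"[\x00-\x1f\x7f]", " ", value)[:max_len]  # no CR/LF forging
    return html.escape(value, quote=True)                     # '<' becomes '&lt;'


# Constructed sample lines; the real spam log layout is not shown on this page.
SAMPLE_LOG = [
    "2011-11-30 10:00:01 addcomment 192.0.2.10 Mozilla/5.0 (X11; Linux x86_64)\n",
    "2011-11-30 10:00:07 addcomment 192.0.2.44 <?php /* constructed marker */ ?>\n",
]

if __name__ == "__main__":
    for number, text in audit_spamlog(SAMPLE_LOG):
        print(f"line {number}: PHP open tag in log entry: {text}")
    print(safe_log_field("<?php /* constructed marker */ ?>"))
```

A hit from `audit_spamlog` matters most when `log_is_interpreted` is also true for the configured ‘spamlog_path’, since that is when the logged text would be executed rather than displayed.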

References:

Disclosure Date:

November 30, 2011