WikkaWiki <= 1.3.2 (files.php) Unrestricted File Upload Vulnerability

Description:

WikkaWiki contains a flaw that allows a remote user to execute arbitrary PHP code due to the actions/files/files.php script not properly verify user-uploaded files. When INTRANET_MODE is enabled, supports file uploads for file extensions that are typically absent from an Apache HTTP Server TypesConfig file, which makes it easier for remote attackers to execute arbitrary PHP code by placing this code in a file with multiple extensions.

References:

• CVE-2011-4449
• BID-50866
• EDB-18177
• http://blog.wikkawiki.org/2011/12/04/security-updates-for-1-3-11-3-2/

Disclosure Date:

November 30, 2011