Security Advisory: WikiWebWeaver 1.1 beta Upload Shell Vulnerability

[EN] securityvulns.ru
no-pyccku

Related information
  Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
  WebDirector XSS vuln.
  PHP-Nuke (ALL versions) Multiple XSS and HTML injection
  Mambo 4.6.2 CMS - Session fixation Issue in backend Administration interface
  [Full-disclosure] *****SPAM***** New Wordpress 2.2.1 Vulnerabilities and the First Weblog XSS Worm

From: yollubunlar_(at)_yollubunlar.org <yollubunlar_(at)_yollubunlar.org>
Date: 01.08.2007
Subject: WikiWebWeaver 1.1 beta Upload Shell Vulnerability

Yollubunlar.Org
--------------------------------------------------------------------------------

Title : WikiWebWeaver 1.1 beta Upload Shell Upload Vulnerability

--------------------------------------------------------------------------------

#Author: Yollubunlar.Org

#cont@ct: yollubunlar@hotmail.com

--------------------------------------------------------------------------------

Affected software description :
--------------------------------------------------------------------------------

Application : WikiWebWeaver 1.1

--------------------------------------------------------------------------------


--------------------------------------------------------------------------------

Exploit:

WikiWebWeaver 1.0 beta 2 Script Have Upload part and you can upload only gif,jpeg lol :D

but you can upload gif.php or psd.php

http://www.site.com/wiki_path/index.php?upload

we upload a .gif.php or others than our shell go

http://www.site.com/wiki_path/data/documents/ourshell.gif.php :)

--------------------------------------------------------------------------------

greets:Yollubunlar.Org

--------------------------------------------------------------------------------

--------------------------------- [Yollubunlar.Org ] --------------------------------------

test server