VID | 21983
Severity | 40
Port | 80, ...
Protocol | TCP
Class | CGI
Detailed Description |
PmWiki is affected by multiple vulnerabilities reachable through the 'pmwiki.php' script. PmWiki is a wiki-based system for collaborative creation and maintenance of websites. Versions prior to 2.1 beta 21 are affected; the issues are caused by improper validation of the $GLOBALS variable and include remote PHP file include, cross-site scripting, path disclosure, and other input-validation issues. A remote attacker who successfully exploits the most severe of these vulnerabilities could execute arbitrary code with the victim's cookie-based authentication credentials on the affected host.
* References:
  http://www.frsirt.com/english/advisories/2006/0375
  http://securitytracker.com/id?1015550
  http://secunia.com/advisories/18634
  http://archives.neohapsis.com/archives/fulldisclosure/2006-01/0931.html
* Platforms Affected: PmWiki versions prior to 2.1 beta 21; any operating system, any version |
Recommendation |
Upgrade to the latest version of PmWiki (2.1 beta 21 or later), available from the PmWiki Download Web site at http://www.pmwiki.com/wiki/PmWiki/Download
As a workaround, disable PHP's 'register_globals' setting. |
Related URL | CVE-2006-0479 (CVE)
Related URL | 16421 (SecurityFocus)
Related URL | 24367,24368,24366 (ISS)