CVE-2011-4451 - Vulnerability Details - OpenCVE

libs/Wakka.class.php in WikkaWiki 1.3.1 and 1.3.2, when the spam_logging option is enabled, allows remote attackers to write arbitrary PHP code to the spamlog_path file via the User-Agent HTTP header in an addcomment request. NOTE: the vendor disputes this issue because the rendering of the spamlog_path file never uses the PHP interpreter

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Wikkawiki	Wikkawiki

Configuration 1 [-]

OR	cpe:2.3:a:wikkawiki:wikkawiki:1.3.1:::::::*
	cpe:2.3:a:wikkawiki:wikkawiki:1.3.2:::::::*

No data.

References

Link	Providers
http://wush.net/trac/wikka/ticket/1098

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2012-09-05T20:00:00Z

Updated: 2024-09-16T20:52:22.310Z

Reserved: 2011-11-15T00:00:00Z

Link: CVE-2011-4451

Vulnrichment

No data.

NVD

Status : Modified

Published: 2012-09-05T20:55:01.240

Modified: 2024-11-21T01:32:23.017

Link: CVE-2011-4451

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "libs/Wakka.class.php in WikkaWiki 1.3.1 and 1.3.2, when the spam_logging option is enabled, allows remote attackers to write arbitrary PHP code to the spamlog_path file via the User-Agent HTTP header in an addcomment request. NOTE: the vendor disputes this issue because the rendering of the spamlog_path file never uses the PHP interpreter"}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2012-09-05T20:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://wush.net/trac/wikka/ticket/1098"}], "tags": ["disputed"], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2011-4451", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "** DISPUTED ** libs/Wakka.class.php in WikkaWiki 1.3.1 and 1.3.2, when the spam_logging option is enabled, allows remote attackers to write arbitrary PHP code to the spamlog_path file via the User-Agent HTTP header in an addcomment request. NOTE: the vendor disputes this issue because the rendering of the spamlog_path file never uses the PHP interpreter."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://wush.net/trac/wikka/ticket/1098", "refsource": "MISC", "url": "http://wush.net/trac/wikka/ticket/1098"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T00:09:18.370Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://wush.net/trac/wikka/ticket/1098"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2011-4451", "datePublished": "2012-09-05T20:00:00Z", "dateReserved": "2011-11-15T00:00:00Z", "dateUpdated": "2024-09-16T20:52:22.310Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wikkawiki:wikkawiki:1.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "63F5FD8C-02BB-4208-AEF8-11797376DA23", "vulnerable": true}, {"criteria": "cpe:2.3:a:wikkawiki:wikkawiki:1.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "C44D576A-77E7-4E70-9E17-41E96A9A4A2A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "cve@mitre.org", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "libs/Wakka.class.php in WikkaWiki 1.3.1 and 1.3.2, when the spam_logging option is enabled, allows remote attackers to write arbitrary PHP code to the spamlog_path file via the User-Agent HTTP header in an addcomment request. NOTE: the vendor disputes this issue because the rendering of the spamlog_path file never uses the PHP interpreter"}, {"lang": "es", "value": "** EN DISPUTA ** libs/Wakka.class.php en WikkaWiki v1.3.1 y v1.3.2, cuando la opci\u00f3n spam_logging est\u00e1 activada, permite a atacantes remotos para escribir c\u00f3digo PHP arbitrario en el archivo spamlog_path a trav\u00e9s de la cabecera User-Agent en un addComment petici\u00f3n. NOTA: el vendedor se opone a esta cuesti\u00f3n, porque nunca la prestaci\u00f3n del archivo spamlog_path utiliza el int\u00e9rprete de PHP."}], "id": "CVE-2011-4451", "lastModified": "2024-11-21T01:32:23.017", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2012-09-05T20:55:01.240", "references": [{"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://wush.net/trac/wikka/ticket/1098"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://wush.net/trac/wikka/ticket/1098"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}