Author: nickpj
Description:
This CURL command:
curl --silent --include \
--cookie 'wikidb_session=../../../../../../../etc/passwd ; select user_name
from user;'\
-F 'wpName'='XXX'\
-F 'wpPassword'='YYY'\
'192.168.0.64/wiki/index.php?title=Special:Userlogin&action=submitlogin&type=login&returnto=small'
(Or like this for the Wikipedia, where errors are being logged so there won't be
anything in the HTML output):
curl --silent --include \
--cookie 'enwiki_session=../../../../../../../etc/passwd ; select user_name
from user;'\
-F 'wpName'='XXX'\
-F 'wpPassword'='YYY'\
'en.wikipedia.org/w/index.php?title=Special:Userlogin&action=submitlogin&type=login&returnto=small'
Gives output that includes these PHP warnings at the end (on a current SVN wiki
with E_ALL enabled):
<br />
<b>Warning</b>: Unknown: The session id contains illegal characters, valid
characters are a-z, A-Z, 0-9 and '-,' in <b>Unknown</b> on line <b>0</b><br />
<br />
<b>Warning</b>: Unknown: Failed to write session data (files). Please verify
that the current setting of session.save_path is correct (/var/lib/php5) in
<b>Unknown</b> on line <b>0</b><br />
Online at http://nickj.org/MediaWiki as Parser51, althought actually a more
accurate name would be non-parser51 ;-) Not sure if this can be fixed, but
probably best to log it anyway.
Version: 1.7.x
Severity: minor
Platform: PC