CVE-2011-4450

Name of the Vulnerable Software and Affected Versions WikkaWiki versions 1.3.1 through 1.3.2

Description The issue allows remote attackers to read or delete arbitrary files via a non-initial .. (dot dot) in the file parameter. This can be demonstrated by using the /../../wikka.config.php pathname in a download action.

Recommendations For versions 1.3.1 and 1.3.2, consider restricting access to the files.xml.php handler to minimize the risk of exploitation. As a temporary workaround, avoid using the file parameter in the download action until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.