<<< Date Index >>>     <<< Thread Index >>>

Wiki-how path disclosure



The search function of wikihow is vulnerable to path disclose when an array 
type is givin as a search parameter. 

Example: http://www.wikihow.com/Special:LSearch?search[]=pie&fulltext=Search
yields:
Warning: urlencode() expects parameter 1 to be string, array given in 
/var/www/html/wiki16/includes/SpecialLSearch.php on line 56

Warning: Illegal offset type in isset or empty in 
/var/www/html/wiki16/includes/Title.php on line 123

Warning: Illegal offset type in /var/www/html/wiki16/includes/Title.php on line 
146

Warning: urlencode() expects parameter 1 to be string, array given in 
/var/www/html/wiki16/includes/SpecialLSearch.php on line 124

Warning: htmlspecialchars() expects parameter 1 to be string, array given in 
/var/www/html/wiki16/skins/WikiHowSkin.php on line 1468

Also, when an array is given as a search type, the function Fatal error: Call 
to a member function getArticleID() yields another path disclose as seen here: 
http://www.wikihow.com/Special:LSearch?search=%5B%5D&fulltext=Search

Fatal error: Call to a member function getArticleID() on a non-object in 
/var/www/html/wiki16/includes/SpecialLSearch.php on line 91

It is not known at this time if other wiki systems are vulnerable to the same 
thing. If it is, drop me a line.