Arbitrary Web Script Execution via Default File Type Whitelist in DokuWiki Media Manager

CVE-2014-9253 · MEDIUM Severity

AV:N/AC:M/AU:N/C:N/I:P/A:N

The default file type whitelist configuration in conf/mime.conf in the Media Manager in DokuWiki before 2014-09-29b allows remote attackers to execute arbitrary web script or HTML by uploading an SWF file, then accessing it via the media parameter to lib/exe/fetch.php.
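As a defender-side check for this class of misconfiguration, the following added example (not DokuWiki's own code) parses a `conf/mime.conf`-style whitelist and flags extensions whose MIME type a browser would render as active content unless the entry carries DokuWiki's `!` force-download prefix. The sample configuration is constructed for illustration, not copied from any release.

```python
# Audit a DokuWiki conf/mime.conf whitelist for entries that let the browser
# render active content inline (the CVE-2014-9253 pattern with SWF).
# Format assumptions: one "<extension>  <mimetype>" entry per line, '#' starts a
# comment, and a leading '!' on the mimetype means "force download".

# MIME types a browser will execute or render with script access when served inline.
ACTIVE_CONTENT = {
    "application/x-shockwave-flash",
    "text/html",
    "application/xhtml+xml",
    "image/svg+xml",
}

def parse_mime_conf(text):
    """Return a list of (extension, mimetype, force_download) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                          # malformed line; ignore it
        ext, mime = parts[0].lower(), parts[1]
        force = mime.startswith("!")
        entries.append((ext, mime.lstrip("!").lower(), force))
    return entries

def find_inline_active(entries):
    """Extensions whose MIME type is active content and is NOT forced to download."""
    return sorted(ext for ext, mime, force in entries
                  if mime in ACTIVE_CONTENT and not force)

# Constructed sample resembling a pre-fix whitelist (not the real default file).
SAMPLE_CONF = """\
# DokuWiki mime.conf (constructed sample)
jpg     image/jpeg
png     image/png
pdf     application/pdf
swf     application/x-shockwave-flash
zip     !application/zip
"""

if __name__ == "__main__":
    for ext in find_inline_active(parse_mime_conf(SAMPLE_CONF)):
        print(f"{ext}: active content served inline; remove the entry or prefix its type with '!'")
```

Entries reported by the audit should be removed from the whitelist or marked with `!` so the file is sent as an attachment rather than rendered in the wiki's origin.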
