Sql injection in Tikiwiki

["Omid" <omid@xxxxxxxxxx>]

Hi,
There are 2 sql injections in Tikiwiki 1.9.4 (and maybe before versions) :

I) There is a call to "get_process()" function in "tiki-g-admin_processes.php"
file, without checking "pid" parameter :

File /tiki-g-admin_processes.php, Line 35 :
:: $info = $processManager->get_process($_REQUEST["pid"]);

Lets take a look at the "get_process()" function :
File /lib/Galaxia/src/ProcessManager/ProcessManager.php, Line 419 :
::  function get_process($pId)
::  {
>>    $query = "select * from ".GALAXIA_TABLE_PREFIX."processes where pId=$pId";
::    $result = $this->query($query);
::    if(!$result->numRows()) return false;
::    $res = $result->fetchRow();
::    return $res;
::  }


II) The "where" parameter in "tiki-g-admin_processes.php" file, is not
checked properly :

File /tiki-g-admin_processes.php, Line 155 :
:: if (isset($_REQUEST['where'])) {
>>      $where = $_REQUEST['where'];
:: }

File /tiki-g-admin_processes.php, Line 183 :
:: $items = $processManager->list_processes($offset, $maxRecords, $sort_mode, 
$find, $where);

File /lib/Galaxia/src/ProcessManager/ProcessManager.php, Line 442 :
::    if($where) {
::      if($mid) {
::        $mid.= " and ($where) ";
::      } else {
>>        $mid.= " where ($where) ";
::      }
::    }
>>    $query = "select * from ".GALAXIA_TABLE_PREFIX."processes $mid order by 
>> $sort_mode";
::    $query_cant = "select count(*) from ".GALAXIA_TABLE_PREFIX."processes 
$mid";
::    $result = $this->query($query,$bindvars,$maxRecords,$offset);

The original advisory (in Persian) is located at :
http://www.hackers.ir/advisories/tikiwiki.html


- Omid