Security Advisory: Multiple security issues in TikiWiki 1.9.x

[EN] securityvulns.ru
no-pyccku

Related information
  Web applications security vulnerabilities (PHP, ASP, CGI, Perl, etc)
  [SA17537] Dev-Editor Virtual Root Directory Restriction Bypass
  [SA17470] OcoMon Unspecified SQL Injection Vulnerabilities
  [Full-disclosure] phpBB 2.0.18 SQL Query problem
  [SA17441] phpSysInfo "register_global
s" Emulation Layer Overwrite Vulnerability

From: Moritz Naumann <securityfocus.com_(at)_moritz-naumann.com>
Date: 10.11.2005
Subject: Multiple security issues in TikiWiki 1.9.x

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SA0003

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++    Multiple security issues in TikiWiki 1.9.x     +++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

PUBLISHED ON
Nov 09, 2005

PUBLISHED AT
http://moritz-naumann.com/adv/0003/tikiw/0003.txt
http://moritz-naumann.com/adv/0003/tikiw/0003.txt.sig

PUBLISHED BY
Moritz Naumann IT Consulting & Services
Hamburg, Germany
http://moritz-naumann.com/

info AT moritz HYPHON naumann D0T com
GPG key: http://moritz-naumann.com/keys/0x277F060C.asc

AFFECTED APPLICATION OR SERVICE
TikiWiki
http://tikiwiki.org/

AFFECTED VERSION
1.9.x up to and including 1.9.2
Possibly versions < 1.9 (untested)

BACKGROUND
"Tikiwiki is a full featured Free Software (GNU/LGPL)
Wiki/CMS/Groupware written in PHP and maintained by an
active and international community of benevolent
contributors."

ISSUE 1 (XSS)
A XSS vulnerability has been detected in the fora code
of TikiWiki. The problem is caused by insufficient input
sanitation.

The following partial URL demonstrates the issue:

[baseURL]/tiki-view_forum_thread.
php?forumId=1&comments_parentId=0&topics_offset=10%22%20onmouseov
er='javascript:alert(document.
title)%3B'%3E[PLEASE%20MOVE%20YOUR%20MOUSE%20POIN
TER%20HERE!]%20%3Cx%20y=%22

Please move your mouse pointer over the input field
which says so.

ISSUE 2 (Information Disclosure, possible SQL injection)

The application discloses the installation path. This
*may* also be useable to craft an SQL injection.

The following partial URL demonstrates the issue:

[baseURL]/tiki-view_forum_thread.
php?forumId=1&comments_parentId=0&topics_sort_mode=FOOBAH

WORKAROUND
Issue 1: Disable Javascript (client) or deny access to
TikiWiki (server).
Issue 2: Set PHP to log errors to file only (issue 2).

SOLUTIONS
We are not aware of a maintainer provided fix.

TIMELINE
Oct 6, 2005: Maintainer informed
Oct 6, 2005: First maintainer reply
Oct 14, 2005: Request for additional information sent
   to maintainer
[in between]: issues fixed on maintainer website
Nov 09, 2005: Public disclosure

REFERENCES
Issue 1: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3528
Issue 2: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3529

ADDITIONAL CREDIT
N/A

LICENSE
Creative Commons Attribution-ShareAlike License Germany
http://creativecommons.org/licenses/by-sa/2.0/de/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDcieHn6GkvSd/BgwRAvmjAJ0bAOZ/wvtJ6cxo0I6qbq09kMl8MgCZAYwp
g/uC6sZOj1V9DCXo8XdOv3U=
=IJXk
-----END PGP SIGNATURE-----