ID CVE-2004-1928 Type cve Reporter cve@mitre.org Modified 2017-07-11T01:31:00
Description
The image upload feature in Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allows remote attackers to upload and possibly execute arbitrary files via the img/wiki_up URL.
{"osvdb": [{"lastseen": "2017-04-28T13:19:59", "bulletinFamily": "software", "description": "## Vulnerability Description\nTikiWiki contains a flaw that may allow a remote attacker to upload arbitrary files to the system. The issue is due to the \"wiki_up\" function not sanitizing or restricting what type of files are uploaded. If an attacker uploads a specially crafted script, they may be able to execute it and leverage additional privileges.\n## Solution Description\nUpgrade to version 1.8.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nTikiWiki contains a flaw that may allow a remote attacker to upload arbitrary files to the system. The issue is due to the \"wiki_up\" function not sanitizing or restricting what type of files are uploaded. If an attacker uploads a specially crafted script, they may be able to execute it and leverage additional privileges.\n## Manual Testing Notes\nhttp://[victim]/img/wiki_up/[arbitrary_file]\n## References:\nVendor URL: http://www.tikiwiki.org/\nVendor URL: http://freshmeat.net/projects/tiki/\n[Vendor Specific Advisory URL](http://tikiwiki.org/tiki-read_article.php?articleId=66)\n[Secunia Advisory ID:11344](https://secuniaresearch.flexerasoftware.com/advisories/11344/)\nOther Advisory URL: http://www.gulftech.org/?node=research&article_id=00037-04112004\nISS X-Force ID: 15849\n[CVE-2004-1928](https://vulners.com/cve/CVE-2004-1928)\nBugtraq ID: 10100\n", "modified": "2004-04-11T14:03:29", "published": "2004-04-11T14:03:29", "href": "https://vulners.com/osvdb/OSVDB:5182", "id": "OSVDB:5182", "title": "TikiWiki wiki_up Arbitrary File Upload", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-02-02T22:10:17", "bulletinFamily": "exploit", "description": "TikiWiki Project 1.8 img/wiki_up Arbitrary File Upload. CVE-2004-1928. Webapps exploit for php platform", "modified": "2004-04-12T00:00:00", "published": "2004-04-12T00:00:00", "id": "EDB-ID:23948", "href": "https://www.exploit-db.com/exploits/23948/", "type": "exploitdb", "title": "TikiWiki Project 1.8 img/wiki_up Arbitrary File Upload", "sourceData": "source: http://www.securityfocus.com/bid/10100/info\r\n \r\nMultiple vulnerabilities have been identified in various modules of the application. These vulnerabilities may allow a remote attacker to carry out various attacks such as path disclosure, cross-site scripting, HTML injection, SQL injection, directory traversal, and arbitrary file upload.\r\n\r\nhttp://www.example.com/img/wiki_up/filenamehere", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/23948/"}, {"lastseen": "2018-01-24T14:28:03", "bulletinFamily": "exploit", "description": "TikiWiki < 1.8.1 - Multiple Vulnerabilities. CVE-2004-1923,CVE-2004-1924,CVE-2004-1925,CVE-2004-1926,CVE-2004-1927,CVE-2004-1928. Webapps exploit for PHP ...", "modified": "2004-04-11T00:00:00", "published": "2004-04-11T00:00:00", "id": "EDB-ID:43809", "href": "https://www.exploit-db.com/exploits/43809/", "type": "exploitdb", "title": "TikiWiki < 1.8.1 - Multiple Vulnerabilities", "sourceData": "TikiWiki Multiple Vulnerabilities\r\n\r\nVendor: TikiWiki Project\r\nProduct: TikiWiki\r\nVersion: <= 1.8.1\r\nWebsite: http://www.tikiwiki.org/\r\n\r\nBID: 10100 \r\nCVE: CVE-2004-1923 CVE-2004-1924 CVE-2004-1925 CVE-2004-1926 CVE-2004-1927 CVE-2004-1928 \r\nOSVDB: 5181 5182 5183 5184 5185 5186 5187 5188 5189 5190 5191 5192 5193 5194 5195 5196 5197 5198 5199 5200 5201 5202 5203 5204 5205 520 \r\nSECUNIA: 11344 \r\nPACKETSTORM: 33062 \r\n\r\nDescription:\r\nTiki CMS/Groupware (aka TikiWiki) is a powerful open-source Content Management System (CMS) and Groupware that can be used to create all sorts of Web applications, Sites, Portals, Intranets and Extranets. TikiWiki also works great as a Web-based collaboration tool. TikiWiki is a multi-purpose package with a lot of native options and sections that you can enable/disable as you need them. It is designed to be international, clean and extensible. TikiWiki incorporates all the features present in several excellent wiki systems available today plus a lot of new features and options, allowing your wiki application to be whatever you want it to be--from a simple wiki to a complex site for a whole user community with many intermediate steps. You can use TikiWiki as a forums site, a chatroom, for poll taking, and much more! \r\n\r\nPath Disclosure Vulnerabilities:\r\nThere are several ways to discover the full physical path of the web directory on a server running TikiWiki. One way is by calling some files directly with a null or non-existent value as seen below. \r\n\r\nbanner_click.php\r\ncategorize.php\r\ntiki-admin_include_directory.php\r\ntiki-directory_search.php \r\n\r\nSome files specifically prevent this by checking to see if they are called directly. I am not sure why more of the TikiWiki files do not use the same preventive measure. Also, just about anywhere that there is potential for SQL tampering (read about that later) you can leave the value null, and generate an error that will disclose the full physical path of the web server. Below are a handful of examples, but surely it is not all of them. The rest of this write up will use the following key when displaying example URL's \r\n\r\n[INT] = Pretty much any integer will do\r\n[VID] = Requires some sort of valid ID\r\n[VPG] = The name of a valid page/user page\r\n[JNK] = Just some random garbage\r\n[SQL] = An evil SQL query ;)\r\n[XSS] = Some code to cause XSS to happen \r\n\r\ntiki-searchindex.php?highlight=[JNK]\r\nmessu-read.php?offset=[INT]&flag=&priority=&flagval=&sort_mode=\r\nmessu-read.php?offset=[INT]&flag=&priority=&flagval=\r\nmessu-read.php?offset=[INT]&flag=&priority=\r\nmessu-read.php?offset=[INT]&flag=\r\nmessu-read.php?offset=\r\ntiki-list_file_gallery.php?find=&galleryId=1&offset=[INT]&sort_mode=\r\ntiki-usermenu.php?find=&offset=\r\ntiki-usermenu.php?find=&offset=[INT]&sort_mode=\r\ntiki-browse_categories.php?find=&deep=off&parentId=[VID]&offset=[INT]&sort_mode=\r\ntiki-browse_categories.php?find=&deep=off&parentId=[VID]&offset=\r\ntiki-index.php?page=[VPG]&comments_threshold=[INT]&comments_offset=[INT]&comments_maxComments=\r\ntiki-user_tasks.php?task_useDates=&taskId=[VID]&offset=[INT]&sort_mode=priority_desc&find=[JNK]\r\ntiki-user_tasks.php?task_useDates=&taskId=[VID]&offset=[INT]&sort_mode=\r\ntiki-directory_ranking.php?sort_mode=\r\ntiki-file_galleries.php?find=&search=find&sort_mode=\r\ntiki-list_faqs.php?find=&offset=[INT]&sort_mode=\r\ntiki-list_faqs.php?find=&offset=\r\ntiki-list_trackers.php?find=&offset=[INT]&sort_mode=\r\ntiki-list_trackers.php?find=&offset= \r\n\r\nCross Site Scripting:\r\nThere also happens to be a great number of places XSS (cross site scripting) can take place on a TikiWiki powered site. Below are a number of examples, but it is far from all of them. TikiWiki is a VERY large collection of files and it would be a waste of time to go through and find/list every one of them :) \r\n\r\ntiki-switch_theme.php?theme=[XSS]\r\nmessu-mailbox.php?flags=&priority=&find=[XSS]\r\nmessu-mailbox.php?flags=&priority=[XSS]\r\nmessu-read.php?offset=[INT]&flag=&priority=&flagval=&sort_mode=date_desc&find=[XSS]\r\nmessu-read.php?offset=[INT]&flag=&priority=&flagval=&sort_mode=[XSS]\r\nmessu-read.php?offset=[INT]&flag=&priority=&flagval=[XSS]\r\nmessu-read.php?offset=[INT]&flag=&priority=[XSS]\r\nmessu-read.php?offset=[INT]&flag=[XSS]\r\nmessu-read.php?offset=[XSS]\r\ntiki-read_article.php?articleId=[VID][XSS]\r\ntiki-browse_categories.php?find=&deep=off&parentId=[VID][XSS]\r\ntiki-index.php?page=[VPG]&comments_threshold=[INT][XSS]\r\ntiki-print_article.php?articleId=[VID][XSS]\r\ntiki-list_file_gallery.php?galleryId=[VID][XSS]\r\ntiki-upload_file.php?galleryId=[VID][XSS]\r\ntiki-view_faq.php?faqId=[VID][XSS]\r\ntiki-view_chart.php?chartId=[VID][XSS]\r\ntiki-survey_stats_survey.php?surveyId=[VID][XSS] \r\n\r\nSQL Injection Vulnerabilities:\r\nData seems to be passed into a query with little or no validation just about anywhere you encounter the *sort_mode or offset variable. It should be noted though that the offset variable takes place after the LIMIT statement, so the risk isn't very high as compared to data being passed earlier in the query. It still should be addressed though. Below are some examples. Once again keep in mind that this is not ALL instances of the *sort_mode or offset problems. \r\n\r\ntiki-usermenu.php?find=&offset=[INT]&sort_mode=[SQL]\r\ntiki-list_file_gallery.php?find=&galleryId=[VID]&offset=[INT]&sort_mode=[SQL]\r\ntiki-directory_ranking.php?sort_mode=[SQL]\r\ntiki-browse_categories.php?find=&deep=off&parentId=[VID]&offset=[INT]&sort_mode=[SQL]\r\ntiki-index.php?page=[VPG]&comments_threshold=[INT]&comments_offset=[INT]&comments_sort_mode=[SQL]\r\ntiki-user_tasks.php?task_useDates=&taskId=[VID]&offset=[INT]&sort_mode=[SQL]\r\ntiki-directory_ranking.php?sort_mode=[SQL]\r\ntiki-directory_search.php?how=or&words=&where=all&sort_mode=[SQL]\r\ntiki-file_galleries.php?find=&search=find&sort_mode=[SQL]\r\ntiki-list_faqs.php?find=&offset=[INT]&sort_mode=[SQL]\r\ntiki-list_trackers.php?find=&offset=[INT]&sort_mode=[SQL]\r\ntiki-list_blogs.php?find=&offset=[INT]&sort_mode=[SQL]\r\ntiki-usermenu.php?find=&offset=[SQL]\r\ntiki-browse_categories.php?find=&deep=off&parentId=[VID]&offset=[SQL]\r\ntiki-index.php?page=[VPG]&comments_threshold=[INT]&comments_offset=[SQL]\r\ntiki-user_tasks.php?task_useDates=&taskId=[VID]&offset=[SQL]\r\ntiki-list_faqs.php?find=&offset=[SQL]\r\ntiki-list_trackers.php?find=&offset=[SQL]\r\ntiki-list_blogs.php?find=&offset=[SQL] \r\n\r\nCode Injection:\r\nIt is possible for a malicious user to inject code into several places on a TikiWiki powered site including, but not limited to the link directory and the user profile. Below are examples of my findings, but I am pretty sure they also exist elsewhere \r\n\r\nUser Profile > Theme\r\nUser Profile > Country Field\r\nUser Profile > Real Name\r\nUser Profile > Displayed time zone\r\nDirectory > Add Site > Name\r\nDirectory > Add Site > Description\r\nDirectory > Add Site > URL\r\nDirectory > Add Site > Country \r\n\r\nRemote File/Dir Enumeration Via Traversal:\r\nThis issue deals with the map feature TikiWiki uses. If you are using a version prior to 1.8 or if you have not enabled the map feature this probably does not affect you. The map feature calls a .map file to display whatever map a user would like to view, but the problem with this is that it allows you to traverse out of the web directory and call files elsewhere on the box. While this does not allow you to say pull up a file for viewing or download, it will allow you to confirm the existence of both files and directories on the affected box. Below is an example. \r\n\r\n/tiki-map.phtml?mapfile=../../../../var/ \r\n\r\nI have also coded a small quick and dirty utility to automate the process of enumerating the existence of files on a machine running TikiWiki 1.8 with the map feature enabled. The utility can be found at the following location. \r\n\r\nTikiWiki POC File Existance Enumeration Utility \r\n\r\nArbitrary File Upload:\r\nIt is possible to upload arbitrary files to a TikiWiki installation by including it in the image upload feature when creating your TikiWiki user page. The file then will be located here. \r\n\r\nhttp://host/img/wiki_up/filenamehere \r\n\r\nIt should be pretty obvious that this will let an attacker upload arbitrary scripts and run commands with the rights of the webserver. This could be very dangerous. \r\n\r\nSolution:\r\nThe TikiWiki Devel team have addressed these issues, and updates are available at their official website. I was VERY impressed with the way these guys handled the situation. Due to the size of the project, and the way some of these issues spanned across seemingly hundreds of files there was a great amount of work to be done. In some cases a dev team would have just addressed the critical issues and left the small issues like path disclosure for the next official release. These guys though took EVERY issue very seriously and assembled a security response team, and very organized response method for these issues and future issues. I do not think any researcher could ask for a better response from a vendor. They were friendly, professional, prompt, and serious. Hats off to them, and TikiWiki users should know they are in good hands, as these guys are a young project and already take security issues more seriously than alot of the big name open source projects out there :) \r\n\r\nCredits:\r\nJames Bercegay of the GulfTech Security Research Team.", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/43809/"}], "openvas": [{"lastseen": "2019-05-29T18:31:57", "bulletinFamily": "scanner", "description": "The remote host is running Tiki Wiki CMS Groupware, a content management system written\n in PHP.\n\n The remote version of this software is vulnerable to multiple vulnerabilities\n which have been identified in various modules of the application.", "modified": "2019-03-04T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:136141256231014364", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231014364", "title": "Tiki Wiki CMS Groupware multiple input validation vulnerabilities", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: tikiwiki_multiple_input_flaws.nasl 13975 2019-03-04 09:32:08Z cfischer $\n#\n# Tiki Wiki CMS Groupware multiple input validation vulnerabilities\n#\n# Authors:\n# David Maciejak <david dot maciejak at kyxar dot fr>\n# based on work from (C) Tenable Network Security\n#\n# Copyright:\n# Copyright (C) 2004 David Maciejak\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\n# Ref: JeiAr <security@gulftech.org>\n\nCPE = \"cpe:/a:tiki:tikiwiki_cms/groupware\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.14364\");\n script_version(\"$Revision: 13975 $\");\n script_cve_id(\"CVE-2004-1923\", \"CVE-2004-1924\", \"CVE-2004-1925\",\n \"CVE-2004-1926\", \"CVE-2004-1927\", \"CVE-2004-1928\");\n script_bugtraq_id(10100);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-04 10:32:08 +0100 (Mon, 04 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_name(\"Tiki Wiki CMS Groupware multiple input validation vulnerabilities\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"This script is Copyright (C) 2004 David Maciejak\");\n script_family(\"Web application abuses\");\n script_dependencies(\"secpod_tikiwiki_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"TikiWiki/installed\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Tiki Wiki CMS Groupware 1.8.2 or newer\");\n\n script_tag(name:\"impact\", value:\"These vulnerabilities may allow a remote attacker to carry out various attacks\n such as path disclosure, cross-site scripting, HTML injection, SQL injection, directory traversal, and arbitrary file upload.\");\n\n script_tag(name:\"summary\", value:\"The remote host is running Tiki Wiki CMS Groupware, a content management system written\n in PHP.\n\n The remote version of this software is vulnerable to multiple vulnerabilities\n which have been identified in various modules of the application.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\nif( ! vers = get_app_version( cpe:CPE, port:port ) ) exit( 0 );\n\nif( version_is_less( version:vers, test_version:\"1.8.2\" ) ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:\"1.8.2\" );\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2019-02-21T01:08:03", "bulletinFamily": "scanner", "description": "The remote host is running TikiWiki, a content management system written in PHP. \n\nThe remote version of this software has multiple vulnerabilities that have been identified in various modules of the application. These vulnerabilities may allow a remote attacker to carry out various attacks such as path disclosure, cross-site scripting, HTML injection, SQL injection, directory traversal, and arbitrary file upload.", "modified": "2018-11-15T00:00:00", "id": "TIKIWIKI_MULTIPLE_INPUT_FLAWS.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=14364", "published": "2004-08-24T00:00:00", "title": "TikiWiki < 1.8.2 Multiple Input Validation Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(14364);\n script_version(\"1.25\");\n\n script_cve_id(\n \"CVE-2004-1923\", \n \"CVE-2004-1924\", \n \"CVE-2004-1925\", \n \"CVE-2004-1926\", \n \"CVE-2004-1927\", \n \"CVE-2004-1928\"\n );\n script_bugtraq_id(10100);\n \n script_name(english:\"TikiWiki < 1.8.2 Multiple Input Validation Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that suffers from\nmultiple issues.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running TikiWiki, a content management system\nwritten in PHP. \n\nThe remote version of this software has multiple vulnerabilities that\nhave been identified in various modules of the application. These\nvulnerabilities may allow a remote attacker to carry out various\nattacks such as path disclosure, cross-site scripting, HTML injection,\nSQL injection, directory traversal, and arbitrary file upload.\" );\n # http://web.archive.org/web/20080101124751/http://www.gulftech.org/?node=research&article_id=00037-04112004\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9f6bfebe\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2004/Apr/147\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://tiki.org/tiki-read_article.php?articleId=66\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to TikiWiki 1.8.2 or newer.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2004/08/24\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2004/04/11\");\n script_cvs_date(\"Date: 2018/11/15 20:50:19\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_set_attribute(attribute:\"cpe\",value:\"cpe:/a:tikiwiki:tikiwiki\");\nscript_end_attributes();\n\n \n script_summary(english:\"Checks the version of TikiWiki\");\n \n script_category(ACT_GATHER_INFO);\n \n script_copyright(english:\"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.\");\n script_family(english:\"CGI abuses\");\n script_dependencie(\"http_version.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_keys(\"www/PHP\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"global_settings.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = get_http_port(default:80);\n\nif(!get_port_state(port))exit(0);\nif(!can_host_php(port:port))exit(0);\nfunction check(loc)\n{\n local_var r, req;\n req = http_get(item: loc + \"/tiki-index.php\", port:port);\n r = http_keepalive_send_recv(port:port, data:req, bodyonly:1);\n if( r == NULL )exit(0);\n if( egrep(pattern:\"This is Tiki v(0\\.|1\\.[0-7]\\.|1\\.8\\.[0-1][^0-9])\", string:r) )\n {\n \tsecurity_hole(port);\n\tset_kb_item(name: 'www/'+port+'/XSS', value: TRUE);\n\tset_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);\n\texit(0);\n }\n}\n\nforeach dir (cgi_dirs())\n{\n check(loc:dir);\n}\n\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
