tikiwiki-traverse.txt

2007-12-24T00:00:00
ID PACKETSTORM:62062
Type packetstorm
Reporter Jesus Olmos Gonzalez
Modified 2007-12-24T00:00:00

Description

                                        
                                            `=============================================  
INTERNET SECURITY AUDITORS ALERT 2007-006  
- Original release date: December 18th, 2007  
- Last revised: December 24th, 2007  
- Discovered by: Jesus Olmos Gonzalez  
- Severity: 5/5  
=============================================  
  
I. VULNERABILITY  
-------------------------  
Tikiwiki CMS is vulnerable to path traversal attack  
  
II. BACKGROUND  
-------------------------  
Tikiwiki (Tiki) is a Free Software (LGPL) Content Management System  
solution that unifies many features like wikis, forums, blogs,  
articles, galleries, mapserver, link directory.  
  
This software is massively used in the World Wide Web, and has been  
audited by the security community for years.  
  
III. DESCRIPTION  
-------------------------  
It is possible to get the first 1000 bytes from an arbitrary file  
trough the tiki-listmovies.php script.  
  
This script sets the movie parameter value into $movie. The last 4  
bytes are erased and an .xml extension is appended. Then, the file is  
opened for reading with the call fopen($confFile,'r') and the first  
1000 bytes are read from the file. Then the 1000 bytes are parsed and  
used as the values for MovieWidth and MovieHeight HTML tags. Finally  
the resulting HTML file is returned to the user by the webserver.  
  
The vulnerable snippet of code is:  
  
if(isset($_GET["movie"])) {  
$movie = $_GET["movie"];  
...  
  
if ($movie) {  
// Initialize movie size  
$confFile = 'tikimovies/'.substr($movie,0,-4).".xml";  
  
//trc('confFile', $confFile);  
$fh = @fopen($confFile,'r');  
$config = @fread($fh, 1000);  
@fclose($fh);  
if (isset($config) && $config <>'') {  
$width =  
preg_replace("/^.*?<MovieWidth>(.*?)<\/MovieWidth>.*$/ms", "$1", $config);  
$height =  
preg_replace("/^.*?<MovieHeight>(.*?)<\/MovieHeight>.*$/ms", "$1",  
$config);  
$smarty->assign('movieWidth',$width);  
$smarty->assign('movieHeight',$height);  
}  
}  
  
The avoidable controls that permit exploiting the flaw are:  
  
* First, 'tikimovies/' is prepended to the filename, so we could  
reference a relative filesystem object like  
'../../../../../../file_name'. This could also allow the attacker to  
get the database password at the config file, or obtain any other  
files outside the web directory, let's say '/etc/passwd'.  
* Second, the four ending 4 bytes are removed from the $movie  
variables. So adding 4 trash ending bytes to our evil string this  
control also can be bypassed  
* At the end, an .xml extension is added at the end of the variable.  
We finally avoid this adding the null byte (%00) in our value.  
  
The resulting evil string to access the file looks like this:  
  
../../../../../../etc/passwd%001234  
  
  
IV. PROOF OF CONCEPT  
-------------------------  
http://www.victym.com/tiki-listmovies.php?movie=../../../../../../etc/passwd%001234  
  
V. BUSINESS IMPACT  
-------------------------  
The confidentiality is directly broken, and getting config files the  
attacker probably access to the system to break integrity.  
  
VI. SYSTEMS AFFECTED  
-------------------------  
All versions of tikiwiki are affected up to 1.9.9.  
  
VII. SOLUTION  
-------------------------  
Update to version 1.9.9 or patch.  
  
VIII. REFERENCES  
-------------------------  
http://info.tikiwiki.org  
  
IX. CREDITS  
-------------------------  
This vulnerability has been discovered and reported  
by Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com).  
  
X. REVISION HISTORY  
-------------------------  
December 18, 2007: Initial release.  
December 24, 2007: Published. Happy 2008!  
  
XI. DISCLOSURE TIMELINE  
-------------------------  
December 18, 2007: Vulnerability acquired by  
Internet Security Auditors (www.isecauditors.com)  
December 18, 2007: Development team is contacted. Patch coming.  
December 22, 2007: New version of Tikiwiki CMS published.  
  
XII. LEGAL NOTICES  
-------------------------  
The information contained within this advisory is supplied "as-is"  
with no warranties or guarantees of fitness of use or otherwise.  
Internet Security Auditors, S.L. accepts no responsibility for any  
damage caused by the use or misuse of this information.  
`