TikiWiki file upload vulnerability (jhot.php)

2006-09-08T00:00:00
ID SAINT:2FDD755A35D757D79ACDBAFDB4DA8349
Type saint
Reporter SAINT Corporation
Modified 2006-09-08T00:00:00

Description

Added: 09/08/2006
CVE: CVE-2006-4602
BID: 19819
OSVDB: 28456

Background

TikiWiki is a multi-purpose web content management system written in PHP.

Problem

The **jhot.php** script allows remote attackers to upload arbitrary PHP commands into the **img/wiki** directory. The commands can then be executed by requesting the uploaded PHP file from a web browser.

Resolution

Upgrade to TikiWiki 1.9.5 or higher.

References

<http://secunia.com/advisories/21733>