TikiWiki file upload vulnerability (jhot.php)

Added: 09/08/2006
CVE: CVE-2006-4602
BID: 19819
OSVDB: 28456

Background

TikiWiki is a multi-purpose web content management system written in PHP.

Problem

The **jhot.php** script allows remote attackers to upload arbitrary PHP commands into the **img/wiki** directory. The commands can then be executed by requesting the uploaded PHP file from a web browser.

Resolution

Upgrade to TikiWiki 1.9.5 or higher.

References

<http://secunia.com/advisories/21733&gt;