[UNIX] Multiple Vulnerabilities in Tiki CMS/Groupware
From: SecuriTeam (support_at_securiteam.com)
Date: 04/15/04
To: list@securiteam.com Date: 15 Apr 2004 19:35:33 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Multiple Vulnerabilities in Tiki CMS/Groupware
------------------------------------------------------------------------
SUMMARY
" <http://www.tikiwiki.org> Tiki CMS/Groupware (aka TikiWiki) is a
powerful open-source Content Management System (CMS) and Groupware that
can be used to create all sorts of Web applications, Sites, Portals,
Intranets and Extranets. TikiWiki also works great as a Web-based
collaboration tool."
TikiWiki suffers from multiple types of security vulnerabilities, including
path disclosure, cross-site scripting (XSS), SQL injection and script code
injection.
DETAILS
Vulnerable Systems:
* TikiWiki versions 1.8.1 and prior
Immune Systems:
* TikiWiki version 1.8.2
Path Disclosure
There are several ways in which a malicious user can discover the actual
filesystem path of the directory containing the TikiWiki installation. One
way is to call some of the script files with no arguments at all. Examples:
banner_click.php
categorize.php
tiki-admin_include_directory.php
tiki-directory_search.php
Some of the scripts prevent this method by checking whether they were
called directly. However, not all files do this, and those that do not are
vulnerable. In addition, in any place where SQL injection is possible, not
providing arguments will generate an error page that discloses the full
filesystem path of the web server directory. A few examples are provided,
but the list is by no means complete:
tiki-searchindex.php?highlight=[JNK]
messu-read.php?offset=[INT]&flag=&priority=&flagval=&sort_mode=
messu-read.php?offset=[INT]&flag=&priority=&flagval=
messu-read.php?offset=[INT]&flag=&priority=
messu-read.php?offset=[INT]&flag=
messu-read.php?offset=
tiki-list_file_gallery.php?find=&galleryId=1&offset=[INT]&sort_mode=
tiki-usermenu.php?find=&offset=
tiki-usermenu.php?find=&offset=[INT]&sort_mode=
tiki-browse_categories.php?find=&deep=off&parentId=[VID]&offset=[INT]&sort_mode=
tiki-browse_categories.php?find=&deep=off&parentId=[VID]&offset=
tiki-index.php?page=[VPG]&comments_threshold=[INT]&comments_offset=[INT]&comments_maxComments=
tiki-user_tasks.php?task_useDates=&taskId=[VID]&offset=[INT]&sort_mode=priority_desc&find=[JNK]
tiki-user_tasks.php?task_useDates=&taskId=[VID]&offset=[INT]&sort_mode=
tiki-directory_ranking.php?sort_mode=
tiki-file_galleries.php?find=&search=find&sort_mode=
tiki-list_faqs.php?find=&offset=[INT]&sort_mode=
tiki-list_faqs.php?find=&offset=
tiki-list_trackers.php?find=&offset=[INT]&sort_mode=
tiki-list_trackers.php?find=&offset=
The following legend is used:
[INT] = Pretty much any integer will do
[VID] = Requires some sort of valid ID
[VPG] = The name of a valid page/user page
[JNK] = Just some random garbage
[SQL] = An evil SQL query
[XSS] = Some code to cause XSS to happen
Cross-site Scripting
There are many locations in TikiWiki that are vulnerable to XSS attacks.
Some examples are presented below; others probably exist, as the system is
very large and composed of many files:
tiki-switch_theme.php?theme=[XSS]
messu-mailbox.php?flags=&priority=&find=[XSS]
messu-mailbox.php?flags=&priority=[XSS]
messu-read.php?offset=[INT]&flag=&priority=&flagval=&sort_mode=date_desc&find=[XSS]
messu-read.php?offset=[INT]&flag=&priority=&flagval=&sort_mode=[XSS]
messu-read.php?offset=[INT]&flag=&priority=&flagval=[XSS]
messu-read.php?offset=[INT]&flag=&priority=[XSS]
messu-read.php?offset=[INT]&flag=[XSS]
messu-read.php?offset=[XSS]
tiki-read_article.php?articleId=[VID][XSS]
tiki-browse_categories.php?find=&deep=off&parentId=[VID][XSS]
tiki-index.php?page=[VPG]&comments_threshold=[INT][XSS]
tiki-print_article.php?articleId=[VID][XSS]
tiki-list_file_gallery.php?galleryId=[VID][XSS]
tiki-upload_file.php?galleryId=[VID][XSS]
tiki-view_faq.php?faqId=[VID][XSS]
tiki-view_chart.php?chartId=[VID][XSS]
tiki-survey_stats_survey.php?surveyId=[VID][XSS]
SQL Injection
Data passed to queries is validated poorly or not at all wherever the
sort_mode or offset variables are used. It should be noted, though, that
the offset variable is placed after the LIMIT clause, so the risk is lower
than for data inserted earlier in the query. Below are some examples:
tiki-usermenu.php?find=&offset=[INT]&sort_mode=[SQL]
tiki-list_file_gallery.php?find=&galleryId=[VID]&offset=[INT]&sort_mode=[SQL]
tiki-directory_ranking.php?sort_mode=[SQL]
tiki-browse_categories.php?find=&deep=off&parentId=[VID]&offset=[INT]&sort_mode=[SQL]
tiki-index.php?page=[VPG]&comments_threshold=[INT]&comments_offset=[INT]&comments_sort_mode=[SQL]
tiki-user_tasks.php?task_useDates=&taskId=[VID]&offset=[INT]&sort_mode=[SQL]
tiki-directory_ranking.php?sort_mode=[SQL]
tiki-directory_search.php?how=or&words=&where=all&sort_mode=[SQL]
tiki-file_galleries.php?find=&search=find&sort_mode=[SQL]
tiki-list_faqs.php?find=&offset=[INT]&sort_mode=[SQL]
tiki-list_trackers.php?find=&offset=[INT]&sort_mode=[SQL]
tiki-list_blogs.php?find=&offset=[INT]&sort_mode=[SQL]
tiki-usermenu.php?find=&offset=[SQL]
tiki-browse_categories.php?find=&deep=off&parentId=[VID]&offset=[SQL]
tiki-index.php?page=[VPG]&comments_threshold=[INT]&comments_offset=[SQL]
tiki-user_tasks.php?task_useDates=&taskId=[VID]&offset=[SQL]
tiki-list_faqs.php?find=&offset=[SQL]
tiki-list_trackers.php?find=&offset=[SQL]
tiki-list_blogs.php?find=&offset=[SQL]
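The fix for the sort_mode and offset problems above is the same everywhere: the ORDER BY fragment cannot be bound as a query parameter, so it must come from a fixed allowlist, while LIMIT/OFFSET values can and should be bound. The following is an added example written for this page, not TikiWiki's own code; the table, column names and the sort_mode keys are constructed, and it uses Python with sqlite3 to keep the pattern runnable offline.

```python
import re
import sqlite3

# Allowlist mapping the sort_mode values the application offers (constructed
# names, not TikiWiki's real list) to fixed ORDER BY fragments.
SORT_MODES = {
    "name_asc": "name ASC",
    "name_desc": "name DESC",
    "created_asc": "created ASC",
    "created_desc": "created DESC",
}
PAGE_SIZE = 10


def parse_sort_mode(value, default="name_asc"):
    """Return the ORDER BY fragment for a sort_mode request parameter.

    An empty or missing value falls back to the default (the advisory notes
    that an empty sort_mode produced a path-disclosing error page); anything
    not in the allowlist is rejected rather than spliced into the SQL text.
    """
    if value is None or value == "":
        return SORT_MODES[default]
    try:
        return SORT_MODES[value]
    except KeyError:
        raise ValueError("unknown sort_mode") from None


def parse_offset(value):
    """Return a non-negative integer offset, or raise ValueError."""
    if value is None or value == "":
        return 0
    # Only ASCII digits: rejects '-1', quotes, spaces and SQL fragments.
    if not re.fullmatch(r"[0-9]+", value):
        raise ValueError("offset must be a non-negative integer")
    return int(value)


def list_galleries(conn, sort_mode=None, offset=None):
    """Safe listing: ORDER BY text comes only from the allowlist, and the
    LIMIT/OFFSET values are bound as parameters, never interpolated."""
    order_by = parse_sort_mode(sort_mode)
    off = parse_offset(offset)
    sql = f"SELECT name FROM galleries ORDER BY {order_by} LIMIT ? OFFSET ?"
    return [row[0] for row in conn.execute(sql, (PAGE_SIZE, off))]


def demo_db():
    """In-memory table with a few constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE galleries (name TEXT, created INTEGER)")
    conn.executemany("INSERT INTO galleries VALUES (?, ?)",
                     [("photos", 3), ("docs", 1), ("icons", 2)])
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(list_galleries(db, "created_desc", "1"))
    for bad in (("[SQL]", "0"), ("name_asc", "[SQL]")):
        try:
            list_galleries(db, *bad)
        except ValueError as exc:
            print("rejected", bad, "->", exc)
```

Rejected values raise before any SQL is built, so the caller can return a generic "bad request" page; that also closes the path-disclosure variant, since the database layer never sees the malformed query and never emits an error page containing the script's path.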
Code Injection
It is possible for a malicious user to inject code into several places on
a TikiWiki powered site, including, but not limited to, the link directory
and the user profile. Some examples of vulnerable sections are:
User Profile > Theme
User Profile > Country Field
User Profile > Real Name
User Profile > Displayed time zone
Directory > Add Site > Name
Directory > Add Site > Description
Directory > Add Site > URL
Directory > Add Site > Country
Remote File/Directory Enumeration Via Traversal
This issue deals with the map feature TikiWiki uses. It affects only
version 1.8 of the system, and only when the map feature is enabled. The
map feature calls a .map file to display whatever map a user would like to
view, but the problem is that the parameter allows traversal out of the web
directory to reference files elsewhere on the host. While this does not
allow an attacker to view or download those files, it does help determine
whether they exist. A small example:
/tiki-map.phtml?mapfile=../../../../var/
A small utility that can quickly enumerate files on a system running
TikiWiki 1.8 can be found at http://www.gulftech.org/vuln/tikitool.txt.
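The defence for a parameter like mapfile is to resolve the requested name against the map directory and refuse anything that ends up outside it, returning the same error whether the name was rejected or the file simply does not exist, so the response no longer reveals whether a path exists. The following containment check is an added example for this page, not TikiWiki's code; the map directory path is an assumed value, and it works on normalised path strings so it runs without touching the filesystem (a deployment would additionally resolve symlinks with os.path.realpath before serving the file).

```python
import posixpath

# Assumed location of the .map files (constructed for this example).
MAP_DIR = "/var/www/tiki/maps"


def resolve_map_file(mapfile, base_dir=MAP_DIR):
    """Return the absolute path of the requested map file, or None.

    None is returned for every rejected input so the caller can answer with
    one uniform 'map not found' page and leak nothing about the filesystem.
    """
    if not mapfile or "\x00" in mapfile:
        return None
    # Everything must be relative to base_dir; absolute names are refused.
    if mapfile.startswith("/"):
        return None
    # Defence in depth: refuse any '..' segment before normalising.
    if ".." in mapfile.split("/"):
        return None
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, mapfile))
    # Containment: after normalisation the candidate must still lie in base.
    if not candidate.startswith(base + "/"):
        return None
    # Only a real map file name, never the directory itself or another type.
    name = posixpath.basename(candidate)
    if not name.endswith(".map") or name == ".map":
        return None
    return candidate


if __name__ == "__main__":
    for req in ("world.map", "regions/europe.map", "../../../../var/",
                "/var/www/tiki/maps/world.map", "world.txt"):
        print(repr(req), "->", resolve_map_file(req))
```

The advisory's sample request "../../../../var/" is refused at the ".." check, and it would be refused again at the containment check even if that first test were removed, which is the point of keeping both.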
Arbitrary File Upload
It is possible to upload arbitrary files to a TikiWiki installation via
the image upload feature used when creating your TikiWiki user page. The
file will then be located at:
http://host/img/wiki_up/filenamehere
This would allow an attacker to upload scripts and run commands as the web
server user.
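An image upload handler stops this class of bug by never trusting the client's file name: the content is checked against known image signatures, the stored name is chosen by the server with an extension derived from that content, and the upload directory is configured so the web server never executes scripts from it. The validator below is an added example for this page and not TikiWiki's own upload code; the size limit and the accepted image types are assumptions.

```python
import os
import secrets

# Leading bytes of the image types this (constructed) gallery accepts.
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpg",
}
MAX_UPLOAD_BYTES = 2 * 1024 * 1024   # assumed limit


def detect_image_type(data):
    """Return the image type implied by the file's first bytes, or None."""
    for magic, kind in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def safe_upload_name(original_name, data):
    """Return a server-chosen file name for an uploaded image, or None if
    the upload is rejected.

    The client-supplied name is used only to confirm that its extension
    agrees with the detected content; the stored name is random and carries
    the extension derived from the bytes, so a file uploaded as 'x.php'
    or 'x.png.php' never lands in the directory under that name.
    """
    if not data or len(data) > MAX_UPLOAD_BYTES:
        return None
    kind = detect_image_type(data)
    if kind is None:
        return None
    ext = os.path.splitext(os.path.basename(original_name))[1].lower().lstrip(".")
    if ext == "jpeg":
        ext = "jpg"
    if ext != kind:
        return None
    return f"{secrets.token_hex(16)}.{kind}"


if __name__ == "__main__":
    png_header = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16   # constructed sample
    print(safe_upload_name("avatar.png", png_header))
    print(safe_upload_name("avatar.php", png_header))
    print(safe_upload_name("avatar.png", b"<?php echo 1; ?>"))
```

Signature checks alone are not sufficient, since a file can begin with a valid GIF header and still contain script text; what actually prevents "run commands as the web server" is that the saved file never has an executable extension and the wiki_up directory is served with script execution disabled (for Apache, a directory configuration that removes the PHP handler and disallows overrides, in addition to keeping the directory non-writable by anything but the upload handler).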
Patch Availability:
The vendor has responded quickly and fixed the vulnerabilities. A security
update can be downloaded from http://www.tikiwiki.org. Upgrade to version
1.8.2.
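Sites that cannot upgrade immediately can at least watch their access logs for the request shapes this advisory describes: a mapfile value that climbs out of the map directory, sort_mode or offset values that are not the plain tokens the application expects, and a script being fetched from the img/wiki_up upload directory. The scanner below is an added example for this page, not a SecuriTeam or TikiWiki tool; the log lines are constructed in Apache combined format with documentation-range addresses, and the parameter names are the ones listed in this advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache/NCSA combined format: ip ident user [time] "method target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

SORT_PARAMS = {"sort_mode", "comments_sort_mode"}
OFFSET_PARAMS = {"offset", "comments_offset"}
SORT_OK = re.compile(r"^[A-Za-z0-9_]*$")   # e.g. title_asc; empty is tolerated
OFFSET_OK = re.compile(r"^[0-9]*$")
SCRIPT_EXT = (".php", ".phtml", ".php3", ".php4", ".phps")


def inspect_request(target):
    """Return a list of (rule, detail) findings for one request target."""
    findings = []
    parts = urlsplit(target)
    path = unquote(parts.path)
    query = parse_qs(parts.query, keep_blank_values=True)  # values are decoded
    # 1. Map feature: a mapfile value that climbs directories or is absolute.
    if path.endswith("/tiki-map.phtml"):
        for v in query.get("mapfile", []):
            decoded = unquote(v)   # second decode catches %252e%252e style encoding
            if ".." in decoded.split("/") or decoded.startswith("/"):
                findings.append(("map-traversal", v))
    # 2. sort_mode / offset values outside the simple tokens the app expects.
    for name, values in query.items():
        if name in SORT_PARAMS:
            for v in values:
                if not SORT_OK.match(v):
                    findings.append(("sort_mode-injection", f"{name}={v}"))
        elif name in OFFSET_PARAMS:
            for v in values:
                if not OFFSET_OK.match(v):
                    findings.append(("offset-injection", f"{name}={v}"))
    # 3. A script being requested from the wiki image upload directory.
    if "/img/wiki_up/" in path and path.lower().endswith(SCRIPT_EXT):
        findings.append(("wiki_up-script", path))
    return findings


def scan_log(lines):
    """Parse combined-format lines and return one record per flagged request."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for rule, detail in inspect_request(m.group("target")):
            alerts.append({"ip": m.group("ip"), "rule": rule,
                           "detail": detail, "status": m.group("status")})
    return alerts


# Constructed sample log lines for this example (documentation IP ranges).
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Apr/2004:19:40:01 +0200] "GET /tiki/tiki-index.php?page=HomePage HTTP/1.1" 200 5120',
    '203.0.113.5 - - [15/Apr/2004:19:40:07 +0200] "GET /tiki/tiki-list_faqs.php?find=&offset=0&sort_mode=title_asc HTTP/1.1" 200 3000',
    '198.51.100.9 - - [15/Apr/2004:19:41:12 +0200] "GET /tiki/tiki-map.phtml?mapfile=../../../../var/ HTTP/1.1" 200 800',
    '198.51.100.9 - - [15/Apr/2004:19:41:40 +0200] "GET /tiki/tiki-list_faqs.php?find=&offset=0&sort_mode=title%20asc%27 HTTP/1.1" 500 1200',
    '198.51.100.9 - - [15/Apr/2004:19:42:03 +0200] "GET /tiki/tiki-user_tasks.php?task_useDates=&taskId=1&offset=1%27 HTTP/1.1" 500 1200',
    '198.51.100.9 - - [15/Apr/2004:19:43:55 +0200] "GET /tiki/img/wiki_up/x.php HTTP/1.1" 200 60',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The status code is carried along because the advisory notes that the broken queries produce an error page: a burst of 500 responses on sort_mode or offset requests from one address is the path-disclosure and SQL-injection reconnaissance described above, and a 200 on a script under img/wiki_up means the upload issue has already been used and the host should be treated as compromised.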
ADDITIONAL INFORMATION
The information has been provided by JeiAr <security@gulftech.org>.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.