[UNIX] Tikiwiki Command Injection and Arbitrary File Exposure Vulnerabilities

From: SecuriTeam (support_at_securiteam.com)
Date: 11/14/05

    To: list@securiteam.com
    Date: 14 Nov 2005 16:21:55 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Tikiwiki Command Injection and Arbitrary File Exposure Vulnerabilities
    ------------------------------------------------------------------------

    SUMMARY

    Tikiwiki Community Portal (http://tikiwiki.org/) is a full-featured,
    freely available Wiki/CMS/Groupware system written in PHP.

    Two security vulnerabilities have recently been discovered in Tikiwiki:
    one allows injection of arbitrary commands, while the other allows
    exposure of sensitive system files.

    DETAILS

    Vulnerable Systems:
     * Tikiwiki versions 1.8.4 and 1.8.5

    Immune Systems:
     * Tikiwiki version 1.9.1

    Tikiwiki tiki-editpage Arbitrary File Exposure Vulnerability:
    Remote exploitation of an input validation vulnerability in Tikiwiki
    allows attackers to gain access to arbitrary files on the vulnerable
    system under the privileges of the underlying web-server.

    The problem specifically exists in the following snippet of code from
    tiki-editpage.php:
        $sdta = @file_get_contents($suck_url);
        ...
            $htmlparser = new HtmlParser($sdta, $grammar, '', 0);
            $htmlparser->Parse();

    No sanity checking is done on the 'suck_url' parameter prior to utilizing
    it as the path to a file to read and parse. By specifying a path with
    directory traversal modifiers an attacker can request an arbitrary file to
    load and render on the screen.

    Successful exploitation allows unauthenticated remote attackers to access
    arbitrary files on the vulnerable system with the privileges of the
    underlying web-server. If external database access is allowed, then
    exploitation can result in a full database compromise as the database
    credentials are easily exposed through this vulnerability.

    Workaround:
    Restrict unnecessary access to Tikiwiki with firewall filters or HTTP
    based authentication. If remote database connectivity is not required,
    configure the underlying database server to bind to localhost only or
    firewall the listening port to accept trusted hosts only.

    Tikiwiki tiki-user_preferences Command Injection Vulnerability:
    Remote exploitation of an input validation vulnerability in Tikiwiki could
    allow attackers to gain access to arbitrary files on the
    vulnerable system and execute arbitrary code under the privileges of the
    underlying web-server.

    The problem specifically exists in the following snippet of code from
    tiki-user_preferences.php:
        if (isset($_REQUEST["prefs"])) {
        ...
            if ($change_language == 'y') {
                if (isset($_REQUEST["language"])) {
                    $tikilib->set_user_preference($userwatch, 'language', $_REQUEST["language"]);

                    $smarty->assign('language', $_REQUEST["language"]);
                    include ('lang/' . $_REQUEST["language"] . '/language.php');
                }
            }

    No sanity checking is done on the 'language' parameter prior to utilizing
    it in a call to the PHP function include(). By specifying a
    path with directory traversal modifiers, an attacker can request an
    arbitrary file to load and render on the screen.

    Exploitation could allow authenticated remote attackers to access
    arbitrary files on the vulnerable system with the privileges of the
    underlying web-server. If external database access is allowed,
    exploitation can result in a full database compromise since database
    credentials are easily exposed through this vulnerability.

    Exploitation can result in arbitrary command execution with the privileges
    of the underlying targeted web server. This is possible because attackers
    can generate request URLs with arbitrary script directives that are
    recorded in the web server log files. Attackers can then utilize the path
    to the poisoned log file in the file inclusion, resulting in the
    directives being parsed and executed.
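    As an added defensive example, not taken from the advisory or from the Tikiwiki project: a small access-log scanner that flags requests carrying traversal-style values in the two parameters discussed above (suck_url on tiki-editpage.php and language on tiki-user_preferences.php). It percent-decodes repeatedly so that double-encoded sequences, which a single decode would miss, are still caught; the log lines, addresses and paths are constructed sample data.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit
# Scripts named in the advisory -> parameter passed unchecked to file_get_contents()/include()
WATCHED = {"tiki-editpage.php": "suck_url", "tiki-user_preferences.php": "language"}

# Request field of an NCSA/Apache access-log line: "METHOD /target HTTP/1.x"
LOG_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable, so double-encoded ../ (%252e%252e%252f) is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def suspicious(value: str) -> bool:
    """Traversal, absolute path or NUL byte: none belong in either parameter."""
    v = decode_fully(value)
    return "../" in v or v.startswith("/") or "\x00" in v

def check_request(target: str):
    """Return (script, param, decoded value) for a watched request with a bad value, else None."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    param = WATCHED.get(script)
    if param is None:
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get(param, []):
        if suspicious(value):
            return (script, param, decode_fully(value))
    return None

def scan_log(lines):
    """Run check_request over access-log lines; return the list of hits in order."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and (hit := check_request(m.group("target"))):
            hits.append(hit)
    return hits
# Constructed sample log lines (addresses are from documentation ranges).
SAMPLE_LOG = """\
203.0.113.5 - - [14/Nov/2005:10:01:02 +0200] "GET /tiki/tiki-editpage.php?page=Home&suck_url=../../../../etc/passwd HTTP/1.1" 200 5120
203.0.113.5 - - [14/Nov/2005:10:01:09 +0200] "GET /tiki/tiki-editpage.php?page=Home&suck_url=http://example.org/page.html HTTP/1.1" 200 2048
198.51.100.7 - - [14/Nov/2005:10:02:30 +0200] "POST /tiki/tiki-user_preferences.php?prefs=1&change_language=y&language=%252e%252e%252f%252e%252e%252fetc%252fhostname HTTP/1.1" 200 900
192.0.2.9 - - [14/Nov/2005:10:03:00 +0200] "GET /tiki/tiki-user_preferences.php?prefs=1&change_language=y&language=fr HTTP/1.1" 200 3000
"""
```

Running scan_log(SAMPLE_LOG.splitlines()) reports the first and third lines only; the fetch of a remote page and the plain language code pass untouched.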

    Workaround:
    Restrict anonymous access to Tikiwiki. If remote database connectivity is
    not required, configure the underlying database server to bind to
    localhost only or firewall the listening port to accept trusted hosts
    only. Restrict read access of log files from the web server user.

    Vendor response:
    These vulnerabilities have been addressed in Tikiwiki 1.9.1, which is
    available for download at:
    http://tikiwiki.org/tiki-index.php?page=Download

    CVE Information:
    CAN-2005-1925: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1925

    Disclosure Timeline:
    07.06.05 - Initial vendor notification
    21.08.05 - Initial vendor response
    10.11.05 - Public disclosure

    ADDITIONAL INFORMATION

    The original articles can be found at:
    http://www.idefense.com/application/poi/display?id=335
    http://www.idefense.com/application/poi/display?id=337


