Subject: [UNIX] Tikiwiki Command Injection and Arbitrary File Exposure Vulnerabilities
Date: 14 Nov 2005 16:21:55 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com


  Tikiwiki Command Injection and Arbitrary File Exposure Vulnerabilities
------------------------------------------------------------------------


SUMMARY

 <http://tikiwiki.org/> Tikiwiki Community Portal is a full featured, 
freely available, Wiki/CMS/Groupware system written in PHP.

Two security vulnerabilities have recently been discovered in Tikiwiki: one 
allows injection of arbitrary commands, while the other allows exposure of 
sensitive system files.

DETAILS

Vulnerable Systems:
 * Tikiwiki versions 1.8.4 and 1.8.5

Immune Systems:
 * Tikiwiki version 1.9.1

Tikiwiki tiki-editpage Arbitrary File Exposure Vulnerability:
Remote exploitation of an input validation vulnerability in Tikiwiki 
allows attackers to gain access to arbitrary files on the vulnerable 
system under the privileges of the underlying web-server.

The problem specifically exists in the following snippet of code from 
tiki-editpage.php:
    $sdta = @file_get_contents($suck_url);
    ...
        $htmlparser = new HtmlParser($sdta, $grammar, '', 0);
        $htmlparser->Parse();

No sanity checking is done on the 'suck_url' parameter prior to utilizing 
it as the path to a file to read and parse. By specifying a path with 
directory traversal modifiers an attacker can request an arbitrary file to 
load and render on the screen.

Successful exploitation allows unauthenticated remote attackers to access 
arbitrary files on the vulnerable system with the privileges of the 
underlying web-server. If external database access is allowed, then 
exploitation can result in a full database compromise as the database 
credentials are easily exposed through this vulnerability.

Workaround:
Restrict unnecessary access to Tikiwiki with firewall filters or HTTP 
based authentication. If remote database connectivity is not required, 
configure the underlying database server to bind to localhost only or 
firewall the listening port to accept trusted hosts only.

Tikiwiki tiki-user_preferences Command Injection Vulnerability:
Remote exploitation of an input validation vulnerability in Tikiwiki could 
allow attackers to gain access to arbitrary files on the vulnerable system 
and execute arbitrary code under the privileges of the underlying 
web-server.

The problem specifically exists in the following snippet of code from 
tiki-user_preferences.php:
    if (isset($_REQUEST["prefs"])) {
    ...
        if ($change_language == 'y') {
            if (isset($_REQUEST["language"])) {
                $tikilib->set_user_preference($userwatch, 'language', \
                    $_REQUEST["language"]);
    
                $smarty->assign('language', $_REQUEST["language"]);
                include ('lang/' . $_REQUEST["language"] . \
                    '/language.php');
            }
        }

No sanity checking is done on the 'language' parameter prior to utilizing 
it in a call to the PHP function include(). By specifying a path with 
directory traversal modifiers, an attacker can request an arbitrary file 
to load and render on the screen.

Exploitation could allow authenticated remote attackers to access 
arbitrary files on the vulnerable system with the privileges of the 
underlying web-server. If external database access is allowed, 
exploitation can result in a full database compromise since database 
credentials are easily exposed through this vulnerability.

Exploitation can result in arbitrary command execution with the privileges 
of the underlying targeted web server. This is possible because attackers 
can generate request URLs with arbitrary script directives that are 
recorded in the web server log files. Attackers can then utilize the path 
to the poisoned log file in the file inclusion, resulting in the 
directives being parsed and executed.

Workaround:
Restrict anonymous access to Tikiwiki. If remote database connectivity is 
not required, configure the underlying database server to bind to 
localhost only or firewall the listening port to accept trusted hosts 
only. Restrict read access of log files from the web server user.
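Both issues above hinge on two request parameters, 'suck_url' and 'language', 
being used as file paths. The following Python script is an added detection 
example, not part of the advisory or of Tikiwiki: it parses constructed 
Apache combined-format access log lines and flags requests where either 
parameter carries anything but the value the feature expects. The language 
code pattern and the sample log lines are assumptions, not Tikiwiki's own.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache combined log format (not from a real server).
SAMPLE_LOG = """\
10.0.0.5 - - [14/Nov/2005:16:21:55 +0200] "GET /tiki/tiki-user_preferences.php?prefs=1&language=en HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [14/Nov/2005:16:22:10 +0200] "GET /tiki/tiki-user_preferences.php?prefs=1&language=../../../../etc/passwd HTTP/1.1" 200 2048 "-" "curl/7.15"
10.0.0.9 - - [14/Nov/2005:16:22:31 +0200] "GET /tiki/tiki-editpage.php?suck_url=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1800 "-" "curl/7.15"
10.0.0.7 - - [14/Nov/2005:16:23:02 +0200] "GET /tiki/tiki-editpage.php?suck_url=http://example.org/page.html HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Assumed shape of a legitimate language code, e.g. "en" or "pt-br".
LANGUAGE_RE = re.compile(r'^[a-z]{2}(-[a-z]{2})?$')


def is_suspicious(param, value):
    """True when the parameter value is not what the feature legitimately needs."""
    value = unquote(unquote(value))  # undo single and double URL encoding
    if param == 'language':
        # 'language' is used in include('lang/' . $language . '/language.php'):
        # anything other than a plain language code is an inclusion attempt.
        return LANGUAGE_RE.match(value) is None
    if param == 'suck_url':
        # 'suck_url' is meant to fetch a remote page; a non-URL value is a local path.
        return not value.lower().startswith(('http://', 'https://'))
    return False


def scan(log_text):
    """Return (client ip, parameter, decoded value) for every suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m['target']).query
        for param, values in parse_qs(query, keep_blank_values=True).items():
            for v in values:
                if is_suspicious(param, v):
                    hits.append((m['ip'], param, v))
    return hits


if __name__ == '__main__':
    for ip, param, value in scan(SAMPLE_LOG):
        print(f'{ip} sent suspicious {param}={value!r}')
```

Because the same log file is what the advisory says an attacker poisons, run this 
against a copy of the log rather than granting the web server user read access to it.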

Vendor response:
These vulnerabilities have been addressed in Tikiwiki 1.9.1, which is 
available for download at:
 http://tikiwiki.org/tiki-index.php?page=Download

CVE Information:
 CAN-2005-1925 - http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1925

Disclosure Timeline:
07.06.05 - Initial vendor notification
21.08.05 - Initial vendor response
10.11.05 - Public disclosure


ADDITIONAL INFORMATION

The original articles can be found at:
 http://www.idefense.com/application/poi/display?id=335
 http://www.idefense.com/application/poi/display?id=337


