-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



SA0003

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++    Multiple security issues in TikiWiki 1.9.x     +++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


PUBLISHED ON
  Nov 09, 2005


PUBLISHED AT
  http://moritz-naumann.com/adv/0003/tikiw/0003.txt
  http://moritz-naumann.com/adv/0003/tikiw/0003.txt.sig


PUBLISHED BY
  Moritz Naumann IT Consulting & Services
  Hamburg, Germany
  http://moritz-naumann.com/

  info AT moritz HYPHON naumann D0T com
  GPG key: http://moritz-naumann.com/keys/0x277F060C.asc


AFFECTED APPLICATION OR SERVICE
  TikiWiki
  http://tikiwiki.org/


AFFECTED VERSION
  1.9.x up to and including 1.9.2
  Possibly versions < 1.9 (untested)


BACKGROUND
  "Tikiwiki is a full featured Free Software (GNU/LGPL)
  Wiki/CMS/Groupware written in PHP and maintained by an
  active and international community of benevolent
  contributors."


ISSUE 1 (XSS)
  A XSS vulnerability has been detected in the fora code
  of TikiWiki. The problem is caused by insufficient input
  sanitation.

  The following partial URL demonstrates the issue:

[baseURL]/tiki-view_forum_thread.php?forumId=1&comments_parentId=0&topics_offset=10%22%20onmouseover='javascript:alert(document.title)%3B'%3E[PLEASE%20MOVE%20YOUR%20MOUSE%20POINTER%20HERE!]%20%3Cx%20y=%22

  Please move your mouse pointer over the input field
  which says so.


ISSUE 2 (Information Disclosure, possible SQL injection)

  The application discloses the installation path. This
  *may* also be useable to craft an SQL injection.

  The following partial URL demonstrates the issue:

[baseURL]/tiki-view_forum_thread.php?forumId=1&comments_parentId=0&topics_sort_mode=FOOBAH


WORKAROUND
  Issue 1: Disable Javascript (client) or deny access to
  TikiWiki (server).
  Issue 2: Set PHP to log errors to file only (issue 2).


SOLUTIONS
  We are not aware of a maintainer provided fix.


TIMELINE
  Oct  6, 2005: Maintainer informed
  Oct  6, 2005: First maintainer reply
  Oct 14, 2005: Request for additional information sent
    to maintainer
  [in between]: issues fixed on maintainer website
  Nov 09, 2005: Public disclosure


REFERENCES
  Issue 1: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3528
  Issue 2: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3529


ADDITIONAL CREDIT
  N/A


LICENSE
  Creative Commons Attribution-ShareAlike License Germany
  http://creativecommons.org/licenses/by-sa/2.0/de/


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDcigMn6GkvSd/BgwRAnfxAJ93CwGPU6+bGrYrYSX4AoXcWmOerACfecUN
b/XTfSxhrOl9eRV4GVBBINI=
=DMEp
-----END PGP SIGNATURE-----