Multiple security issues in TikiWiki 1.9.x Nov 09 2005 04:44PM
Moritz Naumann (securityfocus com moritz-naumann com)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SA0003

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++ Multiple security issues in TikiWiki 1.9.x +++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

PUBLISHED ON
Nov 09, 2005

PUBLISHED AT
http://moritz-naumann.com/adv/0003/tikiw/0003.txt
http://moritz-naumann.com/adv/0003/tikiw/0003.txt.sig

PUBLISHED BY
Moritz Naumann IT Consulting & Services
Hamburg, Germany
http://moritz-naumann.com/

info AT moritz HYPHON naumann D0T com
GPG key: http://moritz-naumann.com/keys/0x277F060C.asc

AFFECTED APPLICATION OR SERVICE
TikiWiki
http://tikiwiki.org/

AFFECTED VERSION
1.9.x up to and including 1.9.2
Possibly versions < 1.9 (untested)

BACKGROUND
"Tikiwiki is a full featured Free Software (GNU/LGPL)
Wiki/CMS/Groupware written in PHP and maintained by an
active and international community of benevolent
contributors."

ISSUE 1 (XSS)
A XSS vulnerability has been detected in the fora code
of TikiWiki. The problem is caused by insufficient input
sanitation.

The following partial URL demonstrates the issue:

[baseURL]/tiki-view_forum_thread.php?forumId=1&comments_parentId=0&topic
s_offset=10%22%20onmouseover='javascript:alert(document.title)%3B'%3E[PL
EASE%20MOVE%20YOUR%20MOUSE%20POINTER%20HERE!]%20%3Cx%20y=%22

Please move your mouse pointer over the input field
which says so.

ISSUE 2 (Information Disclosure, possible SQL injection)

The application discloses the installation path. This
*may* also be useable to craft an SQL injection.

The following partial URL demonstrates the issue:

[baseURL]/tiki-view_forum_thread.php?forumId=1&comments_parentId=0&topic
s_sort_mode=FOOBAH

WORKAROUND
Issue 1: Disable Javascript (client) or deny access to
TikiWiki (server).
Issue 2: Set PHP to log errors to file only (issue 2).

SOLUTIONS
We are not aware of a maintainer provided fix.

TIMELINE
Oct 6, 2005: Maintainer informed
Oct 6, 2005: First maintainer reply
Oct 14, 2005: Request for additional information sent
to maintainer
[in between]: issues fixed on maintainer website
Nov 09, 2005: Public disclosure

REFERENCES
Issue 1: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3528
Issue 2: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3529

ADDITIONAL CREDIT
N/A

LICENSE
Creative Commons Attribution-ShareAlike License Germany
http://creativecommons.org/licenses/by-sa/2.0/de/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDcieHn6GkvSd/BgwRAvmjAJ0bAOZ/wvtJ6cxo0I6qbq09kMl8MgCZAYwp
g/uC6sZOj1V9DCXo8XdOv3U=
=IJXk
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus