Tikiwiki Command Injection and Arbitrary File Exposure Vulnerabilities
13 Nov. 2005
Summary
Tikiwiki Community Portal is a full featured, freely available, Wiki/CMS/Groupware system written in PHP.
Two security vulnerabilities have recently been discovered in Tikiwiki: one allows arbitrary command injection, the other allows exposure of sensitive system files.
Vulnerable Systems:
* Tikiwiki versions 1.8.4 and 1.8.5
Immune Systems:
* Tikiwiki version 1.9.1
Tikiwiki tiki-editpage Arbitrary File Exposure Vulnerability:
Remote exploitation of an input validation vulnerability in Tikiwiki allows attackers to gain access to arbitrary files on the vulnerable system under the privileges of the underlying web-server.
The problem specifically exists in the following snippet of code from tiki-editpage.php:
    $sdta = @file_get_contents($suck_url);
    ...
    $htmlparser = new HtmlParser($sdta, $grammar, '', 0);
    $htmlparser->Parse();
No sanity checking is done on the 'suck_url' parameter before it is used as the path of a file to read and parse. Because file_get_contents() accepts local filesystem paths as well as URLs, an attacker can supply a path containing directory traversal sequences and have an arbitrary file loaded and rendered in the response.
Successful exploitation allows unauthenticated remote attackers to access arbitrary files on the vulnerable system with the privileges of the underlying web-server. If external database access is allowed, then exploitation can result in a full database compromise as the database credentials are easily exposed through this vulnerability.
Workaround:
Restrict unnecessary access to Tikiwiki with firewall filters or HTTP-based authentication. If remote database connectivity is not required, configure the underlying database server to bind to localhost only, or firewall the listening port so that it accepts connections from trusted hosts only.
Tikiwiki tiki-user_preferences Command Injection Vulnerability:
Remote exploitation of an input validation vulnerability in Tikiwiki could allow attackers to gain access to arbitrary files on the vulnerable system and to execute arbitrary code under the privileges of the underlying web-server.
The problem specifically exists in the following snippet of code from tiki-user_preferences.php:
    if (isset($_REQUEST["prefs"])) {
        ...
        if ($change_language == 'y') {
            if (isset($_REQUEST["language"])) {
                $tikilib->set_user_preference($userwatch, 'language', $_REQUEST["language"]);
No sanity checking is done on the 'language' parameter before the stored preference is used in a call to the PHP function include(). By specifying a path containing directory traversal sequences, an attacker can cause an arbitrary file to be loaded and rendered on the screen.
Exploitation could allow authenticated remote attackers to access arbitrary files on the vulnerable system with the privileges of the underlying web-server. If external database access is allowed, exploitation can result in a full database compromise since database credentials are easily exposed through this vulnerability.
Exploitation can also result in arbitrary command execution with the privileges of the underlying web server. Attackers can send requests whose URLs contain PHP script directives; the web server records these verbatim in its log files. Supplying the path of the poisoned log file as the 'language' value then causes include() to parse the log as PHP, so the planted directives are executed.
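The following is an added example, not Tikiwiki code or part of the original advisory. It illustrates, for both issues above, the two checks that would have closed them (an exact allowlist for the 'language' preference, and containment of a resolved path under a base directory for anything that ends up in file_get_contents() or include()), together with a detector that runs over web server access-log lines and flags the 'suck_url'/'language' traversal attempts and the PHP tags planted for log poisoning. It is written in Python so it runs stand-alone; Tikiwiki itself is PHP and the same principles apply there. The language allowlist, the base directory and the log lines are all constructed for the example.

```python
"""Added example, not Tikiwiki code: allowlist and path-containment checks for the
two Tikiwiki issues, plus a detector for the traversal and log-poisoning requests."""
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist for the 'language' preference; Tikiwiki's real codes live in lang/.
LANGUAGE_ALLOWLIST = {"en", "fr", "de", "es", "it"}


def safe_language(value: str) -> Optional[str]:
    """Accept only an exact allowlisted token, so the stored preference can never
    become an attacker-chosen path when it is later passed to include()."""
    return value if value in LANGUAGE_ALLOWLIST else None


def safe_local_path(base_dir: str, requested: str) -> Optional[str]:
    """Resolve a user-supplied path under base_dir and refuse anything outside it.
    Checking the resolved path (not the string) catches '..' segments, absolute
    paths (os.path.join discards base_dir for those) and symlinks alike."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None


# Combined-format access log line: ip ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
SUSPECT_PARAMS = ("suck_url", "language")   # the two parameters named in the advisory
PHP_TAG_RE = re.compile(r"<\?(php|=)?", re.IGNORECASE)


def looks_like_path_abuse(decoded: str) -> bool:
    """Traversal, absolute path, null-byte truncation or a PHP stream wrapper."""
    return ("../" in decoded or "..\\" in decoded or decoded.startswith("/")
            or "\x00" in decoded or decoded.lower().startswith("php://"))


def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (ip, kind, detail) for requests that abuse suck_url/language or that
    plant PHP tags in the request line (the log-poisoning step described above)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target = m.group("ip"), m.group("target")
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)  # percent-decodes
        for name in SUSPECT_PARAMS:
            for value in params.get(name, []):
                if looks_like_path_abuse(value):
                    findings.append((ip, f"{name}_traversal", value))
        if PHP_TAG_RE.search(target):
            findings.append((ip, "php_tag_in_request", target))
    return findings


# Constructed sample log lines (not from a real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Nov/2005:10:00:01 +0000] "GET /tiki/tiki-editpage.php?page=HomePage HTTP/1.1" 200 5123',
    '10.0.0.9 - - [13/Nov/2005:10:00:02 +0000] "GET /tiki/tiki-editpage.php?suck_url=../../../../etc/passwd HTTP/1.1" 200 2048',
    '10.0.0.9 - - [13/Nov/2005:10:00:03 +0000] "GET /tiki/tiki-user_preferences.php?prefs=1&language=%2e%2e%2f%2e%2e%2fvar%2flog%2fapache%2faccess.log%00 HTTP/1.1" 302 0',
    '10.0.0.9 - - [13/Nov/2005:10:00:04 +0000] "GET /tiki/index.php?x=<?php%20system($_GET[c]);%20?> HTTP/1.1" 404 212',
    '10.0.0.7 - - [13/Nov/2005:10:00:05 +0000] "GET /tiki/tiki-user_preferences.php?prefs=1&language=fr HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    print(safe_language("fr"), safe_language("../../var/log/apache/access.log"))
    print(safe_local_path("/var/www/tiki", "templates/page.tpl"),
          safe_local_path("/var/www/tiki", "../../../../etc/passwd"))
```

The detector decodes query parameters before inspecting them, so percent-encoded traversal and an appended %00 are caught just as the plain form is, while the PHP-tag check runs on the raw request line because that is exactly what ends up in the log file that include() would later parse. Note that the legitimate 'language=fr' request in the sample produces no finding.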
Workaround:
Restrict anonymous access to Tikiwiki. If remote database connectivity is not required, configure the underlying database server to bind to localhost only, or firewall the listening port so that it accepts connections from trusted hosts only. Deny the web-server user read access to the web server log files.