Message-Id: <201207041326.q64DQKDU021425@sf01web2.securityfocus.com>
Date: Wed, 4 Jul 2012 13:26:20 GMT
From: n0b0d13s@...il.com
To: bugtraq@...urityfocus.com
Subject: [CVE-2012-0911] Tiki Wiki CMS Groupware <= 8.3 "unserialize()"
 PHP Code Execution

 -----------------------------------------------------------------
 Tiki Wiki CMS Groupware <= 8.3 "unserialize()" PHP Code Execution
 -----------------------------------------------------------------
  
 author...........: Egidio Romano aka EgiX
 mail.............: n0b0d13s[at]gmail[dot]com
 software link....: http://info.tiki.org/
  
 
 [-] Vulnerable code in different locations:
  
 lib/banners/bannerlib.php:28:                   $views = unserialize($_COOKIE[$cookieName]);
 lib/banners/bannerlib.php:136:                  $views = unserialize($_COOKIE[$cookieName]);
 tiki-print_multi_pages.php:19:          $printpages = unserialize(urldecode($_REQUEST['printpages']));
 tiki-print_multi_pages.php:24:          $printstructures = unserialize(urldecode($_REQUEST['printstructures']));
 tiki-print_pages.php:31:        $printpages = unserialize(urldecode($_REQUEST["printpages"]));
 tiki-print_pages.php:32:        $printstructures = unserialize(urldecode($_REQUEST['printstructures']));
 tiki-send_objects.php:42:       $sendpages = unserialize(urldecode($_REQUEST['sendpages']));
 tiki-send_objects.php:48:       $sendstructures = unserialize(urldecode($_REQUEST['sendstructures']));
 tiki-send_objects.php:54:       $sendarticles = unserialize(urldecode($_REQUEST['sendarticles']));
 
 The vulnerability is caused by all these scripts calling "unserialize()" on user-controlled input.
 This can lead to execution of arbitrary PHP code by passing an ad-hoc serialized Zend Framework object.

 
 [-] Full path disclosure at:
  
 http://[host]/[path]/admin/include_calendar.php
 http://[host]/[path]/tiki-rss_error.php
 http://[host]/[path]/tiki-watershed_service.php
 
 
 [-] Disclosure timeline:
  
 [11/01/2012] - Vulnerability discovered
 [14/01/2012] - Issue reported to security(at)tikiwiki.org
 [14/01/2012] - New ticket opened: http://dev.tiki.org/item4109
 [23/01/2012] - CVE number requested
 [23/01/2012] - Assigned CVE-2012-0911
 [01/05/2012] - Version 8.4 released: http://info.tiki.org/article191-Tiki-Releases-8-4
 [04/07/2012] - Public disclosure
 
 
 [-] Proof of concept:
 
 http://www.exploit-db.com/exploits/19573/
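
A hardened way to decode a parameter such as "printpages", as an added example that is not part of the original advisory and is not the fix shipped in Tiki 8.4. It assumes PHP 7.0 or later (for the `allowed_classes` option); `decode_page_list` and `Probe` are hypothetical names and the inputs are constructed.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for any application class with a magic method.
// It only counts how often its destructor ran.
final class Probe
{
    public static $destructed = 0;
    public function __destruct() { self::$destructed++; }
}

/**
 * Hypothetical helper: decode a request parameter such as "printpages"
 * into a flat list of page names, never into live objects.
 */
function decode_page_list(string $raw): array
{
    // allowed_classes => false maps every serialized object to
    // __PHP_Incomplete_Class, so no application class is instantiated
    // and none of its __wakeup()/__destruct() methods can run.
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($value)) {
        return []; // malformed input or a non-array top-level value
    }
    $pages = [];
    foreach ($value as $item) {
        // Keep plain, bounded strings only; drop nested arrays and objects.
        if (is_string($item) && $item !== '' && strlen($item) <= 255) {
            $pages[] = $item;
        }
    }
    return $pages;
}

// Constructed inputs: a normal list, and a list that smuggles in an object.
$benign     = 'a:2:{i:0;s:8:"HomePage";i:1;s:9:"UserGuide";}';
$withObject = 'a:2:{i:0;s:8:"HomePage";i:1;O:5:"Probe":0:{}}';

var_dump(decode_page_list($benign));
var_dump(decode_page_list($withObject));
var_dump(Probe::$destructed); // counts Probe destructor calls triggered by decoding
```

Where the data format is under the application's control, exchanging these lists as JSON and parsing them with `json_decode()` avoids `unserialize()` on request data altogether.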
