[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4372280C.6000104@moritz-naumann.com>
Date: Wed Nov 9 16:47:17 2005
From: security at moritz-naumann.com (Moritz Naumann)
Subject: Multiple security issues in TikiWiki 1.9.x
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SA0003
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++ Multiple security issues in TikiWiki 1.9.x +++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
PUBLISHED ON
Nov 09, 2005
PUBLISHED AT
http://moritz-naumann.com/adv/0003/tikiw/0003.txt
http://moritz-naumann.com/adv/0003/tikiw/0003.txt.sig
PUBLISHED BY
Moritz Naumann IT Consulting & Services
Hamburg, Germany
http://moritz-naumann.com/
info AT moritz HYPHON naumann D0T com
GPG key: http://moritz-naumann.com/keys/0x277F060C.asc
AFFECTED APPLICATION OR SERVICE
TikiWiki
http://tikiwiki.org/
AFFECTED VERSION
1.9.x up to and including 1.9.2
Possibly versions < 1.9 (untested)
BACKGROUND
"Tikiwiki is a full featured Free Software (GNU/LGPL)
Wiki/CMS/Groupware written in PHP and maintained by an
active and international community of benevolent
contributors."
ISSUE 1 (XSS)
A XSS vulnerability has been detected in the fora code
of TikiWiki. The problem is caused by insufficient input
sanitation.
The following partial URL demonstrates the issue:
[baseURL]/tiki-view_forum_thread.php?forumId=1&comments_parentId=0&topics_offset=10%22%20onmouseover='javascript:alert(document.title)%3B'%3E[PLEASE%20MOVE%20YOUR%20MOUSE%20POINTER%20HERE!]%20%3Cx%20y=%22
Please move your mouse pointer over the input field
which says so.
ISSUE 2 (Information Disclosure, possible SQL injection)
The application discloses the installation path. This
*may* also be useable to craft an SQL injection.
The following partial URL demonstrates the issue:
[baseURL]/tiki-view_forum_thread.php?forumId=1&comments_parentId=0&topics_sort_mode=FOOBAH
WORKAROUND
Issue 1: Disable Javascript (client) or deny access to
TikiWiki (server).
Issue 2: Set PHP to log errors to file only (issue 2).
SOLUTIONS
We are not aware of a maintainer provided fix.
TIMELINE
Oct 6, 2005: Maintainer informed
Oct 6, 2005: First maintainer reply
Oct 14, 2005: Request for additional information sent
to maintainer
[in between]: issues fixed on maintainer website
Nov 09, 2005: Public disclosure
REFERENCES
Issue 1: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3528
Issue 2: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3529
ADDITIONAL CREDIT
N/A
LICENSE
Creative Commons Attribution-ShareAlike License Germany
http://creativecommons.org/licenses/by-sa/2.0/de/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFDcigMn6GkvSd/BgwRAnfxAJ93CwGPU6+bGrYrYSX4AoXcWmOerACfecUN
b/XTfSxhrOl9eRV4GVBBINI=
=DMEp
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists