Multiple security issues in TikiWiki 1.9.x

Advisory Content :

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SA0003

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++ Multiple security issues in TikiWiki 1.9.x +++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

PUBLISHED ON
Nov 09, 2005

PUBLISHED AT
http://moritz-naumann.com/adv/0003/tikiw/0003.txt
http://moritz-naumann.com/adv/0003/tikiw/0003.txt.sig

PUBLISHED BY
Moritz Naumann IT Consulting & Services
Hamburg, Germany
http://moritz-naumann.com/

info AT moritz HYPHON naumann D0T com
GPG key: http://moritz-naumann.com/keys/0x277F060C.asc

AFFECTED APPLICATION OR SERVICE
TikiWiki
http://tikiwiki.org/

AFFECTED VERSION
1.9.x up to and including 1.9.2
Possibly versions < 1.9 (untested)

BACKGROUND
"Tikiwiki is a full featured Free Software (GNU/LGPL)
Wiki/CMS/Groupware written in PHP and maintained by an
active and international community of benevolent
contributors."

ISSUE 1 (XSS)
A XSS vulnerability has been detected in the fora code
of TikiWiki. The problem is caused by insufficient input
sanitation.

The following partial URL demonstrates the issue:

[baseURL]/tiki-view_forum_thread.php?forumId=1&comments_parentId=0&topic
s_offset=10%22%20onmouseover='javascript:alert(document.title)%3B'%3E[PL
EASE%20MOVE%20YOUR%20MOUSE%20POINTER%20HERE!]%20%3Cx%20y=%22

Please move your mouse pointer over the input field
which says so.

ISSUE 2 (Information Disclosure, possible SQL injection)

The application discloses the installation path. This
*may* also be useable to craft an SQL injection.

The following partial URL demonstrates the issue:

[baseURL]/tiki-view_forum_thread.php?forumId=1&comments_parentId=0&topic
s_sort_mode=FOOBAH

WORKAROUND
Issue 1: Disable Javascript (client) or deny access to
TikiWiki (server).
Issue 2: Set PHP to log errors to file only (issue 2).

SOLUTIONS
We are not aware of a maintainer provided fix.

TIMELINE
Oct 6, 2005: Maintainer informed
Oct 6, 2005: First maintainer reply
Oct 14, 2005: Request for additional information sent
to maintainer
[in between]: issues fixed on maintainer website
Nov 09, 2005: Public disclosure

REFERENCES
Issue 1: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3528
Issue 2: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3529

ADDITIONAL CREDIT
N/A

LICENSE
Creative Commons Attribution-ShareAlike License Germany
http://creativecommons.org/licenses/by-sa/2.0/de/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDcieHn6GkvSd/BgwRAvmjAJ0bAOZ/wvtJ6cxo0I6qbq09kMl8MgCZAYwp
g/uC6sZOj1V9DCXo8XdOv3U=
=IJXk
-----END PGP SIGNATURE-----

Security

IT News

Search

SecurityAlert Database

About SecurityAlert

ExploitAlert Database

SecurityReason Research

WLB Database

Send to WLB

About WLB

Security Audit

Schedule

Prices of services

Contact

SecurityReason IT News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP

Contact

About SecurityReason

Multiple security issues in TikiWiki 1.9.x