
[CVE-2012-0911] Tiki Wiki CMS Groupware <= 8.3 "unserialize()" PHP Code Execution



 -----------------------------------------------------------------
 Tiki Wiki CMS Groupware <= 8.3 "unserialize()" PHP Code Execution
 -----------------------------------------------------------------
  
 author...........: Egidio Romano aka EgiX
 mail.............: n0b0d13s[at]gmail[dot]com
 software link....: http://info.tiki.org/
  
 
 [-] Vulnerable code in different locations:
  
 lib/banners/bannerlib.php:28:                   $views = unserialize($_COOKIE[$cookieName]);
 lib/banners/bannerlib.php:136:                  $views = unserialize($_COOKIE[$cookieName]);
 tiki-print_multi_pages.php:19:          $printpages = unserialize(urldecode($_REQUEST['printpages']));
 tiki-print_multi_pages.php:24:          $printstructures = unserialize(urldecode($_REQUEST['printstructures']));
 tiki-print_pages.php:31:        $printpages = unserialize(urldecode($_REQUEST["printpages"]));
 tiki-print_pages.php:32:        $printstructures = unserialize(urldecode($_REQUEST['printstructures']));
 tiki-send_objects.php:42:       $sendpages = unserialize(urldecode($_REQUEST['sendpages']));
 tiki-send_objects.php:48:       $sendstructures = unserialize(urldecode($_REQUEST['sendstructures']));
 tiki-send_objects.php:54:       $sendarticles = unserialize(urldecode($_REQUEST['sendarticles']));
 
 The vulnerability is caused by all these scripts calling "unserialize()" on user-controlled input.
 This can lead to execution of arbitrary PHP code by passing an ad-hoc Zend Framework serialized object.

 
 [-] Full path disclosure at:
  
 http://[host]/[path]/admin/include_calendar.php
 http://[host]/[path]/tiki-rss_error.php
 http://[host]/[path]/tiki-watershed_service.php
 
 
 [-] Disclosure timeline:
  
 [11/01/2012] - Vulnerability discovered
 [14/01/2012] - Issue reported to security(at)tikiwiki.org
 [14/01/2012] - New ticket opened: http://dev.tiki.org/item4109
 [23/01/2012] - CVE number requested
 [23/01/2012] - Assigned CVE-2012-0911
 [01/05/2012] - Version 8.4 released: http://info.tiki.org/article191-Tiki-Releases-8-4
 [04/07/2012] - Public disclosure
 
 
 [-] Proof of concept:
 
 http://www.exploit-db.com/exploits/19573/
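
 For auditing a PHP code base for the pattern listed under "Vulnerable code in different locations", the following is an added example (not part of the original advisory and not Tiki code). It reads "grep -n" style lines in the same path:line:code layout as that list and reports every unserialize() call whose argument contains a request superglobal. The lib/example.php lines, the SOURCES list and the function names are assumptions made for the illustration; input that reaches unserialize() through an intermediate variable is not tracked.

```python
import re

# User-controlled PHP superglobals treated as taint sources (assumed list).
SOURCES = ("$_COOKIE", "$_REQUEST", "$_GET", "$_POST")
# Match the builtin only, not ->unserialize(), ::unserialize() or foo_unserialize().
CALL = re.compile(r"(?<![\w>:$])unserialize\s*\(")

def call_args(code, start):
    """Return the argument text of a call whose '(' sits just before `start`."""
    depth, i = 1, start
    while i < len(code) and depth:
        depth += {"(": 1, ")": -1}.get(code[i], 0)
        i += 1
    return code[start:i - 1] if depth == 0 else code[start:]

def audit(grep_lines):
    """Return (file, line_no, source) for each unserialize() fed by a superglobal."""
    findings = []
    for raw in grep_lines:
        path, line_no, code = raw.split(":", 2)
        for m in CALL.finditer(code):
            args = call_args(code, m.end())
            # PHP >= 7.0 can refuse to instantiate objects during unserialize();
            # this audit treats such calls as mitigated (assumption).
            if re.search(r"allowed_classes['\"]\s*=>\s*false", args):
                continue
            hit = next((s for s in SOURCES if s in args), None)
            if hit:
                findings.append((path, int(line_no), hit))
    return findings

# Sample input: the first two lines are taken from the advisory's list,
# the lib/example.php lines are constructed for this example.
SAMPLE = [
    "lib/banners/bannerlib.php:28:\t$views = unserialize($_COOKIE[$cookieName]);",
    "tiki-send_objects.php:42:\t$sendpages = unserialize(urldecode($_REQUEST['sendpages']));",
    "lib/example.php:10:\t$cfg = unserialize(file_get_contents($cacheFile));",
    "lib/example.php:20:\t$v = unserialize($_COOKIE[$n], ['allowed_classes' => false]);",
]

if __name__ == "__main__":
    for path, line_no, source in audit(SAMPLE):
        print(f"{path}:{line_no}: unserialize() on {source}")
```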