[CVE-2012-0911] Tiki Wiki CMS Groupware <= 8.3 "unserialize()" PHP Code Execution
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: [CVE-2012-0911] Tiki Wiki CMS Groupware <= 8.3 "unserialize()" PHP Code Execution
- From: n0b0d13s@xxxxxxxxx
- Date: Wed, 4 Jul 2012 13:26:20 GMT
-----------------------------------------------------------------
Tiki Wiki CMS Groupware <= 8.3 "unserialize()" PHP Code Execution
-----------------------------------------------------------------
author...........: Egidio Romano aka EgiX
mail.............: n0b0d13s[at]gmail[dot]com
software link....: http://info.tiki.org/
[-] Vulnerable code in different locations:
lib/banners/bannerlib.php:28: $views = unserialize($_COOKIE[$cookieName]);
lib/banners/bannerlib.php:136: $views = unserialize($_COOKIE[$cookieName]);
tiki-print_multi_pages.php:19: $printpages = unserialize(urldecode($_REQUEST['printpages']));
tiki-print_multi_pages.php:24: $printstructures = unserialize(urldecode($_REQUEST['printstructures']));
tiki-print_pages.php:31: $printpages = unserialize(urldecode($_REQUEST["printpages"]));
tiki-print_pages.php:32: $printstructures = unserialize(urldecode($_REQUEST['printstructures']));
tiki-send_objects.php:42: $sendpages = unserialize(urldecode($_REQUEST['sendpages']));
tiki-send_objects.php:48: $sendstructures = unserialize(urldecode($_REQUEST['sendstructures']));
tiki-send_objects.php:54: $sendarticles = unserialize(urldecode($_REQUEST['sendarticles']));
The vulnerability is caused by all of these scripts calling "unserialize()"
on user-controlled input (cookie values and request parameters).
Because unserialize() instantiates whatever classes the payload names and
runs their magic methods, this can lead to execution of arbitrary PHP code
by passing an ad-hoc serialized Zend Framework object.
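Added example (not Tiki's code): the bannerlib.php pattern above beside a hardened replacement that fails closed on object payloads and validates the decoded shape. $cookieName and $views follow the advisory; reject_objects() and the two loader function names are assumed names for this illustration.

```php
<?php
// Added example, not Tiki's code. $cookieName and $views follow the advisory;
// reject_objects() and the loader names are hypothetical.

// Vulnerable pattern (bannerlib.php): the cookie is attacker-controlled and
// unserialize() instantiates whatever classes the payload names, running
// their __wakeup()/__destruct() methods. Nothing here checks the input.
function load_views_vulnerable($cookieName)
{
    $views = unserialize($_COOKIE[$cookieName]);
    return is_array($views) ? $views : array();
}

// Coarse fail-closed check usable on PHP 5.x, where unserialize() has no
// allowed_classes option: refuse any payload carrying an object token.
// It may reject a legitimate string that happens to contain the token,
// which is the safe direction to fail in.
function reject_objects($raw)
{
    return preg_match('/[OC]:\d+:"/', $raw) === 1;
}

// Hardened: fail closed on missing or object-bearing input, disable class
// instantiation where the runtime supports it, and validate the shape of
// the result instead of trusting it.
function load_views_hardened($cookieName)
{
    if (!isset($_COOKIE[$cookieName]) || reject_objects($_COOKIE[$cookieName])) {
        return array();
    }
    $raw = $_COOKIE[$cookieName];
    if (PHP_VERSION_ID >= 70000) {
        // PHP >= 7.0: objects become __PHP_Incomplete_Class, no magic methods run.
        $views = @unserialize($raw, array('allowed_classes' => false));
    } else {
        $views = @unserialize($raw);
    }
    if (!is_array($views)) {
        return array();
    }
    // Accept only a flat map of integer banner id => non-negative view count.
    $clean = array();
    foreach ($views as $bannerId => $count) {
        if (is_int($bannerId) && is_int($count) && $count >= 0) {
            $clean[$bannerId] = $count;
        }
    }
    return $clean;
}
```

For data that only ever needs arrays and scalars, as here, replacing unserialize() with json_decode($raw, true) removes the object-instantiation path altogether.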
[-] Full path disclosure at:
http://[host]/[path]/admin/include_calendar.php
http://[host]/[path]/tiki-rss_error.php
http://[host]/[path]/tiki-watershed_service.php
[-] Disclosure timeline:
[11/01/2012] - Vulnerability discovered
[14/01/2012] - Issue reported to security(at)tikiwiki.org
[14/01/2012] - New ticket opened: http://dev.tiki.org/item4109
[23/01/2012] - CVE number requested
[23/01/2012] - Assigned CVE-2012-0911
[01/05/2012] - Version 8.4 released: http://info.tiki.org/article191-Tiki-Releases-8-4
[04/07/2012] - Public disclosure
[-] Proof of concept:
http://www.exploit-db.com/exploits/19573/