=============================================
INTERNET SECURITY AUDITORS ALERT 2007-006
Tikiwiki CMS is vulnerable to path traversal attack
Tikiwiki (Tiki) is a Free Software (LGPL) Content Management System
solution that unifies many features like wikis, forums, blogs,
articles, galleries, mapserver, link directory.
This software is massively used in the World Wide Web, and has been
audited by the security community for years.
It is possible to get the first 1000 bytes from an arbitrary file
trough the tiki-listmovies.php script.
This script sets the movie parameter value into $movie. The last 4
bytes are erased and an .xml extension is appended. Then, the file is
opened for reading with the call fopen($confFile,'r') and the first
1000 bytes are read from the file. Then the 1000 bytes are parsed and
used as the values for MovieWidth and MovieHeight HTML tags. Finally
the resulting HTML file is returned to the user by the webserver.
The vulnerable snippet of code is:
if(isset($_GET["movie"])) {
$movie = $_GET["movie"];
…
if ($movie) {
// Initialize movie size
$confFile = 'tikimovies/'.substr($movie,0,-4).".xml";
//trc('confFile', $confFile);
$fh = @fopen($confFile,'r');
$config = @fread($fh, 1000);
@fclose($fh);
if (isset($config) && $config <>'') {
$width =
preg_replace("/^.?<MovieWidth>(.?)<\/MovieWidth>.$/ms", "$1", $config);
$height =
preg_replace("/^.?<MovieHeight>(.?)<\/MovieHeight>.$/ms", "$1",
$config);
$smarty->assign('movieWidth',$width);
$smarty->assign('movieHeight',$height);
}
}
The avoidable controls that permit exploiting the flaw are:
The resulting evil string to access the file looks like this:
…/…/…/…/…/…/etc/passwd%001234
http://www.victym.com/tiki-listmovies.php?movie=../../../../../../etc/passwd%001234
The confidentiality is directly broken, and getting config files the
attacker probably access to the system to break integrity.
All versions of tikiwiki are affected up to 1.9.9.
Update to version 1.9.9 or patch.
This vulnerability has been discovered and reported
by Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com).
December 18, 2007: Initial release.
December 24, 2007: Published. Happy 2008!
December 18, 2007: Vulnerability acquired by
Internet Security Auditors (www.isecauditors.com)
December 18, 2007: Development team is contacted. Patch coming.
December 22, 2007: New version of Tikiwiki CMS published.
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors, S.L. accepts no responsibility for any
damage caused by the use or misuse of this information.