Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 195503 - www-apps/tikiwiki < 1.9.8.3 Remote command injection vulnerability (CVE-2007-{5423,5682,5683,5684})
Summary: www-apps/tikiwiki < 1.9.8.3 Remote command injection vulnerability (CVE-2007-...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major
Assignee: Gentoo Security
URL: http://secunia.com/advisories/27190/
Whiteboard: B1 [glsa]
Keywords:
: 196329 (view as bug list)
Depends on:
Blocks:
 
Reported: 2007-10-11 14:13 UTC by Carsten Lohrke (RETIRED)
Modified: 2007-11-14 22:02 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Carsten Lohrke (RETIRED) gentoo-dev 2007-10-11 14:13:51 UTC
Insufficient param handling in tiki-graph_formula.php.

Exploit: http://milw0rm.com/exploits/4509
Comment 1 Gunnar Wrobel (RETIRED) gentoo-dev 2007-10-12 12:36:33 UTC
1.9.8.1 is in the tree.

target: ppc stable

Comment 2 Tobias Scherbaum (RETIRED) gentoo-dev 2007-10-12 16:04:47 UTC
ppc stable
Comment 3 Gunnar Wrobel (RETIRED) gentoo-dev 2007-10-13 08:06:46 UTC
thanks tobias. removed insecure version. webapps is done here.
Comment 4 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-10-13 13:09:39 UTC
glsa request filed.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2007-10-17 22:00:41 UTC
Tobias, seems you forgot to actually add the ppc keywords:

  12 Oct 2007; Tobias Scherbaum <dertobi123@gentoo.org> ChangeLog:
  ppc stable, bug #195503

Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2007-10-18 16:44:02 UTC
(In reply to comment #5)
> Tobias, seems you forgot to actually add the ppc keywords:
> 
>   12 Oct 2007; Tobias Scherbaum <dertobi123@gentoo.org> ChangeLog:
>   ppc stable, bug #195503
> 

oopsie ;) now for real: ppc stable
Comment 7 Jakub Moc (RETIRED) gentoo-dev 2007-10-18 21:20:16 UTC
*** Bug 196329 has been marked as a duplicate of this bug. ***
Comment 8 Aardpig 2007-10-19 16:06:39 UTC
Perhaps the GLSA request should be filed again. My server was rooted due to this vuln. Not happy.
Comment 9 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-10-20 20:51:18 UTC
GLSA 200710-21 is out.

Hint: never use risky web-apps unless in an isolated environment like chroot or virtual machines.
Comment 10 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-10-26 12:26:25 UTC
Hi,

Stefen Esser warned tikiwiki upstream that they haven't totally fixed CVE-2007-5423 impact.

Patch is here:
http://tikiwiki.cvs.sourceforge.net/tikiwiki/tiki/tiki-graph_formula.php?r1=1.5&r2=1.6

Announcement is here:
http://info.tikiwiki.org/tiki-read_article.php?articleId=15

web-app could you have a look, please?
Comment 11 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-10-26 12:31:00 UTC
And it seems that more security issues were fixed in 1.9.8.2, i have no other info.
Comment 12 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-10-26 12:36:35 UTC
+2007-10-23 01:18  mose 
+       * tiki-imexport_languages.php: [FIX] security: added tests to the 
+         language filename var to avoid arbitrary inclusion 
+ 

-> file inclusion

+2007-10-23 01:08  mose 
+       * db/tiki-db.php: [FIX] security: added some checks on local.php 
+         file to avoid arbitrary inclusion 

-> file inclusion

+ 
+2007-10-23 00:58  mose 
+       * lib/tikilib.php: [FIX] wiki images: added a test to avoid js 
+         comes into img src 

-> XSS

+ 

+2007-10-23 00:46  mose 
+       * templates/tiki-remind_password.tpl: [FIX] security: escape error 
+         message in remind_password to avoid possible abuse 
+ 

-> disclosure of information

+ Stefan Esser's fix (code injection), without ChangeLog entry.
Comment 13 Gunnar Wrobel (RETIRED) gentoo-dev 2007-10-26 12:55:04 UTC
1.9.8.2 is in the tree.

Targets: ppc
Comment 14 Tobias Scherbaum (RETIRED) gentoo-dev 2007-10-27 11:21:19 UTC
one again: ppc stable
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2007-10-27 13:39:39 UTC
filed.
Comment 16 Aurélien Requiem 2007-10-27 13:58:09 UTC
The release should be upgraded to 1.9.8.3 as it correct a bug introduced in 1.9.8.2
Comment 17 Robert Buchholz (RETIRED) gentoo-dev 2007-10-27 16:54:06 UTC
(In reply to comment #16)
> The release should be upgraded to 1.9.8.3 as it correct a bug introduced in
> 1.9.8.2

Gunnar, your call.
Comment 18 Tobias Scherbaum (RETIRED) gentoo-dev 2007-10-27 17:59:52 UTC
(In reply to comment #17)
> (In reply to comment #16)
> > The release should be upgraded to 1.9.8.3 as it correct a bug introduced in
> > 1.9.8.2
> 
> Gunnar, your call.
> 

*sigh* ... what about just dropping the ppc stable keyword?
Comment 19 Gunnar Wrobel (RETIRED) gentoo-dev 2007-10-28 15:50:24 UTC
1.9.8.3 in the tree.

Traget: ppc - you may of course also decide to drop the keyword ;) ... I don't consider tikiwiki a particularly well crafted piece of software
Comment 20 Tobias Scherbaum (RETIRED) gentoo-dev 2007-10-30 19:22:37 UTC
whatever, once again: ppc stable - next time i'll drop the stable-keyword.
Comment 21 Gunnar Wrobel (RETIRED) gentoo-dev 2007-10-31 04:51:23 UTC
Thanks, removed insecure versions. webapps done
Comment 22 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-14 22:02:01 UTC
GlSA 200711-19