Bug 112044 - www-apps/tikiwiki Multiple issues (CVE-2005-352{8|9})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://www.securityfocus.com/archive/...
Whiteboard: A4? [noglsa]
Reported: 2005-11-09 22:47 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2005-11-27 10:28 UTC (History)

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-09 22:47:16 UTC
-----BEGIN PGP SIGNED MESSAGE----- 
 Hash: SHA1 
  
 SA0003 
  
 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
 +++++ Multiple security issues in TikiWiki 1.9.x +++++ 
 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
  
 PUBLISHED ON 
 Nov 09, 2005 
  
 PUBLISHED AT 
 http://moritz-naumann.com/adv/0003/tikiw/0003.txt 
 http://moritz-naumann.com/adv/0003/tikiw/0003.txt.sig 
  
 PUBLISHED BY 
 Moritz Naumann IT Consulting & Services 
 Hamburg, Germany 
 http://moritz-naumann.com/ 
  
 info AT moritz HYPHON naumann D0T com 
 GPG key: http://moritz-naumann.com/keys/0x277F060C.asc 
  
 AFFECTED APPLICATION OR SERVICE 
 TikiWiki 
 http://tikiwiki.org/ 
  
 AFFECTED VERSION 
 1.9.x up to and including 1.9.2 
 Possibly versions < 1.9 (untested) 
  
 BACKGROUND 
 "Tikiwiki is a full featured Free Software (GNU/LGPL) 
 Wiki/CMS/Groupware written in PHP and maintained by an 
 active and international community of benevolent 
 contributors." 
  
 ISSUE 1 (XSS) 
 An XSS vulnerability has been detected in the fora code 
 of TikiWiki. The problem is caused by insufficient input 
 sanitization. 
  
 The following partial URL demonstrates the issue: 
  
 [baseURL]/tiki-view_forum_thread.php?forumId=1&comments_parentId=0&topics_offset=10%22%20onmouseover='javascript:alert(document.title)%3B'%3E[PLEASE%20MOVE%20YOUR%20MOUSE%20POINTER%20HERE!]%20%3Cx%20y=%22 
  
 Please move your mouse pointer over the input field 
 which says so. 
  
 ISSUE 2 (Information Disclosure, possible SQL injection) 
  
 The application discloses the installation path. This 
 *may* also be usable to craft an SQL injection. 
  
 The following partial URL demonstrates the issue: 
  
 [baseURL]/tiki-view_forum_thread.php?forumId=1&comments_parentId=0&topics_sort_mode=FOOBAH 
  
 WORKAROUND 
 Issue 1: Disable Javascript (client) or deny access to 
 TikiWiki (server). 
 Issue 2: Set PHP to log errors to file only (issue 2). 
  
 SOLUTIONS 
 We are not aware of a maintainer provided fix. 
  
 TIMELINE 
 Oct 6, 2005: Maintainer informed 
 Oct 6, 2005: First maintainer reply 
 Oct 14, 2005: Request for additional information sent 
 to maintainer 
 [in between]: issues fixed on maintainer website 
 Nov 09, 2005: Public disclosure 
  
 REFERENCES 
 Issue 1: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3528 
 Issue 2: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3529 
  
 ADDITIONAL CREDIT 
 N/A 
  
 LICENSE 
 Creative Commons Attribution-ShareAlike License Germany 
 http://creativecommons.org/licenses/by-sa/2.0/de/ 
 -----BEGIN PGP SIGNATURE----- 
 Version: GnuPG v1.4.1 (GNU/Linux) 
  
 iD8DBQFDcieHn6GkvSd/BgwRAvmjAJ0bAOZ/wvtJ6cxo0I6qbq09kMl8MgCZAYwp 
 g/uC6sZOj1V9DCXo8XdOv3U= 
 =IJXk 
 -----END PGP SIGNATURE-----
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-11-10 02:07:39 UTC
Oh no, not again. To be confirmed...
Comment 2 Stuart Herbert (RETIRED) gentoo-dev 2005-11-20 01:49:10 UTC
I've had no success in reproducing either of these problems locally.  Any
further information on these?

Best regards,
Stu
Comment 3 Renat Lumpau (RETIRED) gentoo-dev 2005-11-27 07:29:26 UTC
Here's what I got in #tikiwiki:

15:01 < mose> this is fixed in 1.9.2
15:01 < mose> that advisory is not correct
15:01 < mose> topics_offset is now sanitized in tiki-setup_base.php
15:02 < mose> to match to an int
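As an added, defender-side example (not TikiWiki's own code and not from the advisory's author), the following PHP shows the two controls this thread points at: the integer match for topics_offset that comment 3 describes, and a fixed allowlist for topics_sort_mode so that an unexpected value such as the advisory's FOOBAH never reaches a query whose failure could print the installation path in a PHP error. The parameter names come from the advisory; the allowlist values, the function names and the sample requests are assumptions constructed for this example.

```php
<?php
// Added example, not TikiWiki code. Assumed context: a script that
// reads topics_offset and topics_sort_mode from $_GET and reflects the
// offset into a form field.
declare(strict_types=1);

// Comment 3 says topics_offset is now matched to an int in
// tiki-setup_base.php. Same idea here: accept only a short run of digits,
// reject anything carrying quotes or markup, and never go negative.
function sanitize_offset($raw, int $default = 0): int
{
    if (!is_string($raw) && !is_int($raw)) {
        return $default;            // arrays, null, objects: not an offset
    }
    if (!preg_match('/^-?\d{1,9}\z/', (string) $raw)) {
        return $default;            // e.g. '10"' from the advisory's URL
    }
    return max(0, (int) $raw);
}

// Assumed allowlist (the real column names are not on the bug page).
// Unknown values fall back to a default instead of reaching the SQL
// layer, so a failed query cannot leak the install path via an error.
const SORT_MODES = ['commentDate_desc', 'commentDate_asc', 'title_asc', 'title_desc'];

function sanitize_sort_mode($raw, string $default = 'commentDate_desc'): string
{
    return (is_string($raw) && in_array($raw, SORT_MODES, true)) ? $raw : $default;
}

// Output encoding is still applied even though the value is an int:
// validation and encoding are separate layers.
function render_offset_field(int $offset): string
{
    return '<input type="hidden" name="topics_offset" value="'
        . htmlspecialchars((string) $offset, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '">';
}

// The advisory's workaround for issue 2: keep errors out of the response
// and in a log file only (standard php.ini directives).
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Constructed sample requests, not captured traffic.
$samples = [
    ['topics_offset' => '10',       'topics_sort_mode' => 'title_asc'],
    ['topics_offset' => '10"',      'topics_sort_mode' => 'FOOBAH'],
    ['topics_offset' => ['nested'], 'topics_sort_mode' => null],
];

foreach ($samples as $get) {
    $offset = sanitize_offset($get['topics_offset'] ?? null);
    $mode   = sanitize_sort_mode($get['topics_sort_mode'] ?? null);
    echo "offset={$offset} sort_mode={$mode}\n";
    echo render_offset_field($offset), "\n";
}
```

The second and third sample requests both collapse to offset 0 and the default sort mode; the first passes through unchanged. Rejecting rather than stripping (no attempt to "clean" the quote out of the value) is what makes the integer check a complete fix for the reflected parameter.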
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-27 09:52:55 UTC
Thx Renat. Is the advisory completely wrong or is it just fixed in the latest 
version (closing either as FIXED or INVALID)? 
Comment 5 Renat Lumpau (RETIRED) gentoo-dev 2005-11-27 10:20:07 UTC
I believe this means it was fixed in 1.9.2
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-11-27 10:28:43 UTC
Then it's fixed.