Bug 396205 - www-apps/tikiwiki Remote PHP Code Injection
Summary: www-apps/tikiwiki Remote PHP Code Injection
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
: Normal trivial
Assignee: Gentoo Security
URL: http://securityreason.com/securityale...
Whiteboard: ~1 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-12-27 13:57 UTC by Tomasz Sałaciński
Modified: 2012-02-13 19:32 UTC

See Also:
Package list:
Runtime testing required: ---



Description Tomasz Sałaciński 2011-12-27 13:57:14 UTC
The vulnerable code is located in /lib/wiki-plugins/wikiplugin_snarf.php:

170. // If the user specified a more specialized regex
171. if ( isset($params['regex']) && isset($params['regexres']) && preg_match('/^(.)(.)+\1[^e]*$/', $params['regex']) ) {
172.     $snarf = preg_replace( $params['regex'], $params['regexres'], $snarf );
173. }

Input passed through $_REQUEST['regex'] is checked by a regular expression at line 171 to prevent execution of arbitrary PHP code using the 'e' modifier in a call to preg_replace() at line 172. But this check could be bypassed with a null byte injection, requesting a URL like this:

http://<hostname>/tiki-8.2/snarf_ajax.php?url=1&regexres=phpinfo()&regex=//e%00/

Tiki internal filters remove all null bytes from user input, but for some strange reason this doesn't happen within admin sessions. So, successful exploitation of this vulnerability requires a user account with administration rights and 'PluginSnarf' to be enabled (not by default).

Reproducible: Didn't try
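As an added illustration (not code from the report or from Tiki), the following Python re-implements the line-171 check and puts a stricter validator beside it: one that rejects control bytes and parses the delimiter and modifier string the way PHP's PCRE wrapper does, so the NUL-byte case above is refused regardless of whether an upstream session filter ran. The allowed-modifier set and the function names are assumptions.

```python
import re

# Constructed re-implementation of the check at wikiplugin_snarf.php line 171.
# Python's re handles '.', '\1', '[^e]' and '$' the same way PCRE does here,
# and '.' matches a NUL byte in both engines.
ORIGINAL_CHECK = re.compile(r'^(.)(.)+\1[^e]*$')

# Assumed allow-list of PCRE modifiers; 'e' is deliberately absent.
ALLOWED_MODIFIERS = set("imsxuU")


def original_check_passes(regex: str) -> bool:
    """True if the line-171 regex would let this pattern reach preg_replace()."""
    return ORIGINAL_CHECK.match(regex) is not None


def hardened_check_passes(regex: str) -> bool:
    """Validate a user-supplied pattern by parsing it like PHP's PCRE wrapper:
    first char is the delimiter, the body ends at the first unescaped
    delimiter, everything after that is the modifier string."""
    # PHP's C-level parser stops reading modifiers at the first NUL byte, so a
    # validator that tolerates control bytes sees a different modifier string
    # than the engine does. Reject them here instead of trusting an input
    # filter that, per the report, does not run in admin sessions.
    if any(ord(c) < 0x20 for c in regex):
        return False
    if len(regex) < 3:
        return False
    delim = regex[0]
    if delim.isalnum() or delim == '\\' or delim.isspace():
        return False  # PCRE refuses these as delimiters
    # Bracket-style delimiters ((), [], {}, <>) are not modelled; they fail
    # the closing-delimiter scan below and are therefore rejected.
    i = 1
    while i < len(regex) and regex[i] != delim:
        if regex[i] == '\\':
            i += 1  # skip the escaped character
        i += 1
    if i >= len(regex):
        return False  # no closing delimiter
    modifiers = regex[i + 1:]
    return set(modifiers) <= ALLOWED_MODIFIERS


if __name__ == "__main__":
    # Constructed inputs: a benign pattern, the bare 'e' modifier the original
    # check was written to catch, and the NUL-byte form from the report.
    for pattern in ["/foo/i", "/foo/e", "//e\x00/"]:
        print(repr(pattern), original_check_passes(pattern),
              hardened_check_passes(pattern))
```

The original check accepts the NUL-byte pattern because `(.)+` swallows the `e` and the NUL as part of the "body" while the engine reads `e` as a modifier; the hardened check returns False for it.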
Comment 1 Tomasz Sałaciński 2011-12-28 15:59:14 UTC
I made attempts to reproduce exploitation in versions 2.2 and 2.4 (present in tree ATM) and consulted the original alert author (EgiX). Apparently these versions are not affected.
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-12-28 16:38:42 UTC
Whether or not this issue affects us, this is a good time to remove the package, which is several versions outdated and of little to no use, with several bugs still open. Masked for removal in 30 days.

GLSA vote: NO (XSS, SQLi), and users will probably have updated to a much more recent version.
Comment 3 Dominique Michel 2012-02-13 16:43:23 UTC
(In reply to comment #2)
> Whether or not this issue affects us, this is a good time to remove the package
> that is several versions outdated and little to no use with still several bugs
> open. Masked for removal in 30 days.
> 
> GLSA vote: NO (XSS, SQLi) and users will probably have updated to much more
> recent version.

8.4 is out and seems to fix all the reported security issues. So, how do I update this package to its latest version (8.4) if there is no ebuild in portage?
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2012-02-13 19:32:54 UTC
(In reply to comment #3)
> 
> 8.4 is out and seam to fix all the reported security issues. So, how do I
> update this package to its last version (8.4), if it is no ebuild in portage?

For support, consult our forums, mailing lists or IRC channel.

Package is gone now. No other votes, closing noglsa.