Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 153820 - www-apps/tikiwiki: mysql password disclosure & xss
Summary: www-apps/tikiwiki: mysql password disclosure & xss
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B3/4 [glsa] vorlon
Depends on:
Reported: 2006-11-02 07:54 UTC by Matthias Geerdsen (RETIRED)
Modified: 2006-11-20 11:47 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Matthias Geerdsen (RETIRED) gentoo-dev 2006-11-02 07:54:40 UTC
//tikiwiki version 1.9.5 (CVS) -Sirius-  (PoC)
// Product: Tikiwiki 
// URL:
// RISK: critical

there's a critical security bug in tikiwiki version 1.9.5 (CVS) -Sirius-
a anonymous user , can dump the mysql user & passwd just by creating a mysql error with the "sort_mode" var , with those following links :

there's also a xss here :
/tiki-featured_link.php?type=f&url=" ></iframe><scr</script>ipt>alert('XSS')</scri</script>pt> <!--

Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2006-11-02 07:57:31 UTC

- fixed for 1.9 CVS
- xss vulnerability fixed

merge into 1.10 on the way
Comment 2 Renat Lumpau (RETIRED) gentoo-dev 2006-11-07 20:08:53 UTC
1.9.6 in CVS, needs ppc lovin'
Comment 3 Tobias Scherbaum (RETIRED) gentoo-dev 2006-11-07 23:40:12 UTC
ppc stable, this one's ready for GLSA decision.
Comment 4 Matthias Geerdsen (RETIRED) gentoo-dev 2006-11-09 14:51:56 UTC
security please vote
Comment 5 Wolf Giesen (RETIRED) gentoo-dev 2006-11-10 06:11:26 UTC
Hm, I would not want my users know my database credentials. I know some bigger organizations that use Tikiwiki for their Intranets, so I guess I'll say "yes" here.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-10 09:34:36 UTC
Voting YES. Let's have GLSA on this one.
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-20 11:47:47 UTC
GLSA 200611-11