----------------------------------------------------------------- Tiki Wiki CMS Groupware <= 8.3 "unserialize()" PHP Code Execution ----------------------------------------------------------------- author...........: Egidio Romano aka EgiX mail.............: n0b0d13s[at]gmail[dot]com software link....: http://info.tiki.org/ [-] Vulnerable code in different locations: lib/banners/bannerlib.php:28: $views = unserialize($_COOKIE[$cookieName]); lib/banners/bannerlib.php:136: $views = unserialize($_COOKIE[$cookieName]); tiki-print_multi_pages.php:19: $printpages = unserialize(urldecode($_REQUEST['printpages'])); tiki-print_multi_pages.php:24: $printstructures = unserialize(urldecode($_REQUEST['printstructures'])); tiki-print_pages.php:31: $printpages = unserialize(urldecode($_REQUEST["printpages"])); tiki-print_pages.php:32: $printstructures = unserialize(urldecode($_REQUEST['printstructures'])); tiki-send_objects.php:42: $sendpages = unserialize(urldecode($_REQUEST['sendpages'])); tiki-send_objects.php:48: $sendstructures = unserialize(urldecode($_REQUEST['sendstructures'])); tiki-send_objects.php:54: $sendarticles = unserialize(urldecode($_REQUEST['sendarticles'])); The vulnerability is caused due to all these scripts using "unserialize()" with user controlled input. This can lead to execution of arbitrary PHP code passing an ad-hoc Zend Framework serialized object. [-] Full path disclosure at: http://[host]/[path]/admin/include_calendar.php http://[host]/[path]/tiki-rss_error.php http://[host]/[path]/tiki-watershed_service.php [-] Disclosure timeline: [11/01/2012] - Vulnerability discovered [14/01/2012] - Issue reported to security(at)tikiwiki.org [14/01/2012] - New ticket opened: http://dev.tiki.org/item4109 [23/01/2012] - CVE number requested [23/01/2012] - Assigned CVE-2012-0911 [01/05/2012] - Version 8.4 released: http://info.tiki.org/article191-Tiki-Releases-8-4 [04/07/2012] - Public disclosure [-] Proof of concept: http://www.exploit-db.com/exploits/19573/
