CVE-2006-4602
published 2006-09-07


Priority: P2 63 · Severity: high · CVSS 2.0: 7.5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: public exploit available
EPSS: 42.60% (98.5th percentile)
Unrestricted file upload vulnerability in jhot.php in TikiWiki 1.9.4 Sirius and earlier allows remote attackers to execute arbitrary PHP code via a filepath parameter that contains a filename with a .php extension, which is uploaded to the img/wiki/ directory.

Affected

1 range

| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| tiki | tikiwiki_cms_groupware | | |

Detection & IOCs (extracted from sources)

  • path: jhot.php
  • path: img/wiki/
  • url: /tikiwiki/jhot.php
  • url: /tikiwiki/img/wiki/tiki-config.php
  • command: rm -f tiki-config.php
  • path: /img/wiki/tiki-config.php
  • bytes (multipart boundary): -----------------------------7d529a1d23092a
  • Detect POST requests to jhot.php with a multipart/form-data body containing a 'filepath' field with a .php filename — this is the upload vector for CVE-2006-4602.
  • Alert on GET requests to /img/wiki/*.php — the exploit uploads a PHP webshell to this directory and then retrieves it to execute commands.
  • Detect the CLIENT-IP HTTP header being used to pass OS commands to the uploaded PHP webshell; this is the command execution channel used by both public exploits.
  • The exploit uses a fixed multipart boundary '-----------------------------7d529a1d23092a' in the Content-Type header; matching this string in HTTP traffic is a high-fidelity indicator of the known exploit tools.
  • Check HTTP responses from /img/wiki/ PHP files for the string 'my_delim', which is the delimiter used by both exploit scripts to extract command output.
  • Fingerprint vulnerable TikiWiki instances by checking for the string 'TikiWiki 1.9.4' in the body of responses from tiki-index.php.
  • The Metasploit module defaults the TikiWiki URI path to '/tikiwiki/'; real deployments may use a different base path, so detection rules should match on the script names (jhot.php, img/wiki/) relative to any base path.
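The detection bullets above, turned into working rules as an added example (this is not code from the source record or from any vendor tool). It runs the five indicators over a small set of constructed HTTP transactions; the transaction dictionary shape (method, path, lower-cased headers, body, response) is an assumption chosen for the example and would be adapted to a real log source. Script names are matched relative to any base path, as the last bullet recommends, so the rules also work for deployments that do not live under /tikiwiki/.

```python
"""Detection rules for the CVE-2006-4602 indicators, run over constructed
sample HTTP transactions (not real captured traffic)."""
import re

# Fixed multipart boundary used by the known exploit tools (from the record).
EXPLOIT_BOUNDARY = "-----------------------------7d529a1d23092a"
# jhot.php at the end of the request path, under any base path.
UPLOAD_SCRIPT_RE = re.compile(r"(?:^|/)jhot\.php$")
# A .php file inside img/wiki/, under any base path, with or without a query.
WIKI_IMG_PHP_RE = re.compile(r"/img/wiki/[^/?]+\.php(?:$|\?)")
# Filename attribute of the 'filepath' multipart field; group 1 is the filename.
FILEPATH_PART_RE = re.compile(
    r'name="filepath";\s*filename="([^"]*)"', re.IGNORECASE)


def inspect(tx):
    """Return the list of indicator names that fire for one transaction.

    tx is a dict with keys method, path, headers (dict with lower-cased
    header names), body (request body as str) and response (response body).
    This shape is a hypothetical choice for the example.
    """
    findings = []
    method = tx["method"].upper()
    path = tx["path"]
    headers = tx.get("headers", {})
    ctype = headers.get("content-type", "")

    # 1. Upload vector: POST to jhot.php whose 'filepath' part carries a .php name.
    if method == "POST" and UPLOAD_SCRIPT_RE.search(path.split("?")[0]):
        if "multipart/form-data" in ctype.lower():
            m = FILEPATH_PART_RE.search(tx.get("body", ""))
            if m and m.group(1).lower().endswith(".php"):
                findings.append("jhot_php_upload")

    hits_img_wiki = bool(WIKI_IMG_PHP_RE.search(path))
    # 2. Retrieval of a PHP file from img/wiki/ (uploaded content being executed).
    if method == "GET" and hits_img_wiki:
        findings.append("img_wiki_php_get")
    # 3. CLIENT-IP header on a request to an img/wiki/ PHP file (command channel).
    if hits_img_wiki and "client-ip" in headers:
        findings.append("client_ip_command_channel")
    # 4. Known exploit-tool boundary string in the Content-Type header.
    if EXPLOIT_BOUNDARY in ctype:
        findings.append("exploit_tool_boundary")
    # 5. Output delimiter 'my_delim' in the response from an img/wiki/ PHP file.
    if hits_img_wiki and "my_delim" in tx.get("response", ""):
        findings.append("my_delim_response")
    return findings


# Constructed sample transactions; none of this is real traffic.
SAMPLE_TRANSACTIONS = [
    {   # benign image upload through jhot.php
        "method": "POST", "path": "/tikiwiki/jhot.php",
        "headers": {"content-type": "multipart/form-data; boundary=----abc123"},
        "body": 'Content-Disposition: form-data; name="filepath"; filename="photo.jpg"\r\n',
        "response": "ok",
    },
    {   # upload of a .php filename through jhot.php using the known boundary
        "method": "POST", "path": "/wiki/jhot.php",
        "headers": {"content-type": "multipart/form-data; boundary=" + EXPLOIT_BOUNDARY},
        "body": 'Content-Disposition: form-data; name="filepath"; filename="shell.php"\r\n',
        "response": "",
    },
    {   # fetch of the uploaded file with a CLIENT-IP header present
        "method": "GET", "path": "/wiki/img/wiki/shell.php",
        "headers": {"client-ip": "constructed-placeholder"},
        "response": "my_delim(constructed output)my_delim",
    },
    {   # ordinary image fetch from img/wiki/, should not fire
        "method": "GET", "path": "/wiki/img/wiki/logo.png",
        "headers": {}, "response": "\x89PNG",
    },
]


def scan(transactions=SAMPLE_TRANSACTIONS):
    """Map the index of each flagged transaction to the indicators that fired."""
    return {i: f for i, tx in enumerate(transactions) if (f := inspect(tx))}


if __name__ == "__main__":
    for idx, names in scan().items():
        print(f"transaction {idx}: {', '.join(names)}")
```

Rules 2 and 3 are deliberately separate: a GET to an img/wiki/ PHP file is suspicious on its own, while the CLIENT-IP header on the same request is the higher-confidence indicator, so a SIEM can weight them differently. Rule 4 is a fingerprint of the known tooling only; a modified tool changes the boundary, so it should back up rule 1 rather than replace it.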