CVE-2006-4602
Published 2006-09-07
Priority: P2 (63), high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 42.60% (98.5th percentile)
Unrestricted file upload vulnerability in jhot.php in TikiWiki 1.9.4 Sirius and earlier allows remote attackers to execute arbitrary PHP code via a filepath parameter that contains a filename with a .php extension, which is uploaded to the img/wiki/ directory.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tiki | tikiwiki_cms_groupware | — | — |
Detection & IOCs
bytes: -----------------------------7d529a1d23092a
- Detect POST requests to jhot.php with a multipart/form-data body containing a 'filepath' field with a .php filename; this is the upload vector for CVE-2006-4602.
- Alert on GET requests to /img/wiki/*.php; the exploit uploads a PHP webshell to this directory and then retrieves it to execute commands.
- Detect the CLIENT-IP HTTP header being used to pass OS commands to the uploaded PHP webshell; this is the command execution channel used by both public exploits.
- The exploit uses a fixed multipart boundary '-----------------------------7d529a1d23092a' in the Content-Type header; matching this string in HTTP traffic is a high-fidelity indicator of the known exploit tools.
- Check HTTP responses from /img/wiki/ PHP files for the string 'my_delim', which is the delimiter used by both exploit scripts to extract command output.
- Fingerprint vulnerable TikiWiki instances by checking for the string 'TikiWiki 1.9.4' in the body of responses from tiki-index.php.
- The Metasploit module defaults the TikiWiki URI path to '/tikiwiki/'; real deployments may use a different base path, so detection rules should match on the script names (jhot.php, img/wiki/) relative to any base path.
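The request-side and response-side checks from the list above, combined into one function and run over constructed sample transactions. This is an added example, not code from this page or from any tool it cites; the transaction dict layout, the indicator names and the `/cms/` base path are assumptions.

```python
import re

# Indicators come from the detection notes above. The transaction layout
# (method, path, headers, body, response) is an assumption of this example.
KNOWN_BOUNDARY = "-----------------------------7d529a1d23092a"
UPLOAD_PATH = re.compile(r"/jhot\.php(?:\?|$)", re.I)            # any base path
DROPPED_PHP = re.compile(r"/img/wiki/[^/?]+\.php(?:\?|$)", re.I)  # any base path
FILEPATH_PHP = re.compile(r'name="filepath";\s*filename="[^"]*\.php"', re.I)


def indicators(txn):
    """Return the sorted CVE-2006-4602 indicators seen in one HTTP transaction."""
    hits = set()
    headers = {k.lower(): v for k, v in txn.get("headers", {}).items()}
    path, method = txn["path"], txn["method"].upper()
    ctype, body = headers.get("content-type", ""), txn.get("body", "")

    if KNOWN_BOUNDARY in ctype or KNOWN_BOUNDARY in body:
        hits.add("known-tool-boundary")
    if (method == "POST" and UPLOAD_PATH.search(path)
            and "multipart/form-data" in ctype.lower() and FILEPATH_PHP.search(body)):
        hits.add("jhot-php-upload")
    if DROPPED_PHP.search(path):
        hits.add("img-wiki-php-request")      # flagged for any method, not only GET
        if "client-ip" in headers:
            hits.add("client-ip-header")
        if "my_delim" in txn.get("response", ""):
            hits.add("my_delim-in-response")
    return sorted(hits)


# Constructed sample transactions (not captured traffic); file content is a placeholder.
SAMPLES = [
    {"method": "POST", "path": "/cms/jhot.php",
     "headers": {"Content-Type": "multipart/form-data; boundary=" + KNOWN_BOUNDARY},
     "body": "--" + KNOWN_BOUNDARY + '\r\nContent-Disposition: form-data; '
             'name="filepath"; filename="sample.php"\r\n\r\nPLACEHOLDER\r\n'},
    {"method": "GET", "path": "/cms/img/wiki/sample.php",
     "headers": {"CLIENT-IP": "placeholder"}, "response": "my_delim...my_delim"},
    {"method": "GET", "path": "/cms/img/wiki/logo.png", "headers": {}},
    {"method": "POST", "path": "/cms/jhot.php",
     "headers": {"Content-Type": "multipart/form-data; boundary=x1"},
     "body": '--x1\r\nContent-Disposition: form-data; name="filepath"; '
             'filename="diagram.png"\r\n\r\nPLACEHOLDER\r\n'},
]

if __name__ == "__main__":
    for txn in SAMPLES:
        print(txn["method"], txn["path"], indicators(txn))
```

The last two samples are benign controls: an image fetched from img/wiki/ and a non-PHP upload through jhot.php should produce no indicators.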
No detection rules found.
Exploit-DB
TikiWiki jhot - Remote Command Execution (Metasploit)
exploitdb·2010-07-25
---
##
# $Id: tikiwiki_jhot_exec.rb 9929 2010-07-25 21:37:54Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'TikiWiki jhot Remote Command Execution',
'Description' => %q{
TikiWiki contains a flaw that may allow a malicious user to execute
arbitrary PHP code. The issue is triggered due to the jhot.php script
not correctly verifying uploaded files. It is possible that the flaw
may allow arbitrary PHP code execution by uploading a malicious PHP
script resulting in a loss of integri
Exploit-DB
TikiWiki 1.9 Sirius - 'jhot.php' Remote Command Execution
exploitdb·2006-09-02
---
#!/usr/bin/php -q -d short_open_tag=on
126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$p
Metasploit
TikiWiki jhot Remote Command Execution
metasploit
TikiWiki contains a flaw that may allow a malicious user to execute arbitrary PHP code. The issue is triggered due to the jhot.php script not correctly verifying uploaded files. It is possible that the flaw may allow arbitrary PHP code execution by uploading a malicious PHP script resulting in a loss of integrity. The vulnerability was reported in Tikiwiki version 1.9.4.
No writeups or analysis indexed.
- http://isc.sans.org/diary.php?storyid=1672
- http://secunia.com/advisories/21733
- http://secunia.com/advisories/22100
- http://security.gentoo.org/glsa/glsa-200609-16.xml
- http://tikiwiki.org/tiki-read_article.php?articleId=136
- http://www.osvdb.org/28456
- http://www.securityfocus.com/bid/19819
- http://www.vupen.com/english/advisories/2006/3450
- https://www.exploit-db.com/exploits/2288