cbcvebase.
CVE-2006-5702
published 2006-11-04

CVE-2006-5702: Tikiwiki 1.9.5 allows remote attackers to obtain sensitive information (MySQL username and password) via an empty sort_mode parameter in (1)…

PriorityP342medium5CVSS 2.0
AVNACLAuNCPINAN
EXPLOIT
EPSS
53.07%
98.8th percentile
Tikiwiki 1.9.5 allows remote attackers to obtain sensitive information (MySQL username and password) via an empty sort_mode parameter in (1) tiki-listpages.php, (2) tiki-lastchanges.php, (3) messu-archive.php, (4) messu-mailbox.php, (5) messu-sent.php, (6) tiki-directory_add_site.php, (7) tiki-directory_ranking.php, (8) tiki-directory_search.php, (9) tiki-forums.php, (10) tiki-view_forum.php, (11) tiki-friends.php, (12) tiki-list_blogs.php, (13) tiki-list_faqs.php, (14) tiki-list_trackers.php, (15) tiki-list_users.php, (16) tiki-my_tiki.php, (17) tiki-notepad_list.php, (18) tiki-orphan_pages.php, (19) tiki-shoutbox.php, (20) tiki-usermenu.php, and (21) tiki-webmail_contacts.php, which reveal the information in certain database error messages.

Affected

1 ranges
VendorProductVersion rangeFixed in
tikitikiwiki_cms_groupware

Detection & IOCsextracted from sources · hover to see the quote

path/tiki-listpages.php?offset=0&sort_mode=
path/tiki-lastchanges.php?days=1&offset=0&sort_mode=
path/messu-archive.php?sort_mode=
path/messu-mailbox.php?sort_mode=
path/messu-sent.php?sort_mode=
path/tiki-directory_add_site.php?sort_mode=
path/tiki-directory_ranking.php?sort_mode=
path/tiki-directory_search.php?sort_mode=
path/tiki-forums.php?sort_mode=
path/tiki-view_forum.php?forumId=
path/tiki-friends.php?sort_mode=
path/tiki-list_blogs.php?sort_mode=
path/tiki-list_faqs.php?sort_mode=
path/tiki-list_trackers.php?sort_mode=
path/tiki-list_users.php?sort_mode=
path/tiki-my_tiki.php?sort_mode=
path/tiki-notepad_list.php?sort_mode=
path/tiki-orphan_pages.php?sort_mode=
path/tiki-shoutbox.php?sort_mode=
path/tiki-usermenu.php?sort_mode=
path/tiki-webmail_contacts.php?sort_mode=
  • Trigger condition is an empty (blank) `sort_mode` GET parameter submitted to any of the 21 vulnerable TikiWiki PHP scripts; the resulting MySQL error message leaks the database username and password in the HTTP response body.
  • Detect HTTP requests to TikiWiki paths containing `sort_mode=` with an empty value (i.e., `sort_mode=` at end of query string or followed by `&`) — no authentication required, exploitable by anonymous users.
  • A Metasploit auxiliary module exists for this vulnerability under `auxiliary/admin/tikiwiki/tikidblib`, enabling automated exploitation for credential harvesting.
  • ·Vulnerability is confirmed only in TikiWiki version 1.9.5 (CVS) -Sirius-; other versions are not confirmed affected by the sources.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.