CVE-2007-5423
published 2007-10-12


Priority: P2 (68, high)
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit available
EPSS: 76.66% (99.5th percentile)
tiki-graph_formula.php in TikiWiki 1.9.8 allows remote attackers to execute arbitrary code via PHP sequences in the f array parameter, which are processed by create_function.

Affected (11 ranges)

Vendor | Product                 | Version range | Fixed in
tiki   | tikiwiki_cms_groupware  | <= 1.9.8      | (not listed)

The remaining ten ranges on this page are all for tiki / tikiwiki_cms_groupware and carry no version or fix data.

Detection & IOCs (extracted from sources)

path: /tiki-graph_formula.php
url: http:/server/tikiwiki/tiki-graph_formula.php?w=1&h=1&s=1&min=1&max=2&f[]=x.tan.phpinfo()&t=png&title=
path: /tikiwiki/tiki-graph_formula.php
command: passthru(chr(101).chr(99).chr(104).chr(111).chr(32).chr(89).chr(89).chr(89).chr(59).chr(99).chr(97).chr(116).chr(32).chr(100).chr(98).chr(47).chr(108).chr(111).chr(99).chr(97).chr(108).chr(46).chr(112).chr(104).chr(112).chr(59).chr(101).chr(99).chr(104).chr(111).chr(32).chr(89).chr(89).chr(89))
  (the chr() chain decodes to: echo YYY;cat db/local.php;echo YYY)
  • Monitor HTTP GET requests targeting tiki-graph_formula.php with an 'f[]' array parameter containing PHP function calls or code sequences (e.g., f[]=x.tan.phpinfo()), which are passed unsanitized to create_function().
  • Alert on HTTP requests to tiki-graph_formula.php where the f[] parameter contains dot-concatenated PHP function names (e.g., x.tan.phpinfo()), a pattern characteristic of this exploit's injection syntax.
  • Detect exploitation attempts using the Metasploit module's characteristic User-Agent string 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' combined with requests to tiki-graph_formula.php.
  • Flag requests to tiki-graph_formula.php with query parameters t=pdf or t=png alongside f[] array values, as these are required parameters in the exploit's build_uri() construction.
  • Monitor for post-exploitation file reads of db/local.php via passthru() or similar PHP execution functions, which the Metasploit module uses to harvest TikiWiki database credentials.
  • The vulnerable script does not sanitize user input supplied to create_function(); detect f[] parameter values containing chr() sequences or PHP built-in function names in requests to tiki-graph_formula.php. Note that legitimate graph formulas (e.g. sin(x)) also contain parentheses and math function names, so parentheses alone are a low-fidelity signal; the dot-concatenated call syntax and non-math function names are the higher-fidelity indicators.
  • The Metasploit payload space is constrained to 6144 bytes because Apache's maximum URI length is 8190 bytes; payloads delivered via the GET URI are limited accordingly.
  • The character 'x' is a bad character for payloads because the vulnerable code replaces it with '$x'; encoders must avoid 'x' as well as backtick, double-quote, single-quote, space, percent, and ampersand.
  • The exploit targets TikiWiki versions 1.9.x up to and including 1.9.8; the module's version check reports versions newer than 1.9.8 as not vulnerable.
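The detection bullets above turned into a small log scanner, as an added example that is not from this page, the Metasploit module, or the TikiWiki project. It parses Apache combined-format access-log lines (the sample lines below are constructed, not real traffic), keeps only requests to tiki-graph_formula.php, and raises findings for the CVE-2007-5423 injection syntax: a dot immediately followed by a function call (x.tan.phpinfo()), non-math function names in f[], chr() chains (which it decodes so the analyst sees the underlying command), and the Metasploit default User-Agent. The function list, severity labels, and the requirement that the path end in /tiki-graph_formula.php are assumptions; the benign sin(x) line is included to show why parentheses alone are not used as a signal.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2007:10:01:02 +0000] "GET /tikiwiki/tiki-graph_formula.php?w=1&h=1&s=1&min=1&max=2&f[]=x.tan.phpinfo()&t=png&title= HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.0.6 - - [12/Oct/2007:10:02:03 +0000] "GET /tikiwiki/tiki-graph_formula.php?w=400&h=300&s=1&min=-5&max=5&f[]=sin(x)&t=png&title=demo HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Oct/2007:10:03:04 +0000] "GET /tikiwiki/tiki-graph_formula.php?w=1&h=1&s=1&min=1&max=2&f[]=x.tan.passthru(chr(99).chr(97).chr(116).chr(32).chr(100).chr(98).chr(47).chr(108).chr(111).chr(99).chr(97).chr(108).chr(46).chr(112).chr(104).chr(112))&t=pdf&title= HTTP/1.1" 200 900 "-" "curl/7.16"
10.0.0.8 - - [12/Oct/2007:10:04:05 +0000] "GET /tikiwiki/tiki-index.php?page=HomePage HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# Function names with no legitimate use inside a graph formula (assumed list).
DANGEROUS_FUNCS = {
    "phpinfo", "passthru", "system", "exec", "shell_exec", "popen", "proc_open",
    "eval", "assert", "create_function", "file_get_contents", "file_put_contents",
    "fopen", "include", "require", "chr", "base64_decode",
}
MSF_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

# Apache combined log format: ip ident user [ts] "method target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
CHR_RE = re.compile(r"chr\((\d{1,3})\)")
# A dot followed directly by an identifier and '(' is PHP string concatenation
# of a call result ("x.tan.phpinfo()"); a decimal such as 0.5*sin(x) does not match.
CONCAT_CALL_RE = re.compile(r"\.\s*[A-Za-z_]\w*\s*\(")
IDENT_RE = re.compile(r"[A-Za-z_]\w*")


def decode_chr_chain(s):
    """Render chr(101).chr(99)... as readable text so the analyst sees the command."""
    return "".join(chr(int(c)) for c in CHR_RE.findall(s) if int(c) < 256)


def analyze_request(target, ua=""):
    """Return a list of (severity, reason) findings for one request target."""
    parts = urlsplit(target)
    if not parts.path.endswith("/tiki-graph_formula.php"):
        return []
    qs = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    for f in qs.get("f[]", []) + qs.get("f", []):
        bad = sorted(set(IDENT_RE.findall(f)) & DANGEROUS_FUNCS)
        if bad:
            findings.append(("high", "non-math PHP function(s) in f[]: " + ", ".join(bad)))
        if CONCAT_CALL_RE.search(f):
            findings.append(("high", "dot-concatenated call in f[] (CVE-2007-5423 injection syntax)"))
        if "chr(" in f:
            findings.append(("high", "chr() chain decodes to: %r" % decode_chr_chain(f)))
    if ua == MSF_UA:
        findings.append(("medium", "Metasploit default User-Agent on tiki-graph_formula.php"))
    # t=png/pdf is a normal parameter; only worth noting once something else fired.
    if findings and qs.get("t", [""])[0] in ("png", "pdf"):
        findings.append(("info", "t=%s present, as in the module's build_uri()" % qs["t"][0]))
    return findings


def scan_log(text):
    """Return [(ip, target, findings)] for every log line that raised findings."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            findings = analyze_request(m["target"], m["ua"])
            if findings:
                hits.append((m["ip"], m["target"], findings))
    return hits


if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(ip, target)
        for sev, reason in findings:
            print("   [%s] %s" % (sev, reason))
```

Run against the sample, the first and third lines are reported and the legitimate sin(x) request and the unrelated tiki-index.php request are not; the third hit shows the decoded "cat db/local.php" credential-harvesting command rather than the opaque chr() chain. In production the same analyze_request() can be fed from a WAF or proxy log as long as the raw (undecoded) query string is preserved.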