CVE-2012-0911
published 2012-07-12


Priority: P180 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 62.99% (99.1th percentile)
TikiWiki CMS/Groupware before 6.7 LTS and before 8.4 allows remote attackers to execute arbitrary PHP code via a crafted serialized object in the (1) cookieName to lib/banners/bannerlib.php; (2) printpages or (3) printstructures parameter to (a) tiki-print_multi_pages.php or (b) tiki-print_pages.php; or (4) sendpages, (5) sendstructures, or (6) sendarticles parameter to tiki-send_objects.php, which is not properly handled when processed by the unserialize function.

Affected

2 ranges
| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| tiki | tikiwiki_cms_groupware | < 6.7 | 6.7 |
| tiki | tikiwiki_cms_groupware | < 8.4 | 8.4 |

Detection & IOCs (extracted from sources)

path: tiki-print_multi_pages.php
path: tiki-print_pages.php
path: tiki-send_objects.php
path: lib/banners/bannerlib.php
path: sh.php
command: POST {path}tiki-print_multi_pages.php
other: printpages=O:29:"Zend_Pdf_ElementFactory_Proxy":1:
cookie: cookieName=[serialized object]
  • Detect POST requests to tiki-print_multi_pages.php with a 'printpages' parameter containing a URL-encoded serialized PHP object (pattern: O:[0-9]+:"Zend_Pdf_ElementFactory_Proxy").
  • Look for poison null byte sequences (%2500 or %00) in POST body parameters (printpages, printstructures, sendpages, sendstructures, sendarticles) targeting TikiWiki endpoints, used to bypass filesystem path restrictions.
  • Alert on GET requests to sh.php (or similarly named dropped webshells) in the TikiWiki web directory, especially with a 'Cmd' HTTP header containing base64-encoded data.
  • Detect serialized PHP objects of class Zend_Pdf_ElementFactory_Proxy in any HTTP parameter (GET/POST/Cookie) sent to TikiWiki scripts.
  • Flag unauthenticated POST requests to tiki-send_objects.php with sendpages, sendstructures, or sendarticles parameters containing serialized data.
  • Exploit requires PHP display_errors=On to disclose the TikiWiki filesystem path; without it, the path disclosure step fails and the exploit cannot proceed.
  • Exploit requires the TikiWiki Multiprint feature to be enabled; if disabled, the unserialize() in tiki-print_multi_pages.php is not reachable.
  • The null-byte poison technique used to write the webshell requires PHP older than 5.3.4; on PHP >= 5.3.4 the filesystem null-byte bypass is patched.
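
The detection rules above, written as a log-scanning check. This is an added example, not code from the advisory or from TikiWiki; it goes slightly beyond the listed rules by also flagging serialized objects of any class in the named parameters and cookies. The request-dict shape and the names `detect`, `fully_decode` and `SAMPLES` are assumptions made for the example.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Endpoints and parameters named in the advisory text above.
ENDPOINTS = ("tiki-print_multi_pages.php", "tiki-print_pages.php",
             "tiki-send_objects.php", "lib/banners/bannerlib.php")
PARAMS = {"printpages", "printstructures", "sendpages", "sendstructures", "sendarticles"}
SERIALIZED_OBJECT = re.compile(r'O:[0-9]+:"([^"]+)"')  # PHP object marker and class name

def fully_decode(value, rounds=3):
    """Undo nested URL encoding (%2500 -> %00 -> NUL byte) before matching."""
    for _ in range(rounds):
        value = unquote_plus(value)
    return value

def detect(req):
    """Return rule hits for one request: a dict with method, url, headers, cookies, body."""
    hits = []
    url = urlsplit(req["url"])
    cookies = req.get("cookies", {})
    fields = parse_qsl(url.query) + parse_qsl(req.get("body", "")) + list(cookies.items())
    on_tiki = url.path.endswith(ENDPOINTS)
    for name, raw in fields:
        value = fully_decode(raw)
        match = SERIALIZED_OBJECT.search(value)
        if match and match.group(1) == "Zend_Pdf_ElementFactory_Proxy":
            hits.append(f"zend-proxy-object:{name}")   # any parameter, any script
        elif match and on_tiki and (name in PARAMS or name in cookies):
            hits.append(f"serialized-object:{name}")   # other classes, watched inputs only
        if "\x00" in value and name in PARAMS:
            hits.append(f"null-byte:{name}")
    has_cmd = any(h.lower() == "cmd" for h in req.get("headers", {}))
    if req["method"] == "GET" and url.path.endswith("/sh.php") and has_cmd:
        hits.append("webshell-request:sh.php")
    return hits

# Constructed sample requests (not captured traffic); object bodies are placeholders.
SAMPLES = [
    {"method": "POST", "url": "/tiki/tiki-print_multi_pages.php",
     "body": "printpages=O%3A29%3A%22Zend_Pdf_ElementFactory_Proxy%22%3A1%3A%7BPLACEHOLDER%2500%7D"},
    {"method": "POST", "url": "/tiki/tiki-send_objects.php",
     "body": "sendpages=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D"},
    {"method": "GET", "url": "/tiki/sh.php", "headers": {"Cmd": "Y29uc3RydWN0ZWQ="}},
    {"method": "POST", "url": "/tiki/tiki-print_multi_pages.php",
     "body": "printpages=a%3A1%3A%7Bi%3A0%3Bs%3A8%3A%22HomePage%22%3B%7D"},
]
if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["method"], sample["url"], detect(sample))
```

The last sample carries a serialized array rather than an object and produces no hit, which keeps ordinary array-valued submissions from alerting.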

CVSS provenance

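| Source | Version | Score | Severity | Vector |
|--------|---------|-------|----------|--------|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |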