CVE-2012-0911
Published: 2012-07-12
Priority: P180 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 62.99% (99.1th percentile)
TikiWiki CMS/Groupware before 6.7 LTS and before 8.4 allows remote attackers to execute arbitrary PHP code via a crafted serialized object in the (1) cookieName to lib/banners/bannerlib.php; (2) printpages or (3) printstructures parameter to (a) tiki-print_multi_pages.php or (b) tiki-print_pages.php; or (4) sendpages, (5) sendstructures, or (6) sendarticles parameter to tiki-send_objects.php, which is not properly handled when processed by the unserialize function.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tiki | tikiwiki_cms_groupware | < 6.7 | 6.7 |
| tiki | tikiwiki_cms_groupware | < 8.4 | 8.4 |
Detection & IOCs (extracted from sources)
- Detect POST requests to tiki-print_multi_pages.php with a 'printpages' parameter containing a URL-encoded serialized PHP object (pattern: O:[0-9]+:"Zend_Pdf_ElementFactory_Proxy").
- Look for poison null byte sequences (%2500 or %00) in POST body parameters (printpages, printstructures, sendpages, sendstructures, sendarticles) targeting TikiWiki endpoints, used to bypass filesystem path restrictions.
- Alert on GET requests to sh.php (or similarly named dropped webshells) in the TikiWiki web directory, especially with a 'Cmd' HTTP header containing base64-encoded data.
- Detect serialized PHP objects of class Zend_Pdf_ElementFactory_Proxy in any HTTP parameter (GET/POST/Cookie) sent to TikiWiki scripts.
- Flag unauthenticated POST requests to tiki-send_objects.php with sendpages, sendstructures, or sendarticles parameters containing serialized data.
- Exploit requires PHP display_errors=On to disclose the TikiWiki filesystem path; without it, the path disclosure step fails and the exploit cannot proceed.
- Exploit requires the TikiWiki Multiprint feature to be enabled; if disabled, the unserialize() in tiki-print_multi_pages.php is not reachable.
- The null-byte poison technique used to write the webshell requires PHP older than 5.3.4; on PHP >= 5.3.4 the filesystem null-byte bypass is patched.
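The checks listed above, combined into one triage function over captured requests. This is an added example, not code from the original page or from any project it cites; the request-record layout, the `authenticated` field and the finding tags are assumptions, and the sample values are constructed and inert.

```python
import re
from urllib.parse import unquote_plus

# Parameter and class names come from the CVE text above; the record layout is assumed.
WATCHED = {"printpages", "printstructures", "sendpages", "sendstructures", "sendarticles"}
GADGET_CLASS = "Zend_Pdf_ElementFactory_Proxy"
PHP_OBJECT = re.compile(r'O:\d+:"([A-Za-z_][A-Za-z0-9_\\]*)"')
SERIALIZED = re.compile(r'(?:[aO]:\d+:|s:\d+:")')

def fully_decode(value, max_rounds=3):
    """URL-decode repeatedly so double-encoded input (%2500 -> %00 -> NUL) is seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(req):
    """Return sorted finding tags for one captured request (a dict)."""
    findings, path = set(), req["path"]
    headers = {k.lower() for k in req.get("headers", {})}  # header names are case-insensitive
    if path.endswith("/sh.php") and "cmd" in headers:
        findings.add("webshell-cmd-header")
    fields = {**req.get("params", {}), **req.get("cookies", {})}
    for name, raw in fields.items():
        value = fully_decode(raw)
        classes = PHP_OBJECT.findall(value)
        if classes:  # any serialized object token, whatever the class
            findings.add("php-object:" + name)
        if GADGET_CLASS in classes:
            findings.add("zend-proxy-class:" + name)
        if name in WATCHED and "\x00" in value:
            findings.add("null-byte:" + name)
        if (name in WATCHED and name.startswith("send") and not req.get("authenticated")
                and path.endswith("tiki-send_objects.php") and SERIALIZED.match(value)):
            findings.add("unauth-serialized:" + name)
    return sorted(findings)

# Constructed sample records (inert values, not taken from real traffic).
SAMPLES = [
    {"path": "/tiki/tiki-print_multi_pages.php", "authenticated": False,
     "params": {"printpages": "O%3A29%3A%22Zend_Pdf_ElementFactory_Proxy%22%3A0%3A%7B%7D"}},
    {"path": "/tiki/tiki-send_objects.php", "authenticated": False,
     "params": {"sendpages": "a%3A1%3A%7Bi%3A0%3Bs%3A8%3A%22HomePage%22%3B%7D",
                "sendarticles": "placeholder%2500"}},
    {"path": "/tiki/sh.php", "headers": {"Cmd": "PLACEHOLDER"}},
    {"path": "/tiki/tiki-index.php", "authenticated": True, "params": {"page": "HomePage"}},
]
```

Calling `inspect_request` on each entry of `SAMPLES` returns the tags for that record; access logs alone rarely carry POST bodies, so the records would normally come from a WAF or reverse-proxy capture.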
CVSS provenance
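| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |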
Exploit-DB
Tiki Wiki CMS Groupware 8.3 - 'Unserialize()' PHP Code Execution (Metasploit)
exploitdb·2012-07-09
CVE-2012-3996 Tiki Wiki CMS Groupware 8.3 - 'Unserialize()' PHP Code Execution (Metasploit)
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 'Tiki Wiki %q{
This module exploits a php unserialize() vulnerability in Tiki Wiki
[
  'EgiX', # Vulnerability discovery and PoC
  'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
  [
    [ 'CVE', '2012-0911' ],
    [ 'BID', '54298' ],
    [ 'EDB', '19573' ],
    [ 'URL', 'http://dev.tiki.org/item4109' ]
  ],
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Payload' =>
  {
    'DisableNops' =
```
Exploit-DB
Tiki Wiki CMS Groupware 8.3 - 'Unserialize()' PHP Code Execution
exploitdb·2012-07-04
CVE-2012-0911 Tiki Wiki CMS Groupware 8.3 - 'Unserialize()' PHP Code Execution
---
```php
(.*)tiki-rss/', http_send($host, $packet), $m)) die("\n[-] Path not found!\n");
    return $m[1];
}
print "\n+----------------------------------------------------------------------+";
print "\n| Tiki Wiki CMS Groupware \n";
print "\nExample....: php $argv[0] localhost /";
print "\nExample....: php $argv[0] localhost /tiki/\n";
die();
}
list($host, $path) = array($argv[1], $argv[2]);
$f_path = get_path();
print "\n[-] Path disclosure: {$f_path}\n";
class Zend_Search_Lucene_Index_FieldInfo
{
    public $name = '';
}
class Zend_Search_Lucene_Storage_Directory_Filesystem
{
    protected $_dirPath = null;
    public function __construct($path)
    {
        $this->_dirPath = $path;
    }
}
interface Zend_Pdf_ElementFactory_Interface {}
class Zend_
```
Metasploit
Tiki Wiki unserialize() PHP Code Execution
metasploit
This module exploits a php unserialize() vulnerability in Tiki Wiki <= 8.3 which could be abused to allow unauthenticated users to execute arbitrary code under the context of the webserver user. The dangerous unserialize() exists in the 'tiki-print_multi_pages.php' script, which is called with user controlled data from the 'printpages' parameter. The exploit abuses the __destruct() method from the Zend_Pdf_ElementFactory_Proxy class to write arbitrary PHP code to a file on the Tiki Wiki web directory. In order to run successfully three conditions must be satisfied (1) display_errors php setting must be On to disclose the filesystem path of Tiki Wiki, (2) The Tiki Wiki Multiprint feature must be enabled to exploit the unserialize() and (3) a php v
CWE
CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
mitre_cwe
The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
If the object contains attributes that were only intended for internal use, then their unexpected modification could lead to a vulnerability. This weakness is sometimes known by the language-specific mechanisms that make it possible, such as mass assignment, autobinding, or object injection.
Modes of Introduction:
Phase: Architecture and Design
Phase: Implementation
Common Consequences:
Scope: Integrity. Impact: Modify Application Data. An attacker could modify sensitive d
CWE
CWE-502: Deserialization of Untrusted Data
mitre_cwe
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Background: Serialization and deserialization refer to the process of taking program-internal object-related data, packaging it in a way that allows the data to be externally stored or transferred ("serialization"), then extracting the serialized data to reconstruct the original object ("deserialization").
Modes of Introduction:
Phase: Architecture and Design
Note: OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase.
Phase: Implementation
Common Consequences:
Scope: Integrity. Impact: Modify Application Data, Unexpected State. Attackers can modify unexpected objects or data that was as
References
- http://archives.neohapsis.com/archives/bugtraq/2012-07/0020.html
- http://dev.tiki.org/item4109
- http://info.tiki.org/article190-Tiki-Wiki-CMS-Groupware-Updates-Tiki-6-7-LTS
- http://info.tiki.org/article191-Tiki-Releases-8-4
- http://osvdb.org/83534
- http://www.exploit-db.com/exploits/19573
- http://www.exploit-db.com/exploits/19630
- http://www.securityfocus.com/bid/54298
- https://exchange.xforce.ibmcloud.com/vulnerabilities/76758