VID: 210079
Severity: 40
Port: 80, ...
Protocol: TCP
Class: CGI
Detailed Description |
TikiWiki is vulnerable to command execution through the 'tiki-graph_formula.php' script. Tiki CMS/Groupware (aka TikiWiki) is a freely available Content Management System (CMS) and groupware package written in PHP. TikiWiki versions prior to 1.9.8.1 fail to validate user-supplied input passed in the 'f[]' parameter of 'tiki-graph_formula.php'. The flaw is exploitable regardless of PHP's 'register_globals' setting, so disabling register_globals is not a mitigation: a remote attacker can inject and execute arbitrary commands with the privileges of the web server account.
* References:
  http://info.tikiwiki.org/tiki-read_article.php?articleId=14
  http://www.securityfocus.com/archive/1/482006/30/0/threaded
  http://www.frsirt.com/english/advisories/2007/3492
  http://secunia.com/advisories/27190
* Platforms Affected: TikiWiki (Open Source Technology Group) versions prior to 1.9.8.1, on any operating system and version
Recommendation |
Upgrade to TikiWiki 1.9.8.1 or later, available from the TikiWiki Download Web site at http://tikiwiki.org/Download. Verify the installed version after the upgrade; no configuration change (including 'register_globals') closes this issue.
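The two checks a practitioner would run against this entry, as an added example that is not part of the advisory or of TikiWiki itself: a version comparison that reproduces the affected range stated above ("prior to 1.9.8.1"), and a heuristic scan of web-server access-log lines for requests to tiki-graph_formula.php whose f[] values name PHP functions that have no place in a plotting formula. The log lines are constructed for this example, and the list of flagged function names is an assumption of the example, not something the advisory specifies.

```python
"""Added example for the TikiWiki tiki-graph_formula.php entry (CVE-2007-5423).

Not code from the advisory or the TikiWiki project. Two checks:
  1. is_vulnerable_version(): is an observed TikiWiki version below 1.9.8.1?
  2. scan_log(): flag access-log requests to tiki-graph_formula.php whose
     f[] values carry PHP function names unrelated to plotting (heuristic;
     the function list below is this example's assumption).
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

FIXED_VERSION = "1.9.8.1"  # first fixed release per the advisory


def parse_version(v: str) -> tuple:
    """Turn '1.9.8.1' into (1, 9, 8, 1); stops at a non-numeric piece such as 'rc1'."""
    parts = []
    for piece in v.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_vulnerable_version(v: str) -> bool:
    """True when v sorts before 1.9.8.1. Tuple comparison gives 1.9.8 < 1.9.8.1
    and 1.10 > 1.9.8.1, which a plain string compare would get wrong."""
    return parse_version(v) < parse_version(FIXED_VERSION)


# PHP built-ins that a plotting formula never needs. Presence of one inside an
# f[] value is what this example flags. Assumed list, not from the advisory.
SUSPICIOUS_CALLS = re.compile(
    r"\b(system|exec|passthru|shell_exec|popen|proc_open|eval|assert|"
    r"phpinfo|base64_decode|file_get_contents|file_put_contents|fwrite|"
    r"include|require)\b",
    re.IGNORECASE,
)

# Apache combined log format, up to the status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)


def check_request(uri: str) -> list:
    """Return the suspicious f[] values found in one request URI ([] if none)."""
    parts = urlsplit(uri)
    if parts.path.rsplit("/", 1)[-1] != "tiki-graph_formula.php":
        return []
    qs = parse_qs(parts.query, keep_blank_values=True)
    hits = []
    for key, values in qs.items():
        # PHP array syntax: f[] or f[0], f[1], ... (parse_qs decodes f%5B%5D to f[]).
        if not key.startswith("f["):
            continue
        for value in values:
            value = unquote(value)  # second decode catches double-encoded payloads
            if SUSPICIOUS_CALLS.search(value):
                hits.append(value)
    return hits


def scan_log(text: str) -> list:
    """Scan access-log text; return one finding dict per flagged request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = check_request(m.group("uri"))
        if hits:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"), "f": hits})
    return findings


# Constructed sample log: one legitimate plot request, one request carrying a
# PHP call in f[] (constructed for the example; not a working exploit), one
# unrelated page hit.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Oct/2007:10:01:02 +0000] "GET /tiki/tiki-graph_formula.php?w=400&h=300&s=1&min=-3&max=3&f[]=sin(x)&t=png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Oct/2007:10:01:05 +0000] "GET /tiki/tiki-graph_formula.php?w=1&h=1&s=1&min=1&max=2&f%5B%5D=system%28%27id%27%29&t=png HTTP/1.1" 200 312 "-" "curl/7.16.0"
198.51.100.9 - - [12/Oct/2007:10:01:09 +0000] "GET /tiki/tiki-index.php?page=HomePage HTTP/1.1" 200 9000 "-" "curl/7.16.0"
"""

if __name__ == "__main__":
    for ver in ("1.9.7", "1.9.8", "1.9.8.1", "1.10"):
        print(f"TikiWiki {ver}: {'VULNERABLE' if is_vulnerable_version(ver) else 'not affected'}")
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} suspicious f[] values: {f['f']}")
```

The version check is the authoritative test for this entry; the log scan is only a triage aid, since a legitimate formula such as sin(x) also contains a function call, which is why the example matches on specific PHP built-ins rather than on parentheses.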
Related URL: CVE-2007-5423 (CVE)
Related URL: 26006 (SecurityFocus)
Related URL: 37076 (ISS)