VID | 210081
Severity | 30
Port | 80, ...
Protocol | TCP
Class | CGI
Detailed Description |
The TikiWiki software is vulnerable to multiple local file include vulnerabilities via the 'tiki-index.php' script. Tiki CMS/Groupware (aka TikiWiki) is a freely available Content Management System (CMS) and Groupware written in PHP. TikiWiki versions prior to 1.9.8.2 are vulnerable to a local file include vulnerability caused by improper validation of user-supplied input passed to the 'error_handler_file' and/or 'local_php' parameters of the 'tiki-index.php' script. If register_globals is enabled, an unauthenticated remote attacker could exploit this vulnerability to view arbitrary files or to execute arbitrary PHP code on the affected system. In addition, the component is also reportedly affected by multiple cross-site scripting vulnerabilities involving other parameters to the same script.
* References:
  http://info.tikiwiki.org/tiki-read_article.php?articleId=15
  http://www.securityfocus.com/archive/1/482801/30/0/threaded
* Platforms Affected:
  Open Source Technology Group, TikiWiki versions prior to 1.9.8.2
  Any operating system, any version
Recommendation |
Upgrade to the latest version of TikiWiki (1.9.8.2 or later), available from the TikiWiki Download Web site at http://tikiwiki.org/Download
Related URL | CVE-2007-5683, CVE-2007-5684 (CVE)
Related URL | 26211 (SecurityFocus)
Related URL | 38110, 38112, 38116, 38117 (ISS)