mailing list archives
Advisory SE-2007-01: TikiWiki Remote PHP Code Evaluation Vulnerability
From: Stefan Esser <stefan.esser () sektioneins de>
Date: Mon, 29 Oct 2007 11:34:16 +0100
-----BEGIN PGP SIGNED MESSAGE-----
-= Security Advisory =-
Advisory: TikiWiki Remote PHP Code Evaluation Vulnerability
Release Date: 2007/10/29
Last Modified: 2007/10/29
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: TikiWiki <= 18.104.22.168
Severity: Remote PHP code execution when TikiWiki's
sheet feature is activated
Vendor Status: Vendor has released TikiWiki 22.214.171.124 which fixes this issue
Quote from http://www.tikiwiki.org
"TikiWiki (Tiki) is your Groupware/CMS (Content Management System)
solution. Tiki has the features you need:
* Wikis (like Mediawiki)
* Forums (like phpBB)
* Blogs (like WordPress)
* Articles (like Digg)
* Image Gallery (like Flickr)
* Map Server (like Google Maps)
* Link Directory (like DMOZ)
* Translation and i18n (like Babel Fish)"
TikiWiki 126.96.36.199 fixes a broken white-list check (CVE-2007-5423)
that is supposed to protect against arbitrary PHP code injection
in a call to create_function(). When we analysed the bugfix we
discovered that while the reported bug in the white-list check
is now repaired, it is still possible to execute arbitrary PHP
code by only using the strings allowed in the white-list.
However since TikiWiki 188.8.131.52 the vulnerability can only be
triggered if the 'sheet' feature of TikiWiki is activated in the
TikiWiki's tiki-graph_formula.php creates an anonymous function
with PHP's create_function() to dynamically evaluate a mathematical
function supplied by the user through the 'f' URL parameter.
To protect against arbitrary PHP code execution the TikiWiki
developers have combined a blacklist and white-list approach. On
the one hand they have blacklisted three characters and on the
other hand they only allow certain alphanumerical strings in the
The three blacklisted characters are
` - Allows execution of shell commands
' - String delimiter
" - String delimiter
The white-list of allowed alphanumerical string does only contain
mathematical function names like: sin, cos, tan, pow, ...
When TikiWiki was audited by ShAnKaR he discovered that the
white-list check was incorrectly implemented and it was therefore
possible to execute any PHP function. This vulnerability is known
as CVE-2007-5423 and was fixed with the TikiWiki 184.108.40.206 update.
Unfortunately the repaired white-list does not protect against
arbitrary PHP code execution because PHP supports variable
functions and variable variables.
$varname = 'othervar';
$$varname = 4; // set $othervar to 4
$funcname = 'chr';
$funcname(95); // call chr(95)
Because TikiWiki's blacklist does not protect against the '$'
character, the injected PHP formulas can use temporary variables
like $sin, $cos, $tan, ...
It is therefore obvious that the protection can be bypassed by
filling the temporary variables with strings representing names
of other functions. Because of TikiWiki's black- and white-list
this is a little bit tricky but possible.
First of all it seems hard to get any string at all into one
of our temporary variables because all allowed functions only
return numbers. There are however two PHP features that help:
array to string conversion and handling of unknown constants.
$sin=cosh; // cosh is an unknown constant.
// PHP assumes the string 'cosh' as value
$sin=pi(); // Creates an array
$sin=$sin.$sin; // Stringconcats of arrays. Array to string
// conversion. Becomes 'ArrayArray'
Using these tricks in combination with the ++ Operator that
also allows incrementing alphanumerical strings it is possible
to for example call the chr() function like this.
$tan=pi()-pi(); // Get 0 into $tan
$sin=cosh; // Get the string 'cosh' into $sin
$min=$sin[$tan]; // Get 'c' into $min
$tan++; // Get 1 into $tan
$min.=$sin[$tan+$tan+$tan] // Append 'h' to 'c'
$min.=$sin[$tan]; // Append 'o' to 'ch'
$min++; // Increment 'cho' to 'chp'
$min++; // Increment 'chp' to 'chq'
$min++; // Increment 'chq' to 'chr'
$min($tan) // Call chr(1)
With access to the chr() function it is possible to create
all kind of strings and therefore call any other function,
which obviously leads to arbitrary PHP code execution.
Proof of Concept:
SektionEins GmbH is not going to release a proof of concept
exploit for this vulnerability.
14. October 2007 - Notified security () tikiwiki org, patch in CVS
25. October 2007 - TikiWiki developers released TikiWiki 220.127.116.11
26. October 2007 - TikiWiki developers released TikiWiki 18.104.22.168
29. October 2007 - Public Disclosure
It is strongly recommended to upgrade to the latest version of
TikiWiki which also fixes additional vulnerabilities reported by
Grab your copy at:
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2007-5682 to this vulnerability.
pub 1024D/48A1DB12 2007-10-04 SektionEins GmbH - Signature Key <info () sektioneins de>
Key fingerprint = 4462 A777 4237 E292 F52D 5AFE 7C9C C1AF 48A1 DB12
Copyright 2007 SektionEins GmbH. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
-----END PGP SIGNATURE-----
- Advisory SE-2007-01: TikiWiki Remote PHP Code Evaluation Vulnerability Stefan Esser (Oct 29)