Title: WikkiTikkiTavi Remote File Include Vulnerability
Severity: HIGH
Description:
WikkiTikkiTavi is a freely available engine for running a Wiki site. Wiki sites are web communities which are based on the idea that every webpage is editable by users of the website. WikkiTikkiTavi is back-ended by a MySQL database and runs on most Linux and Unix variants, as well as Microsoft Windows NT/2000 operating systems.
A vulnerability has been discovered in WikkiTikkiTavi which may allow a malicious user to execute arbitrary PHP code.
WikkiTikkiTavi permits remote file including. As a result, a remote attacker may include an arbitrary file located on a remote host. For example, the attacker can define their own Template Directory via a web request, and the Template directory may be located on a remote host.
If this file is a PHP script, it will be executed on the host running the vulnerable software with the privileges of the webserver.
The attacker may use this as an opportunity to gain local access on the host running the vulnerable software.
Affected Products:
- WikkiTikkiTavi WikkiTikkiTavi 0.10.0
- WikkiTikkiTavi WikkiTikkiTavi 0.20.0
- WikkiTikkiTavi WikkiTikkiTavi 0.5.0
References:
- WikkiTikkiTavi: WikkiTikkiTavi Homepage
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
