Subject: TikiWiki Sql injection & XSS Vulnerabilities
From: "[email protected]" <bug@securitynews.ir.>
To: <bugtraq@securityfocus.com.>
Message-ID: <c6c28ef58cd18af74ada05ea6c211a28@securitynews.ir.>
Date: Wed, 14 Jun 2006 00:53:37 +0430
User-Agent: Mailer
MIME-Version: 1.0
Content-Type: text/plain;charset=utf-8
Content-Transfer-Encoding: 8bit
Importance: Normal
X-Mailer: Mailer
X-Priority: 3 (Normal)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server.persianwebhost.com
X-AntiAbuse: Original Domain - securityfocus.com
X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12]
X-AntiAbuse: Sender Address Domain - securitynews.ir
X-Source:
X-Source-Args:
X-Source-Dir:
X-Virus-Scanned: antivirus-gw at tyumen.ru
----------------------------------------------------------------
[#] Security Advisory
[^] http://securitynews.ir/
[>] Advisory Title: TikiWiki Sql injection & XSS Vulnerabilities
[@] Author : bug [@] securitynews.ir
[$] Product Vendor : http://tikiwiki.org/
[.] Affected Versions : 1.9.3.2 (and maybe before)
[/] Release Date : 06/13/2006
----------------------------------------------------------------
[*] Overview :
Tikiwiki is a very powerful multilingual Wiki/CMS/Groupware, but
it has some security bugs too .
One sql injection and several cross-site scripting bugs have
been found in tikiwiki 1.9.3.2 (and tested in 1.9.3.1) .
[*] Details :
No exploitable detail is going to be released .
[*] Solution :
Vendor contacted on 06/09/2006 and they have been released a new
version (tikiwiki 1.9.4) :
http://sourceforge.net/project/showfiles.php?group_id=64258
------------------------------
http://securitynews.ir/
