Tikiwiki on Inliniac

ModSecurity rules for Tikiwiki 1.x tiki-graph_formula.php Function Injection Vulnerability

Thu, 11 Oct 2007 11:13:44 +0000

A new vulnerability has been found in Tikiwiki. Read more about it here.

I’ve created the following ModSecurity rule to block it.

SecDefaultAction “log,deny,phase:2,status:403,t:urlDecodeUni,t:lowercase”

SecRule REQUEST_FILENAME “tiki-graph_formula.php” “chain,msg:‘TIKIWIKI tiki-graph_formula.php link inclusion attempt’,severity:2” SecRule ARGS:/^s*[a-z]+$/ “^(ht|f)tps?://”

SecRule REQUEST_FILENAME “tiki-graph_formula.php” “chain,msg:‘TIKIWIKI tiki-graph_formula.php f parameter Function Injection Vulnerability’,severity:2” SecRule ARGS_NAMES “^s*f[.*]$”

Ivan, I hope these rules survive your scrutiny ;-)

Updated at 13:50: The first rule only covered the file inclusion in the title parameter which was what I was seeing in my logs. These rules should cover both the inclusion and the injection.

ModSecurity rule for Tikiwiki XSS

Mon, 27 Aug 2007 15:06:22 +0000

I just read about a Tikiwiki XSS here. Since the Vuurmuur wiki runs Tikiwiki I created a ModSecurity rule for it:

SecDefaultAction “log,deny,phase:2,status:403,t:urlDecodeUni,t:lowercase”

# XSS in remind password field SecRule REQUEST_METHOD “^post$” “chain,msg:‘TIKIWIKI lost password XSS’” SecRule REQUEST_FILENAME “tiki-remind_password.php” “chain” SecRule ARGS:/s*username/ “!^(:?[a-z0-9-_]{1,37})$”

This allows only valid usernames to be entered.

Update: Ivan Ristic privately pointed me at some possible problems with the rule:

the escaping of the - and _ chars is not needed, although it seems to be harmless.
the $ at the end of the filename is dangerous, because Apache treats tiki-remind_password.php/xxx as tiki-remind_password.php. In this case the rule is evaded.
PHP (which Tikiwiki uses) ignores leading spaces in request arguments. So it treats ’ username’ the same as ‘username’. The rule needs to deal with that.

Thanks for your feedback Ivan!

Rules for reported Tikiwiki vulnerabilities

Thu, 02 Nov 2006 11:02:52 +0000

Yesterday there was a mail to the bugtraq mailinglist about two types of vulnerabilties in Tikiwiki 1.9.5. The most serious is a claimed MySQL password disclosure through a special URI. The second is an XSS, also through an special URI. The message can be found here.

I wrote ‘claimed password disclosure’, because on the Tikiwiki server I run, I could not reproduce it. With that I mean the password disclosure, since I do see that Tikiwiki gives an error that reveals other information, most notably the location of the website on the local filesystem.

ModSecurity: rule for latest Tikiwiki vulnerability

Wed, 06 Sep 2006 13:02:57 +0000

A few days ago a new vulnerability was reported in Tikiwiki 1.9.x, the software I use for the Vuurmuur Wiki. Luckily, the Snort.org Community rules quickly had a rule for detecting the attack. Because I also run ModSecurity on the webserver, i wanted to have protection there as well. This rule should block the attack:

SecFilterSelective POST_PAYLOAD “jhot.php” “log,deny,status:403,msg:‘LOCAL tikiwiki jhot.php attempt’”

Let’s see if I ever get a hit on it. An update for Tikiwiki as been released, so that should fix the issue completely.