#992 Attackers can unlink any file

Milestone: BRANCH-1-8_(CVS)
Status: closed-fixed
Owner: nobody
Labels: Security (29)
Priority: 5
Updated: 2003-10-31
Created: 2003-10-31
Creator: Anonymous
Private: No

Dear Sir,
We have found that the following lines of code from Tiki
CMSGroupware are vulnerable to script injection. We
have listed them below. If you'd like more detailed
information, please feel welcome to e-mail me. More
importantly, if you intend to patch this vulnerability in
the future, please also reply and let me know. Thanks a
lot!

Best regards,
Yao-Wen (Wayne) Huang
Research assistant, Institute of Information Science,
Academia Sinica, Taiwan
Ph.D. candidate, Department of Electrical Engineering,
National Taiwan University

File: tikiwiki-1.7.3\tiki-backup.php
Line: 28, variable: $filename

    if(isset($_REQUEST["remove"])) {
        $filename = "backups/$tikidomain".$_REQUEST["remove"];
        unlink($filename);

Short description:
Since $filename came directly from HTTP requests, it
cannot be used directly as parameters to call unlink().
Therefore the code is vulnerable, and allows an attacker
to execute unlink() with arbitrary parameters.
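
The check this report calls for, as an added example that is not part of the original report and is not Tiki's actual fix: the "remove" value is accepted only if it names an existing regular file directly inside the backup directory. The helper name resolve_backup_file(), the ".sql" naming scheme and the demo directory are assumptions made for illustration.

```php
<?php
// Added example; resolve_backup_file() is a hypothetical helper, not Tiki code.

/**
 * Map a request-supplied name to a file inside $backupDir.
 * Returns the canonical path, or null if the name must not be unlinked.
 */
function resolve_backup_file(string $backupDir, $name): ?string
{
    // $_REQUEST values can be arrays (?remove[]=x); accept plain strings only.
    if (!is_string($name)) {
        return null;
    }
    // Allow-list a bare file name: no separators, no NUL, no leading dot.
    // The ".sql" suffix is an assumed naming scheme for backup files.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]*\.sql\z/', $name)) {
        return null;
    }
    // Canonicalise both sides so symlinks cannot move the target elsewhere.
    $base = realpath($backupDir);
    $path = realpath($backupDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null; // directory or file does not exist
    }
    // The resolved file must sit directly in the backup directory.
    if (dirname($path) !== $base || !is_file($path)) {
        return null;
    }
    return $path;
}

// Constructed demo: a throwaway directory stands in for "backups/$tikidomain".
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'backups_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'site_2003-10-31.sql', "-- constructed sample\n");

// Constructed request values: one valid name and three that must be refused.
$candidates = ['site_2003-10-31.sql', '../tiki-index.php', 'missing.sql', ['x']];
foreach ($candidates as $remove) {
    $target = resolve_backup_file($dir, $remove);
    if ($target !== null) {
        unlink($target); // only reached for a validated path
    }
    echo json_encode($remove), ' => ', $target === null ? "rejected\n" : "removed\n";
}
rmdir($dir); // succeeds because only the validated file was deleted
```

A delete action like this should also require an authenticated administrator and a POST request with an anti-CSRF token; path validation alone only limits which file can be removed.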

Discussion

  • Nobody/Anonymous

    Logged In: NO

    My e-mail: ywhuang@openwaves.net

     
  • Philippe Cloutier

    • status: open --> closed-fixed
     
  • Philippe Cloutier

    Logged In: YES
    user_id=738765

    Thank you for this report!
    mose said it was fixed ;)

     
