Tiki Wiki CMS Groupware 24.1 tikiimporter_blog_wordpress.php PHP Object Injection

Related Vulnerabilities: CVE-2023-22851  
Publish Date: 10 Jan 2023
Tiki Wiki CMS Groupware <= 24.1 (tikiimporter_blog_wordpress.php) PHP Object Injection Vulnerability

[-] Software Link:


[-] Affected Versions:

Version 24.1 and prior versions.

[-] Vulnerability Description:

The vulnerability is located in the 
/lib/importer/tikiimporter_blog_wordpress.php script. Specifically, when 
importing data from WordPress sites through the Tiki Importer, user 
input passed through the uploaded XML file is being used in a call to 
the unserialize() PHP function. This can be exploited by malicious users 
to inject arbitrary PHP objects into the application scope, allowing 
them to perform a variety of attacks, such as executing arbitrary PHP 
code. Successful exploitation of this vulnerability requires an admin 
account (specifically, the ‘tiki_p_admin_importer’ permission). However, 
due to the CSRF vulnerability described in KIS-2023-01, this 
vulnerability might also be exploited by tricking a victim user into 
opening a web page like the following:

  <form action="http://localhost/tiki/tiki-importer.php" method="POST">
   <input type="hidden" name="importerClassName" value="TikiImporter_Blog_Wordpress" />
   <input type="hidden" name="importAttachments" value="on" />
   <input type="file" name="importFile" id="fileinput"/>
   const xmlContent = 
   const fileInput = document.getElementById("fileinput");
   const dataTransfer = new DataTransfer();
   const file = new File([xmlContent], "test.xml", {type: "text/xml"});
   fileInput.files = dataTransfer.files;
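
The unserialize() call described above, rewritten the way a defender would want it, as an added example that is not Tiki's own code: the XML element names and sample values are constructed, and it assumes the importer pulls a serialized per-item metadata value out of the uploaded export.

```php
<?php
// Added example, not Tiki's own code: the hardened replacement for the
// unserialize() call described above. Assumption: the importer reads a
// serialized value out of an element of the uploaded WordPress export;
// the element names in the constructed sample below are made up.

$xml = <<<XML
<rss><channel><item>
  <meta_key>_constructed_meta</meta_key>
  <meta_value>a:1:{s:3:"foo";s:3:"bar";}</meta_value>
</item></channel></rss>
XML;

// Vulnerable pattern from the advisory: $value = unserialize($metaValueFromXml);
// Any loadable class can then be instantiated with attacker-chosen properties
// and its __wakeup()/__destruct() will run.

// Hardened: refuse objects entirely (allowed_classes needs PHP >= 7.0). Any
// object in the payload is revived only as __PHP_Incomplete_Class, whose magic
// methods never run, and the whole value is then rejected.
function importMetaSafe(string $serialized)
{
    $value = @unserialize($serialized, ['allowed_classes' => false]);
    if ($value === false && $serialized !== 'b:0;') {
        throw new InvalidArgumentException('malformed serialized value');
    }
    if (containsObject($value)) {
        throw new InvalidArgumentException('objects are not accepted in imported metadata');
    }
    return $value;
}

function containsObject($value): bool
{
    if (is_array($value)) {
        foreach ($value as $element) {
            if (containsObject($element)) { return true; }
        }
    }
    return is_object($value);
}

$meta = (string) simplexml_load_string($xml)->channel->item->meta_value;
var_dump(importMetaSafe($meta));            // plain array: accepted
try {
    importMetaSafe('O:8:"stdClass":0:{}');  // object payload: rejected
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

If the imported field only ever carries arrays and scalars, a format with no object notion at all (JSON) removes the class of bug rather than filtering it.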

[-] Solution:

Upgrade to version 24.2 or later.

[-] Disclosure Timeline:

[07/03/2022] - Vendor notified
[23/08/2022] - Version 24.1 released
[09/01/2023] - Public disclosure

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2023-22851 to this vulnerability.

[-] Credits:

Vulnerability discovered by Egidio Romano.

[-] Original Advisory:

