ID CVE-2006-4602
Summary Unrestricted file upload vulnerability in jhot.php in TikiWiki 1.9.4 Sirius and earlier allows remote attackers to execute arbitrary PHP code via a filepath parameter that contains a filename with a .php extension, which is uploaded to the img/wiki/ directory.
References
Vulnerable Configurations
  • Tiki Tikiwiki CMS/Groupware 1.9.4
    cpe:2.3:a:tiki:tikiwiki_cms%2fgroupware:1.9.4
CVSS
Base: 7.5 (as of 07-09-2006 - 13:22)
Impact:
Exploitability:
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: PARTIAL
exploit-db via4
  • description TikiWiki <= 1.9 Sirius (jhot.php) Remote Command Execution Exploit. CVE-2006-4602. Webapps exploit for php platform
    file exploits/php/webapps/2288.php
    id EDB-ID:2288
    last seen 2016-01-31
    modified 2006-09-02
    platform php
    port
    published 2006-09-02
    reporter rgod
    source https://www.exploit-db.com/download/2288/
    title TikiWiki <= 1.9 Sirius jhot.php Remote Command Execution Exploit
    type webapps
  • description TikiWiki jhot Remote Command Execution. CVE-2006-4602. Webapps exploit for php platform
    id EDB-ID:16885
    last seen 2016-02-02
    modified 2010-07-25
    published 2010-07-25
    reporter metasploit
    source https://www.exploit-db.com/download/16885/
    title TikiWiki jhot Remote Command Execution
metasploit via4
description TikiWiki contains a flaw that may allow a malicious user to execute arbitrary PHP code. The issue is triggered due to the jhot.php script not correctly verifying uploaded files. It is possible that the flaw may allow arbitrary PHP code execution by uploading a malicious PHP script resulting in a loss of integrity. The vulnerability was reported in Tikiwiki version 1.9.4.
id MSF:EXPLOIT/UNIX/WEBAPP/TIKIWIKI_JHOT_EXEC
last seen 2019-01-28
modified 2017-07-24
published 2009-03-28
reliability Excellent
reporter Rapid7
source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/tikiwiki_jhot_exec.rb
title TikiWiki jhot Remote Command Execution
nessus via4
  • NASL family CGI abuses
    NASL id TIKIWIKI_JHOT_ARBITRARY_UPLOADS.NASL
    description The 'jhot.php' script included with the version of TikiWiki installed on the remote host allows an unauthenticated attacker to upload arbitrary files to a known directory within the web server's document root. Provided PHP's 'file_uploads' setting is enabled, which is true by default, this flaw can be exploited to execute arbitrary code on the affected host, subject to the privileges of the web server user id.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 22303
    published 2006-09-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22303
    title TikiWiki jhot.php Arbitrary File Upload
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200609-16.NASL
    description The remote host is affected by the vulnerability described in GLSA-200609-16 (Tikiwiki: Arbitrary command execution) A vulnerability in jhot.php allows for an unrestricted file upload to the img/wiki/ directory. Additionally, an XSS exists in the highlight parameter of tiki-searchindex.php. Impact : An attacker could execute arbitrary code with the rights of the user running the web server by uploading a file and executing it via a filepath parameter. The XSS could be exploited to inject and execute malicious script code or to steal cookie-based authentication credentials, potentially compromising the victim's browser. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 22460
    published 2006-09-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22460
    title GLSA-200609-16 : Tikiwiki: Arbitrary command execution
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_E4C62ABD506511DBA5AE00508D6A62DF.NASL
    description Secunia reports : Thomas Pollet has discovered a vulnerability in TikiWiki, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed to the 'highlight' parameter in tiki-searchindex.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. rgod has discovered a vulnerability in TikiWiki, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to the 'jhot.php' script not correctly verifying uploaded files. This can e.g. be exploited to execute arbitrary PHP code by uploading a malicious PHP script to the 'img/wiki' directory.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 22490
    published 2006-10-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22490
    title FreeBSD : tikiwiki -- multiple vulnerabilities (e4c62abd-5065-11db-a5ae-00508d6a62df)
packetstorm via4
data source https://packetstormsecurity.com/files/download/82371/tikiwiki_jhot_exec.rb.txt
id PACKETSTORM:82371
last seen 2016-12-05
published 2009-10-30
reporter Matteo Cantoni
source https://packetstormsecurity.com/files/82371/TikiWiki-jhot-Remote-Command-Execution.html
title TikiWiki jhot Remote Command Execution
refmap via4
bid 19819
confirm http://tikiwiki.org/tiki-read_article.php?articleId=136
gentoo GLSA-200609-16
misc http://isc.sans.org/diary.php?storyid=1672
osvdb 28456
secunia
  • 21733
  • 22100
vupen ADV-2006-3450
saint via4
bid 19819
description TikiWiki file upload vulnerability (jhot.php)
id web_prog_php_tikiwikiupload
osvdb 28456
title tikiwiki_jhot_upload
type remote
Last major update 24-10-2012 - 00:00
Published 06-09-2006 - 20:04
Last modified 18-10-2017 - 21:29