Tiki Wiki CMS 15.2 Arbitrary File Read

2017.03.12

Credit: Zhao Liang

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2016-10143

CWE: CWE-200

CVSS Base Score: 5/10

Impact Subscore: 2.9/10

Exploitability Subscore: 10/10

Exploit range: Remote

Attack complexity: Low

Authentication: No required

Confidentiality impact: Partial

Integrity impact: None

Availability impact: None

Credits
===============
Zhao Liang, Huawei Weiran Labs


Vendor:
===============
Tiki


Product:
========================
Tiki Wiki CMS

The Tiki Wiki CMS Groupware project (aka TikiWiki or Tiki) is an open source initiative that releases and maintains a powerful OpenSource Content Management System (CMS) and Groupware called Tiki.


Vulnerability Type:
================================
Access Validation Error


CVE Reference:
==============
CVE-2016-10143


Vulnerability Details:
=====================
This vulnerability allows remote users to read arbitrary files on a targeted system via a crafted pathname in the banner URL field of Tiki Wiki.


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Best Regards,
Zhao Liang, Huawei Weiran Labs

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Tiki Wiki CMS 15.2 Arbitrary File Read

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.