CVE-2020-15906
📋 TL;DR
This vulnerability in Tiki Wiki CMS Groupware allows attackers to bypass authentication by resetting the admin password to blank after 50 failed login attempts. It affects all Tiki installations before version 21.2, enabling complete system compromise.
💻 Affected Systems
- Tiki Wiki CMS Groupware
📦 What is this software?
Tiki by Tiki
⚠️ Risk & Real-World Impact
Worst Case
Full administrative control over the Tiki instance, allowing data theft, defacement, malware injection, and lateral movement to connected systems.
Likely Case
Unauthorized administrative access leading to data manipulation, privilege escalation, and potential ransomware deployment.
If Mitigated
Limited impact if strong network segmentation, monitoring, and additional authentication layers are in place.
🎯 Exploit Status
Exploit requires only 50 HTTP POST requests to tiki-login.php with invalid credentials. Easily automated with simple scripts.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 21.2 or later
Vendor Advisory: https://info.tiki.org/article473-Security-Releases-of-all-Tiki-versions-since-16-3
Restart Required: No
Instructions:
1. Back up your Tiki installation and database.
2. Download Tiki 21.2 or later from official sources.
3. Replace all files with the patched version.
4. Run the upgrade script if prompted.
5. Verify that the admin password is not blank.
🔧 Temporary Workarounds
Rate Limit Login Attempts
Implement a web application firewall rule or server-side rate limiting to block source IPs after multiple failed login attempts.
# Example using iptables (xt_recent): record each new connection to port 80 and drop a source
# that opens 50 or more within 60 seconds. Note that this counts connections, not failed logins,
# so tune the limits for your traffic and add a matching pair of rules for port 443 if you serve HTTPS.
# xt_recent caps --hitcount at 20 by default; raise the module parameter ip_pkt_list_tot
# (e.g. in /etc/modprobe.d) or lower --hitcount, otherwise the second rule is rejected.
iptables -A INPUT -p tcp --dport 80 --syn -m recent --name TIKIATTACK --set
iptables -A INPUT -p tcp --dport 80 --syn -m recent --name TIKIATTACK --update --seconds 60 --hitcount 50 -j DROP
Disable tiki-login.php
Temporarily rename or move the vulnerable file while keeping an alternative authentication method available.
# run from the Tiki web root
mv tiki-login.php tiki-login.php.disabled
🧯 If You Can't Patch
- Implement strict network ACLs so that the Tiki administration interface is reachable only from trusted IPs.
- Enable detailed logging and monitoring, and alert on more than 10 failed login attempts from a single source.
🔍 How to Verify
Check if Vulnerable:
Check whether the file tiki-login.php exists and the version is below 21.2. Attempt 50 failed logins, then test whether the admin account logs in with a blank password.
Check Version:
grep -r "tiki_version" db/local.php | grep -o "[0-9]\+\.[0-9]\+"
Verify Fix Applied:
Confirm that the version is 21.2 or higher. Attempt 50 failed logins and verify that the admin password still works (a blank password should fail).
📡 Detection & Monitoring
Log Indicators:
- 50+ consecutive failed login attempts from a single IP within a short timeframe
- Successful admin login with blank password
Network Indicators:
- Burst of POST requests to /tiki-login.php
- Unusual admin activity following login attempt patterns
SIEM Query:
source="web.log" (url="/tiki-login.php" AND status=401) | stats count by src_ip | where count >= 50
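The SIEM query above gives a batch count per source; the following is an added example (not part of the original advisory) that applies the same logic as a sliding window over raw access-log lines and also raises the "successful login after a burst" indicator. It assumes the combined log format, that a failed login is logged as 401 (as the query above assumes) and a successful one as a 302 redirect; the sample lines are constructed, not real traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Fields of one combined-format access-log line (ip, ts, method, path, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT), "method": m["method"],
            "path": m["path"].split("?", 1)[0], "status": int(m["status"])}

def detect_login_bursts(lines, threshold=50, window=timedelta(minutes=5),
                        fail_status=401, success_status=302):
    """Sliding-window form of the page's SIEM query. Emits ("burst", ip, ts) once
    `threshold` failed POSTs to /tiki-login.php from one IP fall inside `window`, then
    ("success_after_burst", ip, ts) if that IP gets a login success response. The
    status codes are assumptions (401 per the page's query, 302 a post-login redirect)."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failed logins
    burst_ips, alerts = set(), []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST" or ev["path"] != "/tiki-login.php":
            continue
        if ev["status"] == fail_status:
            q = failures[ev["ip"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # forget attempts older than the window
                q.popleft()
            if len(q) >= threshold and ev["ip"] not in burst_ips:
                burst_ips.add(ev["ip"])
                alerts.append(("burst", ev["ip"], ev["ts"]))
        elif ev["status"] == success_status and ev["ip"] in burst_ips:
            alerts.append(("success_after_burst", ev["ip"], ev["ts"]))
    return alerts

def sample_log():
    """Constructed sample traffic (not real data): 50 failed logins from one IP within
    25 s followed by a successful login, plus one ordinary user's single typo."""
    base = datetime(2020, 10, 21, 10, 0, 0, tzinfo=timezone.utc)
    def line(ip, secs, method, path, status):
        ts = (base + timedelta(seconds=secs)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "curl/7.68.0"'
    lines = [line("203.0.113.7", i // 2, "POST", "/tiki-login.php", 401) for i in range(50)]
    lines.append(line("203.0.113.7", 30, "POST", "/tiki-login.php", 302))
    lines.append(line("198.51.100.4", 40, "POST", "/tiki-login.php", 401))
    return lines
```

Running `detect_login_bursts(sample_log())` yields a burst alert for 203.0.113.7 followed by a success-after-burst alert for the same address, while the single failure from 198.51.100.4 produces nothing.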
🔗 References
- http://packetstormsecurity.com/files/159663/Tiki-Wiki-CMS-Groupware-21.1-Authentication-Bypass.html
- https://info.tiki.org/article473-Security-Releases-of-all-Tiki-versions-since-16-3