CVE-2024-51507
📋 TL;DR
This stored cross-site scripting (XSS) vulnerability in Tiki allows authenticated users with specific permissions to inject malicious scripts into the 'Name' field of the 'Create/Edit External Wiki' feature. When other users view pages containing this malicious content, their browsers execute the injected scripts, potentially compromising their sessions or performing unauthorized actions. This affects all Tiki installations up to version 27.0.
💻 Affected Systems
- Tiki Wiki CMS Groupware
📦 What is this software?
Tiki by Tiki
⚠️ Risk & Real-World Impact
Worst Case
An attacker could steal administrator session cookies, perform actions as other users, deface the website, or redirect users to malicious sites, potentially leading to complete system compromise if combined with other vulnerabilities.
Likely Case
Attackers with appropriate permissions could inject malicious scripts that steal user session tokens or perform unauthorized actions when viewed by other users, leading to account compromise and data theft.
If Mitigated
With proper input validation and output encoding, the impact is limited to users viewing malicious content, but session hijacking and unauthorized actions could still occur.
🎯 Exploit Status
Exploitation requires authenticated access with specific permissions. The GitHub reference shows proof-of-concept payloads.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 27.1 or later
Vendor Advisory: https://security.tiki.org/Disclose-a-Vulnerability
Restart Required: No
Instructions:
1. Backup your Tiki installation and database.
2. Download Tiki version 27.1 or later from the official website.
3. Replace all files with the new version, preserving your configuration files.
4. Run the upgrade script if prompted.
5. Verify the fix by checking that XSS payloads are properly sanitized.
🔧 Temporary Workarounds
Input Validation Workaround
Implement server-side input validation to sanitize the 'Name' field in external wiki creation/editing forms
Modify relevant PHP files to add htmlspecialchars() or similar sanitization functions to the Name field processing
Permission Restriction
Temporarily restrict 'Create/Edit External Wiki' permissions to trusted administrators only
Navigate to Tiki Admin > Permissions > Manage Groups and remove 'tiki_p_edit_external_wikis' from non-admin users
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block XSS payloads in the Name parameter
- Enable Content Security Policy (CSP) headers to restrict script execution sources
🔍 How to Verify
Check if Vulnerable:
Log in as a user with external wiki permissions, create an external wiki whose Name field contains <script>alert('XSS')</script>, then view a page that displays that entry and check whether the script executes.
Check Version:
Check Tiki version in Admin > System Information or view the tiki_version.php file
Verify Fix Applied:
After patching, repeat the vulnerable test with the same XSS payload. The script should not execute and the payload should be displayed as plain text.
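The Input Validation Workaround above names htmlspecialchars() as the fix, and the verification steps describe the before/after behaviour in the browser. The following is an added example, not Tiki's own code, that shows both in one place: a deliberately vulnerable render of the Name field beside the encoded one (Python's html.escape with quote=True behaves like PHP's htmlspecialchars with ENT_QUOTES), plus an automated check that reproduces the "Verify Fix Applied" step by parsing the rendered fragment and confirming the payload appears only as text. The function names, the _Audit parser class and the ext-wiki-name CSS class are assumptions made for the example; the payload is the one the advisory itself uses.

```python
"""Added example (not Tiki code): output encoding for the external wiki
'Name' field and an automated version of the advisory's verification step."""
import html
from html.parser import HTMLParser

# Payload taken from the advisory's own "Check if Vulnerable" step.
XSS_PAYLOAD = "<script>alert('XSS')</script>"


def render_name_vulnerable(name: str) -> str:
    """Pre-fix behaviour: the stored Name is concatenated into the page
    unencoded, so markup inside it becomes live markup in the viewer's
    browser (the stored XSS the advisory describes)."""
    return f'<td class="ext-wiki-name">{name}</td>'   # class name is constructed


def render_name_fixed(name: str) -> str:
    """Workaround/fix: encode on output. html.escape(quote=True) mirrors
    htmlspecialchars($name, ENT_QUOTES) in PHP, which the workaround names."""
    return f'<td class="ext-wiki-name">{html.escape(name, quote=True)}</td>'


class _Audit(HTMLParser):
    """Minimal parser that records which elements a fragment creates and
    what visible text it contains (character references are decoded)."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.text: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        self.text.append(data)


def payload_rendered_as_text(fragment: str, payload: str = XSS_PAYLOAD) -> bool:
    """True when the payload shows up only as visible text and no <script>
    element was created, i.e. the state the advisory's "Verify Fix Applied"
    step expects after patching."""
    parser = _Audit()
    parser.feed(fragment)
    parser.close()
    return "script" not in parser.tags and payload in "".join(parser.text)


if __name__ == "__main__":
    print("vulnerable render passes check:",
          payload_rendered_as_text(render_name_vulnerable(XSS_PAYLOAD)))
    print("fixed render passes check:",
          payload_rendered_as_text(render_name_fixed(XSS_PAYLOAD)))
```

Note that the check parses the HTML rather than grepping for the literal payload string: the encoded output still contains the characters of the payload once entities are decoded, so a plain substring search on the raw fragment would report the fixed page as vulnerable.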
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to external wiki creation/editing endpoints with script tags in parameters
- Multiple failed login attempts followed by successful access to external wiki features
Network Indicators:
- HTTP requests containing script tags in the 'name' parameter of external wiki forms
- Outbound connections to suspicious domains following page views
SIEM Query:
source="web_logs" AND (uri_path="/tiki-edit_external_wikis.php" OR uri_path="/tiki-admin_external_wikis.php") AND (param_name="name" AND param_value MATCHES "<script.*>")
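The SIEM query above is written in a generic pseudo-syntax. As an added example (not part of the advisory and not Tiki code), the script below applies the same logic to web server log lines: it scopes to the two external-wiki endpoints the query names, URL-decodes the name parameter so percent-encoded or mixed-case script tags are still caught, and returns the matching requests. The sample log lines are constructed for the example; the endpoint paths and the "name" parameter come from the advisory. Ordinary access logs do not record POST bodies, so for POST submissions feed it lines from a WAF or request-body log that expose the parameters.

```python
"""Added example (not Tiki code): flag requests to the external-wiki
endpoints whose 'name' parameter carries a script tag, mirroring the
advisory's SIEM query on raw log lines."""
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint paths named in the advisory's SIEM query.
EXTERNAL_WIKI_ENDPOINTS = {
    "/tiki-edit_external_wikis.php",
    "/tiki-admin_external_wikis.php",
}

# Combined-log-style line; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Case-insensitive so <SCRIPT> and <ScRiPt> are caught as well as <script>.
SCRIPT_TAG_RE = re.compile(r"<script\b", re.IGNORECASE)

# Constructed sample lines (not real traffic). The first carries the
# advisory's own test payload, URL-encoded as a browser would send it.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Nov/2024:10:15:01 +0000] "POST /tiki-admin_external_wikis.php?name=%3Cscript%3Ealert(%27XSS%27)%3C%2Fscript%3E&url=http%3A%2F%2Fwiki.example HTTP/1.1" 302 0
10.0.0.7 - bob [12/Nov/2024:10:16:44 +0000] "POST /tiki-admin_external_wikis.php?name=Partner+Wiki&url=http%3A%2F%2Fwiki.example HTTP/1.1" 302 0
10.0.0.9 - carol [12/Nov/2024:10:17:10 +0000] "GET /tiki-index.php?page=HomePage HTTP/1.1" 200 4096
10.0.0.5 - alice [12/Nov/2024:10:18:02 +0000] "GET /tiki-edit_external_wikis.php?name=%3CScRiPt%3E HTTP/1.1" 200 2048
"""


def find_suspicious(log_text: str) -> list[dict]:
    """Return one record per request to an external-wiki endpoint whose
    decoded 'name' parameter contains a script tag."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a request line we understand
        parts = urlsplit(m["target"])
        if parts.path not in EXTERNAL_WIKI_ENDPOINTS:
            continue                      # out of scope for this query
        # parse_qs percent-decodes and turns '+' into spaces, so the regex
        # sees the value as the PHP side would store it.
        for value in parse_qs(parts.query).get("name", []):
            if SCRIPT_TAG_RE.search(value):
                hits.append({"ip": m["ip"], "user": m["user"], "ts": m["ts"],
                             "path": parts.path, "name": value})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['user']} {hit['path']} name={hit['name']!r}")
```

Decoding before matching is the point of this example: a SIEM rule that matches the literal string "<script" against the raw request line misses "%3Cscript%3E", which is how a browser actually submits the form.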