CVE-2024-51509
📋 TL;DR
This stored cross-site scripting (XSS) vulnerability in Tiki allows authenticated users with specific permissions to inject malicious scripts into the 'Name' field of the Modules administration page. When other users view the affected page, the script executes in their browser context, potentially stealing session cookies or performing unauthorized actions. Only Tiki installations with users having 'Modules' administration permissions are affected.
💻 Affected Systems
- Tiki Wiki CMS Groupware
📦 What is this software?
Tiki by Tiki
⚠️ Risk & Real-World Impact
Worst Case
An attacker with appropriate permissions could steal administrator session cookies, hijack administrative accounts, deface the website, or redirect users to malicious sites, potentially leading to complete system compromise.
Likely Case
Attackers with module administration access inject malicious scripts that steal session cookies from other administrators or users viewing the modules page, leading to account takeover and privilege escalation.
If Mitigated
With proper input validation and output encoding, the malicious scripts would be rendered harmless as text rather than executable code.
🎯 Exploit Status
Exploitation requires authenticated access with specific permissions. The GitHub reference shows proof-of-concept payloads.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 27.0
Vendor Advisory: https://security.tiki.org/Disclose-a-Vulnerability
Restart Required: No
Instructions:
1. Upgrade Tiki to version 27.1 or later.
2. Apply any security patches released for versions 27.0 and earlier.
3. Verify the fix by checking that user input in the Modules Name field is properly sanitized.
🔧 Temporary Workarounds
Input Validation Workaround
Implement server-side input validation to sanitize or reject malicious script content in the Modules Name field.
Modify tiki-admin_modules.php to add HTML entity encoding for user input
Implement content security policy headers
Permission Restriction
Temporarily restrict access to tiki-admin_modules.php to only essential administrators.
Review and modify Tiki permission settings for 'tiki_p_admin_modules'
Remove module administration permissions from non-essential users
🧯 If You Can't Patch
- Implement a web application firewall (WAF) with XSS protection rules to block malicious payloads.
- Enable Content Security Policy (CSP) headers to restrict script execution sources and mitigate XSS impact.
🔍 How to Verify
Check if Vulnerable:
Test by attempting to inject a simple XSS payload like <script>alert('XSS')</script> into the Modules Name field and see if it executes when viewing the page.
Check Version:
Check the Tiki version in the administration panel, or on Linux systems run: grep -r '\$tikiversion' /path/to/tiki/
Verify Fix Applied:
After patching, attempt the same XSS payload injection and verify it appears as plain text rather than executing as JavaScript.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to tiki-admin_modules.php with script tags or JavaScript in parameters
- Multiple failed login attempts followed by module administration access
Network Indicators:
- HTTP requests containing script tags or JavaScript in the 'name' parameter to modules administration endpoints
SIEM Query:
source="web_logs" AND (url="*tiki-admin_modules.php*" AND (param="*<script>*" OR param="*javascript:*"))
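The log indicators above, turned into a small detector as an added example (not code from the advisory or the Tiki project). It assumes a web server or WAF log that records POST parameters in a params="…" field; the log lines are constructed, and it URL-decodes repeatedly so double-encoded payloads in the 'name' parameter are also caught.

```python
import re
from urllib.parse import unquote_plus, parse_qs

# Constructed sample log lines (not from a real Tiki deployment). Assumed format:
# client, user, timestamp, "METHOD path", then the URL-encoded request parameters.
SAMPLE_LOGS = [
    '10.0.0.5 - alice [01/Nov/2024:10:02:11 +0000] "POST /tiki-admin_modules.php" params="name=Recent+changes&module=last_modif"',
    '10.0.0.9 - bob [01/Nov/2024:10:03:40 +0000] "POST /tiki-admin_modules.php" params="name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&module=menu"',
    '10.0.0.9 - bob [01/Nov/2024:10:04:02 +0000] "POST /tiki-admin_modules.php" params="name=%3Ca+href%3D%22javascript%3Aalert%281%29%22%3Ex%3C%2Fa%3E"',
    '10.0.0.7 - carol [01/Nov/2024:10:05:13 +0000] "GET /tiki-index.php" params="page=HomePage"',
    '10.0.0.9 - bob [01/Nov/2024:10:06:55 +0000] "POST /tiki-admin_modules.php" params="name=%253Cscript%253Ealert%281%29%253C%252Fscript%253E"',
]

LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+)" params="(?P<params>[^"]*)"')
# The advisory's indicators: script tags or javascript: URLs in the module 'name' parameter.
SUSPICIOUS = re.compile(r"<\s*script|javascript\s*:", re.IGNORECASE)


def decode_fully(value, rounds=3):
    """URL-decode repeatedly so double-encoded payloads (%253C -> %3C -> <) are caught."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_module_name_xss(lines):
    """Return (line_number, user, decoded_name) for requests to tiki-admin_modules.php
    whose 'name' parameter carries a script tag or a javascript: URL."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LINE_RE.search(line)
        if not m or "tiki-admin_modules.php" not in m.group("path"):
            continue
        params = parse_qs(m.group("params"), keep_blank_values=True)  # decodes once
        for raw_name in params.get("name", []):
            name = decode_fully(raw_name)  # handles any remaining encoding layers
            if SUSPICIOUS.search(name):
                user = line.split()[2]  # third whitespace-separated field in the assumed format
                hits.append((lineno, user, name))
    return hits


if __name__ == "__main__":
    for lineno, user, name in flag_module_name_xss(SAMPLE_LOGS):
        print(f"line {lineno}: user {user!r} submitted suspicious module name {name!r}")
```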