__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
                          (CIAC)

__________________________________________________________

                       INFORMATION BULLETIN

                            TikiWiki

September 11, 2006 17:00 GMT                              Number Q-309
______________________________________________________________________________

PROBLEM:       There is a TikiWiki vulnerability that is actively being
               exploited. The vulnerability is caused by the "jhot.php"
               script not correctly verifying uploaded files.

PLATFORM:      TikiWiki 1.9.4

DAMAGE:        Allows remote attackers to execute arbitrary PHP code.

SOLUTION:      Apply current patches.
______________________________________________________________________________

VULNERABILITY  The risk is MEDIUM. Remote attackers can execute arbitrary
ASSESSMENT:    code.
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/q-309.shtml
 ORIGINAL BULLETIN:  http://tikiwiki.org/tiki-read_article.php?articleId=136
 ADDITIONAL LINKS:   http://secunia.com/advisories/21733/
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4602
______________________________________________________________________________

[****** Start of TikiWiki Bulletin ******]

Tiki under attack

By: Oliver Hertel on: Sun 03 Sep, 2006 [23:44] (2818 reads)

Maybe you already found this domain partially unavailable this weekend.
Some Russian hackers are attacking Tiki installations currently, trying to
install spam and/or DoS bots. We are working at it and hope to have solved
the problems soon. Sorry for the inconvenience.

Details and quick fix here!

How you can make your system more secure against those attacks

 * Remove the file jhot.php. JGraphPad will be dysfunctional afterwards
   until we provide a fixed version. You can grab it from current CVS
   (BRANCH-1-9 or HEAD) already.

 * Edit file tiki-editpage.php. If the line

       chmod("$wiki_up/$picname", 0755); // seems necessary on some system (see move_uploaded_file doc on php.net

   exists, remove it!

 * Enable .htaccess files. Tiki comes with them already, you just have to
   rename them from _htaccess to .htaccess. Check first if your webserver
   is supporting this!

 * Fix permissions of files in the docroot. Run Tiki's fixperms.sh. We're
   working on an improvement of that script.

 * Use tiki-install.php or the mysql client to import the script
   tiki-secdb_1.9_mysql.sql into the Tiki database. With Menu / Admin
   security / Check all files you can run a job that validates all existing
   PHP files in the Tiki dir against checksums. Tiki will complain if there
   are more or modified files. Check those files.

 * Add this line to php.ini and restart Apache:

       disable_functions = passthru, system, shell_exec, popen, proc_open, exec, eval

That's what can be quickly done. If you want more:

 * chroot your Apache. The attacks use perl, wget, curl... If you chroot
   your Apache into a more or less empty tree of directories, those tries
   will fail.

 * Maybe use hardened PHP to make your system even more secure.

We can't guarantee that all this is enough. But it's a start.

How you can detect if your system is corrupted already

 * Another application is running on port 443. If you try to restart
   Apache, it will complain about the port being locked. Check with ps
   what's running with the Apache userid, then go kill it.

 * There might be a file img/wiki/tiki-config.php available. That's no
   Tiki file! If you find tmp.php, tiki-lang.php, mod_wiki.php or
   lang/lang.php, those are hacks, too; none of them is original Tiki
   code. Delete them!

[****** End of TikiWiki Bulletin ******]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of TikiWiki for the
information contained in this bulletin.
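The following audit script is an added example, not part of the CIAC or TikiWiki bulletin. It checks a Tiki 1.9 docroot for the hardening items above (jhot.php still present, the chmod 0755 line in tiki-editpage.php, _htaccess not yet renamed, the disable_functions entries in php.ini) and for the rogue files the bulletin names. The docroot and php.ini paths are arguments; the php.ini location defaults to /etc/php.ini, which is an assumption.

```shell
#!/bin/sh
# Added example: audit a Tiki 1.9 docroot against the bulletin's checklist.
# Usage: tiki_audit /path/to/tiki [/path/to/php.ini]

# Files the bulletin says are not Tiki code; any hit indicates compromise.
ROGUE_FILES="img/wiki/tiki-config.php tmp.php tiki-lang.php mod_wiki.php lang/lang.php"

# Functions the bulletin recommends listing in php.ini disable_functions.
DANGEROUS_FUNCS="passthru system shell_exec popen proc_open exec eval"

# Prints one FINDING line per problem; exit status is the number of findings.
tiki_audit() {
    docroot=$1
    phpini=${2:-/etc/php.ini}   # assumed default location
    findings=0

    # 1. The vulnerable upload script should have been removed.
    if [ -f "$docroot/jhot.php" ]; then
        echo "FINDING: $docroot/jhot.php still present (remove it)"
        findings=$((findings + 1))
    fi

    # 2. The chmod 0755 line makes uploaded files executable; it should be gone.
    if [ -f "$docroot/tiki-editpage.php" ] &&
       grep -qF 'chmod("$wiki_up/$picname", 0755)' "$docroot/tiki-editpage.php"; then
        echo "FINDING: chmod 0755 line still in tiki-editpage.php (remove it)"
        findings=$((findings + 1))
    fi

    # 3. Shipped _htaccess must be renamed to .htaccess to take effect.
    if [ -f "$docroot/_htaccess" ] && [ ! -f "$docroot/.htaccess" ]; then
        echo "FINDING: _htaccess not renamed to .htaccess"
        findings=$((findings + 1))
    fi

    # 4. Rogue files dropped by the attackers.
    for f in $ROGUE_FILES; do
        if [ -e "$docroot/$f" ]; then
            echo "FINDING: rogue file $docroot/$f (not Tiki code; delete it)"
            findings=$((findings + 1))
        fi
    done

    # 5. Every dangerous function must appear in the last disable_functions line.
    disabled=""
    [ -f "$phpini" ] && disabled=$(grep -E '^[[:space:]]*disable_functions' "$phpini" |
                                   tail -n 1 | sed 's/.*=//; s/[[:space:]"]//g')
    for fn in $DANGEROUS_FUNCS; do
        case ",$disabled," in
            *",$fn,"*) ;;
            *) echo "FINDING: $fn not in disable_functions"; findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}
```

Run it as the web server's user so that it sees the same files Apache does; a clean system exits 0.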
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can
be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide organization.
A list of FIRST member organizations and their constituencies can be
obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not
infringe privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by the United States Government or
the University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

Q-300: Security Vulnerability in the Sun Java System Content Delivery Server
Q-301: pkgadd(1M) May Set Incorrect Permissions
Q-302: mysql-dfsg-4.1
CIACTech06-001: Protecting Against SQL Injection Attacks
Q-303: Multiple DoS Vulnerabilities in the BIND 9 Software
Q-304: OpenSSL Security Update
Q-305: Mailman Security Update
Q-306: Ethereal
Q-307: Buffer Overflow Vulnerability in libX11
Q-308: gcc-3.4