Info

Disclosure

Jul 12, 2004

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

Hiki contains a flaw that may allow a malicious user to gain access to unauthorized privileges. In versions 0.6.3 and 0.7-devel-20040407, an attacker, who has first bypassed the application's authentication by issuing artibrary queries as though following the "OK" link, may embed arbitrary code into the configuration file, which runs with the privileges of the CGI program. In versions 0.6.4 and 0.7-devel-20040618, the attacker must be an authenticated user before being allowed to embed arbitrary code in the configuration file. This flaw may lead to a loss of integrity.

Classification

Location: Remote/Network Access Required
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Rumored / Private
Disclosure: OSVDB Verified

Solution

Upgrade to version 0.6.5, 0.7.0-devel-20040626 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Hiki Development Team	Hiki	0.6.4
		0.7-devel-20040618

References

Related OSVDB ID: 19332 19340
Vendor URL: http://hikiwiki.org/
Vendor Specific Advisory URL: http://hikiwiki.org/en/advisory20040712.html

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/36218

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Hiki Development Team

Hiki

References

Credit