Tiki Wiki CMS Groupware <= 8.2 PHP Code Injection Vulnerability


Tiki Wiki CMS Groupware contains a flaw that allows a remote Cross-Site Request Forgery (CSRF / XSRF) attack which can lead to arbitrary PHP code execution. The flaw exists within the lib/wiki-plugins/wikiplugin_snarf.php script, which not properly sanitize input passed via the ‘regex’ and ‘regexres’ parameters to the snarf_ajax.php script before using it in a preg_replace() call.


Disclosure Date:

December 22, 2011