Tiki Wiki CMS Groupware <= 9.2 Multiple PHP Object Injection Vulnerabilities

Description:

Tiki Wiki CMS Groupware contains a flaw that is triggered when certain scripts fail to properly sanitize user-supplied input before being used in an unserialize() call. With a specially crafted serialized object an attacker might be able to create a file containing arbitrary PHP code abusing the __destruct() method of a Zend Framework class.

References:

• CVE-2012-0911
• BID-54298
• EDB-19573
• http://info.tiki.org/article210-Tiki-10-0-is-here

Disclosure Date:

July 4, 2012