Tiki Arbitrary File Download Vulnerability Fixed by 15.1, 12.8 and 14.3


Description   An arbitrary file download vulnerability has been identified in Tiki Wiki. A remote attacker could exploit it via a specially crafted HTTP request in order to download any file on the server.
The vulnerability is located in the "file" GET parameter of the "vendor/player/flv/flv_stream.php" script.
A proof of concept is available.
     
Vulnerable Products   TikiWiki (Tiki) versions 12.0, 12.1, 12.2, 12.3, 12.4, ..., 12.7, 14, 14.1, 14.2, 15.0
     
Solution   Versions 15.1, 12.8 and 14.3 of Tiki Wiki fix this vulnerability.
     
CVE  
     
References   - Tiki: Tiki 15.1 and multiple version updates released, Tiki 14 reaches End of Life
https://tiki.org/article432-Tiki-15-1-and-multiple-version-updates-released-Tiki-14-reaches-End-of-Life
     
Vulnerability Manager Detection   No
     
IPS Protection   ASQ Engine alarms (available since):
- Misc : Directory traversal - parameter starting with ../ (3.2.0)
- Directory traversal using ..\.. (3.2.0)
- Directory traversal (3.2.0)
- Directory traversal backward root folder (3.2.0)
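The description above names the weakness (a user-controlled "file" parameter joined to a path with no containment check) and the IPS section lists the traversal alarms that catch such requests on the wire. The following Python is an added example, not Tiki's code and not the IPS's signatures: resolve_under_root shows the containment check a file-serving script needs, and scan applies the same logic to constructed web-server access-log lines, flagging requests to flv_stream.php whose file parameter would resolve outside the media directory, including URL-encoded and double-encoded forms. The media root path, the script path and the log lines are assumed or constructed for the example.

```python
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed location of the player's media directory on the server (hypothetical path).
MEDIA_ROOT = "/var/www/tiki/vendor/player/flv"
SCRIPT_PATH = "/vendor/player/flv/flv_stream.php"


def resolve_under_root(root, requested):
    """Return the canonical path for `requested` only if it stays inside `root`.

    The user-supplied value is joined to the media root, then canonicalised
    (".." segments and symlinks resolved) before the containment test, so
    "../x", an absolute path, and encoded variants that decode to these are
    all rejected. Returns None when the result escapes the root.
    """
    if not requested or "\x00" in requested:
        return None
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, requested))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def requested_file(request_line):
    """Extract the decoded "file" parameter from an access-log request line
    such as 'GET /vendor/player/flv/flv_stream.php?file=a.flv HTTP/1.1'.
    Returns None when the request is not for the player script."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    url = urlsplit(parts[1])
    if not url.path.endswith(SCRIPT_PATH):
        return None
    values = parse_qs(url.query).get("file")
    if not values:
        return None
    # parse_qs decodes once; a second unquote exposes double-encoded ../ (%252e%252e%252f).
    return unquote(values[0])


def classify(log_line):
    """'alert' if the file parameter would escape MEDIA_ROOT (or uses
    backslash traversal), 'ok' if it stays inside, None if not relevant."""
    m = re.search(r'"([^"]*)"', log_line)
    if not m:
        return None
    requested = requested_file(m.group(1))
    if requested is None:
        return None
    if "\\" in requested:  # ..\..\ style traversal against Windows-hosted servers
        return "alert"
    return "ok" if resolve_under_root(MEDIA_ROOT, requested) else "alert"


def scan(lines):
    """Return the indices of log lines whose request should be alerted on."""
    return [i for i, line in enumerate(lines) if classify(line) == "alert"]


# Constructed access-log lines in combined log format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Jul/2016:10:00:01 +0000] "GET /vendor/player/flv/flv_stream.php?file=intro.flv HTTP/1.1" 200 51234',
    '203.0.113.5 - - [11/Jul/2016:10:00:02 +0000] "GET /vendor/player/flv/flv_stream.php?file=../../../example-secret.txt HTTP/1.1" 200 812',
    '203.0.113.5 - - [11/Jul/2016:10:00:03 +0000] "GET /vendor/player/flv/flv_stream.php?file=%2e%2e%2f%2e%2e%2fexample-secret.txt HTTP/1.1" 200 812',
    '203.0.113.5 - - [11/Jul/2016:10:00:04 +0000] "GET /vendor/player/flv/flv_stream.php?file=..%252f..%252fexample-secret.txt HTTP/1.1" 200 812',
    '203.0.113.5 - - [11/Jul/2016:10:00:05 +0000] "GET /tiki-index.php HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for i in scan(SAMPLE_LOG):
        print("traversal attempt:", SAMPLE_LOG[i])
```

The containment test compares canonical paths rather than searching the raw string for "../", which is why the encoded and double-encoded lines are caught without a separate pattern per encoding; the one string check kept is for backslashes, which os.path on a POSIX host does not treat as separators. In the application itself the same check is expressed with PHP's realpath() against the media directory before any file is opened; the fixed versions named in the Solution field are the supported remedy.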
     
Risk level   Moderate

Vulnerability First Public Report Date   2016-07-11

Target Type   Server

Possible exploit   Remote