Tiki Wiki CMS Groupware ELFinder Component Unauthenticated File Upload Vulnerability Allowing Remote Code Execution

Vulnerability

A vulnerability allowing unauthenticated arbitrary file uploads has been identified in Tiki Wiki CMS Groupware versions through 15.1. This issue arises in the ELFinder component, specifically via the default connector file, 'connector.minimal.php'. The vulnerability allows remote attackers to upload and execute malicious PHP scripts on the web server. The problem stems from the component's lack of file type validation, enabling attackers to craft POST requests that upload executable PHP payloads through the ELFinder interface available at '/vendor_extra/elfinder/'.

Impact

Exploitation of this vulnerability allows for unauthorized file uploads, which can be used to execute arbitrary code on the server with the same privileges as the web server user.

Reproduction

To reproduce this vulnerability, access the ELFinder interface through the Tiki Wiki installation. Navigate to the 'vendor_extra/elfinder/elfinder.html' page, which should load successfully if the application is vulnerable. Once confirmed, upload a PHP file using the ELFinder file upload feature. The uploaded file will be executed on the server, demonstrating the vulnerability.
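From a defender's side, the request pattern the advisory describes leaves a recognisable trace in web-server access logs: a successful GET of the exposed ELFinder page, a POST to the connector file, and then a request for a PHP script under the ELFinder path that was not shipped with the component. The script below is an added example for this advisory, not code from the Tiki project or the advisory author. It assumes logs in the common Apache/Nginx "combined" format, and the sample log lines, the client addresses and the `files/` upload location are constructed for illustration (the advisory does not state where uploads land).

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional

# Assumed log format: Apache/Nginx "combined" access log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Paths named in the advisory.
ELFINDER_PREFIX = "/vendor_extra/elfinder/"
ELFINDER_PAGE = ELFINDER_PREFIX + "elfinder.html"
CONNECTOR = ELFINDER_PREFIX + "connector.minimal.php"

# Constructed sample log: one client walks the sequence from the advisory,
# a second client makes an unrelated request. The upload path "files/" is assumed.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Sep/2025:19:20:01 +0000] "GET /vendor_extra/elfinder/elfinder.html HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Sep/2025:19:20:03 +0000] "POST /vendor_extra/elfinder/connector.minimal.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Sep/2025:19:20:05 +0000] "GET /vendor_extra/elfinder/files/uploaded.php HTTP/1.1" 200 57 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Sep/2025:19:21:10 +0000] "GET /tiki-index.php HTTP/1.1" 200 15220 "-" "Mozilla/5.0"
"""


@dataclass
class Finding:
    ip: str
    timestamp: str
    reason: str
    path: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop the query string so path comparisons are exact.
    rec["path"], _, rec["query"] = rec["path"].partition("?")
    return rec


def detect(lines: Iterator[str]) -> List[Finding]:
    """Flag requests matching the exposure / upload / execution pattern."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(ELFINDER_PREFIX):
            continue
        path, method, status = rec["path"], rec["method"], rec["status"]
        if path == ELFINDER_PAGE and status == 200:
            reason = "ELFinder interface reachable without authentication"
        elif path == CONNECTOR and method == "POST":
            reason = "POST to ELFinder connector (possible unauthenticated upload)"
        elif path.endswith(".php") and path != CONNECTOR:
            reason = "PHP script requested under ELFinder path (possible uploaded script)"
        else:
            continue
        findings.append(Finding(rec["ip"], rec["ts"], reason, path))
    return findings


def report(lines: Iterator[str]) -> List[str]:
    """Human-readable summary, one entry per finding."""
    return [f"{f.timestamp} {f.ip} {f.path}: {f.reason}" for f in detect(lines)]


if __name__ == "__main__":
    for entry in report(SAMPLE_LOG.splitlines()):
        print(entry)
```

Run against a real log, the third rule is the most useful one: an unpatched installation can also be hardened in the meantime by denying PHP execution under the ELFinder upload directory at the web-server level, after which that rule should stop firing while the first two still show whether the interface is being probed.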

Remediation

Users are advised to update to Tiki Wiki versions 15.2, 14.4, or 12.9 LTS, all of which include patches for this vulnerability.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 10.0
exploitability: 9.5
remediation: 7.7
relevance: 0.3
threat: 8.1
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.