TikiWiki elFinder file upload

Added: 07/14/2016

Background

TikiWiki is a multi-purpose web content management system written in PHP.

Problem

The third-party elFinder component allows unauthenticated users to upload arbitrary files, which can then be executed using a simple HTTP request.

Resolution

Upgrade to TikiWiki 12.9, 14.4, 15.2, or higher.

References

https://www.exploit-db.com/exploits/40091/

Limitations

Exploit works on TikiWiki 15.0 on Linux.