Tiki Wiki CMS: Arbitrary Code Execution
Description
Tiki Wiki CMS versions prior to 12.9, 14.4, and 15.2 contain a critical vulnerability in the bundled ELFinder file manager component that allows unauthenticated remote attackers to upload arbitrary files to the web server. Attackers can exploit this flaw to upload malicious PHP scripts without requiring any authentication or user interaction. Once uploaded, these scripts can be directly executed through web requests, running with the privileges of the web server process and providing attackers with complete control over the application.
Remediation
Immediately upgrade Tiki Wiki CMS to a patched version: 12.9 or later for the 12.x branch, 14.4 or later for the 14.x branch, or 15.2 or later for the 15.x branch. If immediate patching is not possible, implement the following temporary mitigations:
1. Restrict access to the ELFinder component by blocking requests to paths containing 'elfinder' at the web server level
2. Review web server logs for suspicious file upload activity or POST requests to ELFinder endpoints
3. Scan the web application directory for recently created PHP files that may indicate compromise
4. After upgrading, conduct a security audit to ensure no malicious files were uploaded during the vulnerable period
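Steps 2 and 3 above describe a log review. As an added example that is not part of this advisory or of the Tiki project, the Python script below triages constructed combined-format access-log lines: it flags POST requests to any path containing 'elfinder' and, for the same source address, any later successful request to a .php path that had not appeared earlier in the log. The function names, the sample addresses and the sample paths are my own placeholders, not real Tiki or ELFinder routes.

```python
import re
from datetime import datetime

# Constructed sample lines in Apache/nginx "combined" format. Addresses and
# paths are placeholders; only the 'elfinder' substring drives the rule.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2016:14:02:11 +0000] "GET /tiki-index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2016:14:02:19 +0000] "POST /vendor/elfinder/connector.php HTTP/1.1" 200 87 "-" "python-requests/2.9"
203.0.113.5 - - [10/Mar/2016:14:05:40 +0000] "GET /tiki-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2016:14:06:02 +0000] "GET /uploads/x.php HTTP/1.1" 200 61 "-" "python-requests/2.9"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_elfinder_activity(log_text):
    """Return (uploads, followups): POSTs to 'elfinder' paths (step 2) and later
    200s to the same source IP for .php paths not seen earlier in the log, a
    possible hit on a freshly uploaded script (the signal behind step 3)."""
    uploads, followups = [], []
    uploader_since = {}  # ip -> time of its first ELFinder POST
    seen_php = set()     # .php paths already requested earlier in the log
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0].lower()
        if rec["method"] == "POST" and "elfinder" in path:
            uploads.append(rec)
            uploader_since.setdefault(rec["ip"], rec["ts"])
        elif (path.endswith(".php") and rec["status"] == "200"
              and rec["ip"] in uploader_since
              and rec["ts"] >= uploader_since[rec["ip"]]
              and path not in seen_php):
            followups.append(rec)
        if path.endswith(".php"):
            seen_php.add(path)
    return uploads, followups
```

Run it over your real access log with `find_elfinder_activity(open(path).read())`; the second list is the one to cross-check against step 3's filesystem scan.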
For long-term security, implement file upload restrictions, enable web application firewall rules to detect malicious file uploads, and establish a regular patching schedule for all third-party components.