CVE-2004-1925

Name of the Vulnerable Software and Affected Versions Tiki CMS/Groupware (TikiWiki) versions 1.8.1 and earlier

Description The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the sort mode parameter in various PHP files, including "tiki-usermenu.php", "tiki-list file gallery.php", "tiki-directory ranking.php", "tiki-browse categories.php", "tiki-index.php", "tiki-user tasks.php", "tiki-directory search.php", "tiki-file galleries.php", "tiki-list faqs.php", "tiki-list trackers.php", and "tiki-list blogs.php". Additionally, the offset parameter in some of these files is also vulnerable.

Recommendations For Tiki CMS/Groupware (TikiWiki) versions 1.8.1 and earlier, consider disabling the sort mode and offset parameters in the affected PHP files until a patch is available. Restrict access to the vulnerable PHP files to minimize the risk of exploitation. Avoid using the sort mode and offset parameters in the affected API endpoints until the issue is resolved.