PT-2012-2943 · Tiki · Tikiwiki Cms/Groupware

Egix · Published 2012-07-12 · Updated 2024-01-21 · CVE-2012-0911

CVSS v2.0: 7.5 (High)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: TikiWiki CMS/Groupware versions prior to 6.7 LTS and prior to 8.4

Description: The issue allows remote attackers to execute arbitrary PHP code via a crafted serialized object. The object can be supplied through several parameters: cookieName to lib/banners/bannerlib.php, printpages or printstructures to tiki-print_multi_pages.php or tiki-print_pages.php, and sendpages, sendstructures or sendarticles to tiki-send_objects.php. The vulnerability arises from the improper handling of these parameters when they are processed by the unserialize function.

Recommendations: For versions prior to 6.7 LTS and prior to 8.4, update to a version that includes the security patches preventing the execution of arbitrary PHP code. As a temporary workaround, restrict access to lib/banners/bannerlib.php, tiki-print_multi_pages.php, tiki-print_pages.php and tiki-send_objects.php until a patch is applied, and avoid using the cookieName, printpages, printstructures, sendpages, sendstructures and sendarticles parameters of those scripts until the issue is resolved.
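As an added illustration (not code from TikiWiki or from this advisory), the pattern the description names, a request parameter handed straight to unserialize(), beside a hardened handler and a JSON alternative. The function names and the handling of printpages are assumed for illustration; the same hardening applies to a cookie value such as cookieName.

```php
<?php
// Added example, not TikiWiki's code. Names and inputs are constructed.

// BEFORE: the pattern the advisory describes. Any serialized value is
// accepted, including object records, so application classes that define
// __wakeup or __destruct get instantiated from attacker-controlled input.
function loadPageListVulnerable(array $request): array
{
    $pages = unserialize($request['printpages'] ?? '');
    return is_array($pages) ? $pages : [];
}

// AFTER: refuse object records and validate the decoded shape.
// allowed_classes => false (PHP 7.0+) turns every object record into
// __PHP_Incomplete_Class, so no application-class magic method runs.
// On PHP 5, which the affected releases targeted, that option does not
// exist; there the pre-check below and the JSON variant are the fallback.
function loadPageListHardened(array $request): array
{
    $raw = $request['printpages'] ?? '';
    // A list of page names never legitimately contains an object record.
    if (!is_string($raw) || preg_match('/[OC]:\d+:"/', $raw)) {
        return [];
    }
    $pages = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($pages)) {
        return [];
    }
    // Only plain strings are meaningful page names; drop everything else.
    return array_values(array_filter($pages, 'is_string'));
}

// Better still: carry the list as JSON, which cannot express PHP objects.
function loadPageListJson(array $request): array
{
    $pages = json_decode($request['printpages'] ?? '', true);
    return is_array($pages) ? array_values(array_filter($pages, 'is_string')) : [];
}

// Constructed inputs exercising the hardened handler.
$benign = serialize(['HomePage', 'SandBox']);
$objectRecord = 'O:9:"SomeClass":0:{}';   // placeholder class name, constructed
var_dump(loadPageListHardened(['printpages' => $benign]));       // HomePage, SandBox
var_dump(loadPageListHardened(['printpages' => $objectRecord])); // empty array
```

For detection, the pre-check regex doubles as a log or WAF signature: object records in the listed parameters have no legitimate use and are worth alerting on.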

Weakness Enumeration: Deserialization of Untrusted Data

Related Identifiers: CVE-2012-0911

Affected Products: Tikiwiki Cms/Groupware