Writeup of CVE-2020-15906. Special Thanks to Frederic Mohr(Lastbreach) for your Backend Support.

I have found a new vulnerability in TikiWiki Cms Groupware 16.x - 21.1. It allows remote unauthenticated attackers to bypass the login page which results in a full compromise of Tiki Wiki CMS. An Attacker is able to bruteforce the Admin account until it is locked. After that an empty Password can be used to authenticate as admin to get access.

Take a look at the database. This is what the admin looks like after Tiki was installed. (Note that provpass is empty)

Admin Login Brute Force results in about 15 "Invalid user or password" errors, then the message should say "The mail cannot be sent" – maybe a verification problem because of to many requests

Keep Brute Forcing, just to be sure. If the Mail cant be send a different error message appears. Just before the 50th request, the messages change again, now the account is locked.

If we now take a look inside the DB, we can see provpass got set.

Now try another login attempt, but remove the password from the request.

A full walkthrough video can be viewed on youtube (Videos are not publicly available.): https://www.youtube.com/watch?v=v2YEpMsxcbA

PoC Exploit video on youtube: https://youtu.be/o3blz2US54Y

https://www.exploit-db.com/exploits/48927

https://portswigger.net/daily-swig/amp/tikiwiki-authentication-bypass-flaw-gives-attackers-full-control-of-websites-intranets

Maximilian Barz (OSCP), Email: [email protected], Twitter: S1lky_1337