
Reports of Bots exploiting pmwiki and tikiwiki - SANS Internet Storm Center

We have received some anonymous reports of botnets being built by exploiting vulnerabilities in PmWiki and TikiWiki.

The TikiWiki exploit is hitting versions <= 1.9, and the PmWiki exploit is hitting versions <= 2.1.19. Both exploits were written and discovered by the same person, and both have been worked into auto-spreading bots.

The PmWiki exploit only works if `register_globals` is set to "On" in your PHP installation. The TikiWiki exploit, however, works regardless of this setting.

We have no information yet on where these bots are attempting to connect. However, we are seeing them in the wild.

TikiWiki has published information on how to temporarily patch your systems to make them invulnerable. From reading that page, it also appears that TikiWiki is working on a permanent patch.

At the time of this posting, PmWiki had no temporary fixes or patches posted to their website. So ensure that you set `register_globals` to "Off" and restart Apache.

So, if you are running either of these two pieces of software, please make sure you are fixed or patched up!

Sep 5th 2006
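
To confirm that the `register_globals` mitigation above actually took effect, the following added example (not part of the original post) works out the effective setting across php.ini and Apache configuration, since a `php_flag` line in httpd.conf or a `.htaccess` file can turn the setting back on after php.ini turns it off. The file names and contents in `SAMPLE` are constructed for illustration.

```python
import re

INI_TRUE = {"1", "on", "true", "yes"}   # php.ini boolean spellings
FLAG_TRUE = {"1", "on"}                 # values php_flag treats as enabled

# php.ini form:          register_globals = On
INI_RE = re.compile(r'^\s*register_globals\s*=\s*"?([^";\s]*)', re.I)
# Apache/.htaccess form: php_flag register_globals on   (or php_admin_flag)
FLAG_RE = re.compile(r'^\s*php_(admin_)?flag\s+register_globals\s+"?([^"\s]+)', re.I)

def find_settings(name, text):
    """Yield (location, enabled, is_admin) for each active directive in one file."""
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith((";", "#")):   # commented-out directive
            continue
        m = INI_RE.match(line)
        if m:
            yield f"{name}:{no}", m.group(1).lower() in INI_TRUE, False
            continue
        m = FLAG_RE.match(line)
        if m:
            yield f"{name}:{no}", m.group(2).lower() in FLAG_TRUE, bool(m.group(1))

def effective(configs):
    """configs: (name, text) pairs ordered least specific first
    (php.ini, then httpd.conf, then per-directory .htaccess).
    Returns (enabled, location of the directive that decided it)."""
    # With no directive anywhere, PHP defaults to Off (since PHP 4.2.0).
    enabled, source, locked = False, "PHP default", False
    for name, text in configs:
        for location, on, admin in find_settings(name, text):
            if locked and not admin:   # php_admin_flag cannot be overridden by php_flag
                continue
            enabled, source, locked = on, location, locked or admin
    return enabled, source

# Constructed sample files (not taken from any real host), least specific first.
SAMPLE = [
    ("php.ini", "; register_globals = On\nregister_globals = Off\n"),
    ("httpd.conf", "<Directory /var/www/wiki>\n    AllowOverride All\n</Directory>\n"),
    ("wiki/.htaccess", "php_flag register_globals on\n"),
]

if __name__ == "__main__":
    print(effective(SAMPLE))
```

In the sample, php.ini sets the directive to Off but the wiki directory's `.htaccess` re-enables it, so the site is still exposed until that line is removed or a `php_admin_flag register_globals off` is set in httpd.conf.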