TikiWiki tiki-lastchanges.php Empty sort_mode Parameter Information Disclosure
Medium Nessus Plugin ID 46737
Synopsis

The remote web server hosts an application that is affected by an information disclosure vulnerability.

Description

The installed version of TikiWiki reveals database credentials used by the application when an empty 'sort_mode' parameter is passed to the 'tiki-lastchanges.php' script.
An attacker could exploit this issue to extract the username and password for the remote database, resulting in disclosure of sensitive information or attacks against the underlying database.
Note that other scripts included with this install are likely affected by the same vulnerability, although Nessus has not checked them.
Solution

Update to TikiWiki 1.9.6 or later.
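Until the upgrade is applied, web server access logs can be checked for requests that match the pattern the plugin describes. The following is an added example (not Nessus plugin code); it assumes Apache combined log format, and the log lines below are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from any real server).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2010:13:55:36 +0000] "GET /tiki/tiki-lastchanges.php?sort_mode=&days=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2010:13:55:40 +0000] "GET /tiki/tiki-lastchanges.php?sort_mode=lastModif_desc HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2010:13:56:01 +0000] "GET /tiki/tiki-index.php?page=HomePage HTTP/1.1" 200 2048 "-" "curl/7.19"
198.51.100.7 - - [10/Oct/2010:13:56:09 +0000] "GET /tiki/tiki-lastchanges.php?days=1&sort_mode= HTTP/1.1" 200 5110 "-" "curl/7.19"
"""

# Minimal Apache combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def flag_empty_sort_mode(log_text, script="tiki-lastchanges.php"):
    """Return one record per request to `script` whose 'sort_mode' parameter is present but empty.

    A request with sort_mode omitted entirely, or set to a non-empty value, is normal usage
    and is not flagged; only the present-but-empty form matches the plugin description.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined-log format
        url = urlsplit(m.group("target"))
        if url.path.rsplit("/", 1)[-1] != script:
            continue
        # keep_blank_values=True is required; otherwise 'sort_mode=' is silently dropped.
        qs = parse_qs(url.query, keep_blank_values=True)
        if "sort_mode" in qs and any(v == "" for v in qs["sort_mode"]):
            hits.append({
                "ip": m.group("ip"),
                "timestamp": m.group("ts"),
                "status": int(m.group("status")),
                "target": m.group("target"),
            })
    return hits


if __name__ == "__main__":
    for hit in flag_empty_sort_mode(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['ip']} {hit['status']} {hit['target']}")
```

Flagged requests that returned 200 warrant the same response as a confirmed exposure: rotate the database credentials after upgrading, since the value may already have been read.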