Brute-force exploit hands over the keys to CMS admin accounts


UPDATED A vulnerability in the popular Tiki Wiki CMS platform allowed an unauthenticated attacker to bypass the login process to gain remote access to admin accounts.

Tiki Wiki is an open source, wiki-based content management system (CMS) for websites and intranet sites that’s said to have been downloaded more than a million times since its launch 18 years ago.

A security researcher has detailed how an authentication bypass vulnerability in the platform could be leveraged to gain full control of a target account.

Detailing his findings in a GitHub post, Maximilian Barz, aka ‘Silky’, said that, in Tiki Wiki versions prior to 21.2, an attacker is able to brute-force a Tiki Wiki admin account until it is locked after 50 invalid login attempts.


Read more of the latest open source security news


They can then use an empty password to authenticate as the administrator and gain full account access.

“The attacker is able to compromise the administrator account so it’s possible to control the whole CMS,” Barz told The Daily Swig.

“If schedulers are used, it’s even possible to execute code on the system itself.”

Barz said that he discovered the vulnerability during a Capture the Flag (CTF) challenge.

The researcher explained: “I gained access to the admin panel and was stuck because there was nothing. It was unintended so the creator of the CTF wrote [to] me and we tested to recreate the issue.”

He added: “The reporting process was kinda fun, the devs from TikiWiki are very friendly. I just had an issue with the CVE managed by the Mitre team. But I hope that it will solve itself.

Barz also posted a proof-of-concept video:



This vulnerability (CVE-2020-15906) was assigned a CVSS score of 9.3 out of 10.

It has since been patched by Tiki Wiki. Users are advised to upgrade to the latest version (21.2). Security fixes have also been rolled out for other branches.


This article has been updated to include comments from the researcher.


YOU MAY LIKE GitHub Gist: Account takeover vulnerability patched in code-sharing web service