A new vulnerability has been found in Tikiwiki. Read more about it here.
I’ve created the following ModSecurity rule to block it.
SecRule REQUEST_FILENAME “tiki-graph_formula.php” “chain,msg:’TIKIWIKI tiki-graph_formula.php link inclusion attempt’,severity:2″
SecRule ARGS:/^s*[a-z]+$/ “^(ht|f)tps?://”
SecRule REQUEST_FILENAME “tiki-graph_formula.php” “chain,msg:’TIKIWIKI tiki-graph_formula.php f parameter Function Injection Vulnerability’,severity:2″
SecRule ARGS_NAMES “^s*f[.*]$”
Ivan, I hope these rules survive your scrutiny ;-)
Updated at 13:50: The first rule only covered the file inclusion in the title parameter which was what I was seeing in my logs. These rules should cover both the inclusion and the injection.