CVE-2006-5702

Tikiwiki 1.9.5 - Exposure of Sensitive Information via Empty sort_mode Parameter

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2006-5702. Includes Metasploit module auxiliary/admin/tikiwiki/tikidblib.

AI-analyzed exploit summary: The exploit describes an information leakage vulnerability in Tikiwiki 1.9.5 (CVS) where an anonymous user can dump MySQL credentials by triggering a MySQL error via the 'sort_mode' parameter in multiple scripts. It also mentions an XSS vulnerability in 'tiki-featured_link.php'.

Description

Tikiwiki 1.9.5 allows remote attackers to obtain sensitive information (MySQL username and password) via an empty sort_mode parameter in (1) tiki-listpages.php, (2) tiki-lastchanges.php, (3) messu-archive.php, (4) messu-mailbox.php, (5) messu-sent.php, (6) tiki-directory_add_site.php, (7) tiki-directory_ranking.php, (8) tiki-directory_search.php, (9) tiki-forums.php, (10) tiki-view_forum.php, (11) tiki-friends.php, (12) tiki-list_blogs.php, (13) tiki-list_faqs.php, (14) tiki-list_trackers.php, (15) tiki-list_users.php, (16) tiki-my_tiki.php, (17) tiki-notepad_list.php, (18) tiki-orphan_pages.php, (19) tiki-shoutbox.php, (20) tiki-usermenu.php, and (21) tiki-webmail_contacts.php, which reveal the information in certain database error messages.

Exploits (2)

exploitdb WRITEUP
Tags: webapps, php
https://www.exploit-db.com/exploits/2701

The exploit describes an information leakage vulnerability in Tikiwiki 1.9.5 (CVS) where an anonymous user can dump MySQL credentials by triggering a MySQL error via the 'sort_mode' parameter in multiple scripts. It also mentions an XSS vulnerability in 'tiki-featured_link.php'.

Classification: Writeup 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Tikiwiki 1.9.5 (CVS)
Authentication: No auth needed
Prerequisites: Access to the target Tikiwiki instance
Analyzed by devstral-2, Feb 19, 2026
metasploit WORKING POC
Tags: ruby, poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/tikiwiki/tikidblib.rb

This Metasploit module exploits an information disclosure vulnerability in TikiWiki 1.9.5 by triggering a MySQL error via the 'sort_mode' parameter, which leaks database credentials and configuration details.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: TikiWiki 1.9.5
Authentication: No auth needed
Prerequisites: Network access to the TikiWiki instance · TikiWiki 1.9.5 with exposed 'tiki-lastchanges.php'
Analyzed by devstral-2, Feb 16, 2026

References (8)

Core References (8)
- Third Party Advisory, VDB Entry (VUPEN): http://www.vupen.com/english/advisories/2006/4316
- Third Party Advisory, VDB Entry, mailing list (Bugtraq): http://www.securityfocus.com/archive/1/450268/100/0/threaded
- Third Party Advisory, VDB Entry (IBM X-Force): https://exchange.xforce.ibmcloud.com/vulnerabilities/29960
- Vendor Advisory, third-party advisory (Secunia): http://secunia.com/advisories/22678
- Third Party Advisory (Secunia): http://secunia.com/advisories/23039
- Third Party Advisory, vendor advisory (Gentoo GLSA): http://security.gentoo.org/glsa/glsa-200611-11.xml
- Third Party Advisory (SecurityReason): http://securityreason.com/securityalert/1816
- Exploit, VDB Entry (SecurityFocus BID): http://www.securityfocus.com/bid/20858

Scores

EPSS: 0.5342
EPSS Percentile: 98.0%

Details

CWE: CWE-200
Status: published
Products (1): tiki/tikiwiki_cms/groupware 1.9.5
Published: Nov 04, 2006
Tracked Since: Feb 18, 2026