
Conversation

@crackatoa
Contributor

@crackatoa crackatoa commented Aug 21, 2025

Hi,

This PR contains the implementation for Tiki Wiki CVE-2025-34111.

Below is the necessary information for review:

PR Testbed: google/security-testbeds#161
Issue: #678

Thank you

@crackatoa
Contributor Author

crackatoa commented Aug 21, 2025

Hi @tooryx,

My detector is running well now, but I have a problem with the unit test. Is there any way to debug the unit test?

It always FAILED during testing, even when I made the mock response as simple as I could:

104.4 TemplatedDetectorDynamicTest > runTest[Tikiwiki_CVE_2025_34111, autogenerated_whenEchoServer_returnsFalse] FAILED
104.4     java.lang.IllegalArgumentException at TemplatedDetectorDynamicTest.java:129

@am0o0
Contributor

am0o0 commented Aug 27, 2025

Hi, I think you can use config: { debug: true } in your template, then you can get verbose logs.

@tooryx
Member

tooryx commented Aug 27, 2025

Hi @crackatoa,

As @am0o0 mentioned, you can enable debug mode.
Additionally (and unfortunately) the tests can sometimes be a bit tricky to read, because they are all under the same unit test. So you might have to search specifically for your test.

I do not often use Gradle to run tests, but I think it generates an HTML file in which you can see more details.

~tooryx

@crackatoa
Contributor Author

Hi @am0o0 @tooryx,

thanks for the response.

I want to ask about autogenerated_whenEchoServer_returnsFalse, which is auto-generated by Tsunami. Can you explain this test function?

@tooryx
Member

tooryx commented Aug 27, 2025

It tries to verify that a detector is not flaky. But I think there is a bug right now. If it is the only failing test, feel free to ignore it.

~tooryx

@crackatoa
Contributor Author

Hi @tooryx,

I tried to manually debug the unit test, and I found that the test failed when I used {{ payload }} in my uri or body_content:

  {
    uri: "/vendor_extra/elfinder/files/{{ payload }}.php"
    status: 200
    body_content: "valid_tsunami"
  }

I still can't find the root cause, even when I tried the payload with a static value. I will leave/ignore the unit test as is for now.

Contributor

@savio-doyensec savio-doyensec left a comment

Hi @crackatoa, I left some suggestions to improve the detector.

As you said, the whenVulnerable_returnsTrue does not work because the payload variable is not propagated to the tests. For now, you can specify a hardcoded path for the PHP file, something like tsunami_security_scan.php, and use that instead of {{ payload }} for all the paths. You can keep {{ payload }} in the echo command inside the PHP.
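The two test behaviours discussed in this thread, the echo-server check that tooryx describes above and the unrendered {{ payload }} in mock responses that Savio explains here, can be modelled in a few lines. The following is an added example, not code from the Tsunami project or from this PR: a toy harness in which detector fields are rendered before each request while mock entries are matched literally, so a mock whose uri still reads "{{ payload }}" never answers the request the detector actually sends, and a server that reflects requests back only fools a detector that trusts the upload reply instead of fetching the uploaded file. The paths, the fixed test payload "valid_tsunami", the marker format and the reading of what the echo-server check guards against are all assumptions made for illustration.

```python
"""Toy model of a templated-detector test harness (added example).

Not code from the Tsunami project or from the PR. Detector fields are
rendered before each request; mock entries are matched on their literal
uri, which models "the payload variable is not propagated to the tests".
Paths, the test payload and the marker format are constructed.
"""
import re
import secrets
from dataclasses import dataclass
from typing import Callable


@dataclass
class Request:
    method: str
    uri: str
    body: str = ""


@dataclass
class Response:
    status: int
    body: str


Server = Callable[[Request], Response]

# Assumed paths, modelled on the snippet posted in the thread.
TEMPLATED_URI = "/vendor_extra/elfinder/files/{{ payload }}.php"
STATIC_URI = "/vendor_extra/elfinder/files/tsunami_security_scan.php"
# Assumed: the value a test run substitutes for {{ payload }}.
TEST_PAYLOAD = "valid_tsunami"

PLACEHOLDER = re.compile(r"\{\{\s*payload\s*\}\}")


def render(template: str, payload: str) -> str:
    """Substitute every {{ payload }} placeholder in a detector field."""
    return PLACEHOLDER.sub(payload, template)


def fresh_payload() -> str:
    """Production-style marker: unpredictable, so a target cannot pre-plant it."""
    return "tsunami_" + secrets.token_hex(8)


def mock_server(responses: dict[str, Response]) -> Server:
    """Mock keyed on the literal uri; entries are never rendered."""
    def handle(req: Request) -> Response:
        return responses.get(req.uri, Response(404, ""))
    return handle


def echo_server(req: Request) -> Response:
    """Reflects the request body with status 200, whatever the uri."""
    return Response(200, req.body)


def detector(server: Server, upload_uri: str, fetch_uri: str, payload: str,
             check_upload_response: bool = False) -> bool:
    """Upload a PHP file that echoes the payload, then fetch it and look for the payload.

    check_upload_response=True is the weak variant that trusts the upload reply.
    """
    php_source = f'<?php echo "{payload}"; ?>'
    upload = server(Request("POST", render(upload_uri, payload), php_source))
    if upload.status != 200:
        return False
    if check_upload_response:
        # The payload is part of what was just sent, so any server that reflects
        # request bodies satisfies this check without executing anything.
        return payload in upload.body
    fetched = server(Request("GET", render(fetch_uri, payload)))
    return fetched.status == 200 and payload in fetched.body


def run_cases() -> dict[str, bool]:
    """The thread's failure, the static-path workaround, and the echo-server check."""
    templated_mock = mock_server({TEMPLATED_URI: Response(200, TEST_PAYLOAD)})
    static_mock = mock_server({STATIC_URI: Response(200, TEST_PAYLOAD)})
    return {
        # Rendered request goes to "/.../valid_tsunami.php"; the mock only knows the literal.
        "templated_mock_matches": detector(templated_mock, TEMPLATED_URI, TEMPLATED_URI, TEST_PAYLOAD),
        # Workaround: static path in every uri, {{ payload }} only inside the PHP body.
        "static_mock_matches": detector(static_mock, STATIC_URI, STATIC_URI, TEST_PAYLOAD),
        # An echo server must not produce a finding; the separate fetch step makes that hold.
        "echo_with_fetch": detector(echo_server, STATIC_URI, STATIC_URI, fresh_payload()),
        # Trusting the upload reply turns the echo server into a false positive.
        "echo_trusting_upload": detector(echo_server, STATIC_URI, STATIC_URI, fresh_payload(),
                                         check_upload_response=True),
    }


if __name__ == "__main__":
    for name, result in run_cases().items():
        print(f"{name}: {result}")
```

Running the module prints the four outcomes; the first case reproduces the FAILED test from the thread, the second shows the static-path workaround passing, and the last two show why a detector should confirm execution with a second request rather than by searching the upload reply for bytes it sent itself.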


@crackatoa
Contributor Author

crackatoa commented Sep 7, 2025

Hi @savio-doyensec,

Thanks for the corrections. I have changed {{ payload }}.php to a static URL, and it works.
Please review the changes 899b6b7


@tooryx
Member

tooryx commented Sep 8, 2025

Hi @crackatoa,

FYI, the test issue with the echo server should have been fixed with ebbd193
Please let me know if you are still facing issues.

~tooryx

Contributor

@savio-doyensec savio-doyensec left a comment

Hey @crackatoa, I just have one more small change request for tidiness, everything else works fine.

@crackatoa
Contributor Author

Hi @savio-doyensec,

Done, please check.

@crackatoa
Contributor Author

@tooryx, I didn't find any issue anymore on my latest template engine.

Thank you

Contributor

@savio-doyensec savio-doyensec left a comment

LGTM
@tooryx we can merge this and google/security-testbeds#161

Reviewer: Savio (Doyensec)
Plugin: CVE-2025-34111
Drawbacks: None

@lokiuox lokiuox added the lgtm label Oct 6, 2025
@copybara-service copybara-service bot merged commit d541c98 into google:master Oct 8, 2025
6 checks passed


PRP: Tiki Wiki CMS Groupware CVE-2025-34111 Unauthenticated file upload

6 participants