Official files on SourceForge:
Tiki 184.108.40.206 (a quickfix of never released 1.9.10) was released by Louis-Philippe Huberdeau and Marc Laporte on 2008-02-23.
Compared to 1.9.9, this release contains 78 code commits by franck, lphuberdeau, luciash, marclaporte, mose, nkoth and sylvieg from 2007-12-22 to 2008-02-23.
The main purposes of this release are:
- Fix bugs introduced in 1.9.9
- Deal with a Cross Site Scripting (XSS) vulnerability reported by Fortify Software.
- Make TikiWiki more secure against future potential vulnerabilities (hardened TikiWiki)
Regression bugs introduced in 220.127.116.11 (which were ok in 1.9.9)
(07:01:41) peter__: Hello (07:03:16) peter__: Just installed Tiki and now have the problem that the registration code as image does not show up (tiki-random_number). Any suggestions? (07:04:35) sylvieg: check you have imagick or gd installed (07:05:32) peter__: gd is installed and for example pictures are shown in galleries. (07:17:38) marclaporte: peter__: which version? (07:17:55) marclaporte: I saw a bug fix to that file recently (dunno if related) (07:29:47) lphuberdeau_: problem introduced in 1.9.10 or 18.104.22.168 with the additional checks (07:30:06) lphuberdeau_: fix is in CVS, was waiting for more reports before making an other release (07:32:51) lphuberdeau_: tiki-login_validate.php and tiki-random_num_img.php were modified since the release (07:33:58) marclaporte: you can get them here: http://tikiwiki.cvs.sourceforge.net/tikiwiki/tiki/?pathrev=BRANCH-1-9 (08:29:06) peter__: lphuberdeau_: Thanks for the hint! (08:39:48) peter__: Report: tiki-login_validate.php and tiki-random_num_img.php from CVS fixed the problem with the registration code image. Thanks.
This was a bug introduced while making Tiki more secure (a little too secure in this case). Below are the tweaks needed to be done to 22.214.171.124:
- Improving input sanitizer. Thank you to Fortify software for reporting a cross-site scripting (XSS) vulnerability in tiki-edit_article.php.
Note: Until you upgrade, workaround is to not permit non-trusted users to add/edit articles, or to deactivate the articles feature altogether.
- New pre-emptive securitycheck.php script. This check, which is now part of the release procedures, checks every single potentially dangerous file (.php, .sh, etc) to make sure it follows some basic checks (such as: a feature check, permission check, verify that it can't be called directly if it shouldn't, etc.). If you are not using feature X you will no longer potentially be affected in a security issue which is discovered in a feature using that file. If you are using that feature, you can turn it off until you upgrade.
- Adding feature and permission checks to all files to comply with the securitycheck.php script described above.
- Developer scripts now have extra protection to make sure they can't be run from the web (on a badly configured server).
- Some useless files were deleted.
- Fix a username/password/registration bug issue which was introduced in 1.9.9.
- Image Gallery: Fixed the next-prev glitch which was introduced recently.
- Various fixes to Live Support feature.
- Various fixes to InterTiki feature
- Forums: Prevent forum pruning from removing comments as well, or from other forums.
- Fixes to "thumbnail" plugin
- Better handling of usernames with special characters
- tiki-contact.php has anti-bot protection
- Some administrative fixes and enhancements to the release, security and developer scripts.
- New "superscript" plugin to make easy superscript in wiki page, without using html, like subscript plugin.
For all changes, see: http://tikiwiki.org/changelog