This is a copy of the email sent to the tiki-users and tiki-devel mailing lists.

---------

Greets, this is a high-priority, urgent notice that affects all admins regarding all versions of TikiWiki.

We (security@tw) have been informed of several flaws which allow the execution of .php code from the $tikiroot/temp/ folder. This is being used in conjunction with a PHP script that basically gives the "attacker" SSH-like control of the server and lets them do anything as the Apache user. It is very similar to that described in tikiwiki.org/art97.

We already know that this has killed one server, resulting in it requiring a complete re-format and re-install. Don't let it be yours!

Please check your temp/ folder for any suspicious files and delete them. If you want to send samples, please forward them to security @ tw.o (tw.o is tikiwiki.org ;) ). We know these files have been called lol.php, gif.php, phpshell.php, shell.php.

This affects all TikiWiki releases.

Also add a .htaccess, or block temp/ via the Apache Virtual Host, in the same way as described in tikiwiki.org/art97.

Official SourceForge based releases of 1.8.5 and 1.9 DR4 will be released as soon as possible.

As always we are living in IRC at irc.tikiwiki.org / #tikiwiki. You can see ConnectingToIRC for connection details; everyone is welcome.

Please protect your Tiki, and please pass on the word to anyone you know with a Tiki!


Expect more updates as the weekend progresses; we are running a full review of the code. When the final releases are made, please upgrade to those releases or cvs update again.

Damian Parker

---------

So to summarise:

  • Upgrade to the latest tarball or CVS BRANCH-1-8/BRANCH-1-9 straight away.
  • In your Apache virtual host entry you will also need, in addition to the directives in art97, a block that denies all web access to temp/:
    <Directory "/path/to/tiki/directory/temp">
      Order Deny,Allow
      Deny From All
    </Directory>
  • or a .htaccess in temp/ containing the same Order/Deny directives (this only takes effect if AllowOverride permits it for that directory).
  • Either way, still inspect temp/ and delete any .php files already dropped there: denying web access stops new requests from reaching them, it does not remove them.
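The check and the block above, as an added example that is not code from the advisory or from the TikiWiki project: a small POSIX shell script that lists any .php files under a Tiki install's temp/ folder (the advisory names lol.php, gif.php, phpshell.php and shell.php, but it reports any .php file), and installs a .htaccess with the same Order/Deny directives as the <Directory> block. The Tiki root path is passed as an argument; the "/var/www/tiki" in the usage line is an assumed example path, not one from the page.

```shell
#!/bin/sh
# Added example for this advisory; not code from the TikiWiki project.
# Audits a Tiki install's temp/ folder for PHP files and installs the
# .htaccess that denies all web access to temp/, matching the vhost
# <Directory> block in the summary above.
# The Tiki root path is passed as $1; "/var/www/tiki" below is an assumed
# example path.

# Print every regular file under $1/temp whose name ends in .php, any case.
find_php_in_temp() {
    find "$1/temp" -type f -iname '*.php'
}

# Print the number of such files (0 when the folder is clean).
count_php_in_temp() {
    find_php_in_temp "$1" | wc -l | tr -d ' '
}

# Succeed (exit 0) only if temp/.htaccess already denies all access.
temp_is_blocked() {
    grep -qi '^[[:space:]]*Deny[[:space:]][[:space:]]*from[[:space:]][[:space:]]*all' \
        "$1/temp/.htaccess" 2>/dev/null
}

# Write an Apache 2.2-style .htaccess into temp/ that refuses every request.
# It only takes effect if the vhost's AllowOverride permits "Limit" for
# that directory; otherwise put the <Directory> block in the vhost itself.
# (On Apache 2.4 the equivalent directive is "Require all denied".)
write_temp_htaccess() {
    cat > "$1/temp/.htaccess" <<'EOF'
# Deny all web access to TikiWiki's temp/ folder (see tikiwiki.org/art97)
Order Deny,Allow
Deny from all
EOF
}

# Report on one install: list suspicious files, block the folder if needed.
# Exits 1 when PHP files were found so it can drive cron or monitoring.
# Files are listed, not deleted: inspect them (and keep samples) first.
audit_temp() {
    root="$1"
    n=$(count_php_in_temp "$root")
    if [ "$n" -gt 0 ]; then
        echo "WARNING: $n PHP file(s) in $root/temp (inspect, then delete):"
        find_php_in_temp "$root"
    else
        echo "OK: no PHP files in $root/temp"
    fi
    if temp_is_blocked "$root"; then
        echo "OK: $root/temp/.htaccess denies web access"
    else
        echo "FIX: writing $root/temp/.htaccess to deny web access"
        write_temp_htaccess "$root"
    fi
    [ "$n" -eq 0 ]
}

# Usage: sh audit-tiki-temp.sh /var/www/tiki   (path is an assumed example)
if [ "$#" -gt 0 ]; then
    audit_temp "$1"
fi
```

Run it as the user that owns the Tiki tree (or as root) so it can write temp/.htaccess. The .htaccess only helps where Apache serves temp/ directly and honours overrides there; if `AllowOverride None` is set for the site, the vhost <Directory> block from the summary is the one that actually takes effect, so verify with a request for a known file under temp/ and confirm you get 403.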


Please pass on the word to ANYONE with a TikiWiki: this is a very serious issue, and all TikiWikis are open to the flaw.

Damian