January Security Alert

Damian Parker - 16 Jan 2005 08:51 GMT-0000

It has been brought to the security team's attention that yet more problems exist in TikiWiki; these are similar to the Christmas Alert, but affect a different directory. Everyone is required to read and take corrective action. If you do not take action you could lose your entire server!

This is a copy of the email sent to tiki-users and tiki-devel mailing lists.

---------

Greets, this is a high priority, urgent notice that affects all admins regarding all versions of TikiWiki.

We (security@tw) have been informed of several flaws which allow the execution of .php code from the $tikiroot/temp/ folder. This is being used in conjunction with a php script that basically gives the "attacker" ssh like control of the server and run do anything as the apache user. It is very similar to that describe in tikiwiki.org/art97

We already know that this has killed one server, resulting in it requiring a complete re-format and re-install. Dont let it be yours!

Please check your temp/ folder for any suspicious files and delete them, if you want to send samples, please forward them to security @ tw.o (tw.o is tikiwiki.org ;) ) We know these files have been called lol.php, gif.php, phpshell.php, shell.php

This affects all TikiWiki releases;

If your using 1.8.x you can grab the latest tarball from de.tikiwiki.org, or cvs update to BRANCH-1-8
If your using any version of 1.9, you must upgrade to CVS BRANCH-1-9 or again, download the tarball from de.tikiwiki.org
If your on 1.7.X upgrade to 1.8

And also add a .htaccess or block via Apache Virtual Host the temp/ in the same way as described in tikiwiki.org/art97

Official SourceForge based releases of 1.8.5 and 1.9 DR4 will be released as soon as possible.

As always we are living in IRC at irc.tikiwiki.org / #tikiwiki you can see ConnectingToIRC for connection details everyone is welcome.

Please protect your Tiki, and please pass on the word to anyone you know with a Tiki. !!

Expect more updates as the weekend progresses, we are running a full review of the code, when the final releases are made, please again upgrade to those releases or cvs update again.

Damian Parker

---------

So to summarise:

Upgrade to the latest tarball or CVS BRANCH-1-8/BRANCH-1-9 straight away without delay

In your Apache virtual host entry you will also require in addition to those in art97 :

Copy to clipboard

&lt;Directory "/path/to/tiki/directory/temp"&gt;
  Order Deny,Allow
  Deny From All
&lt;/Directory&gt;

or a .htaccess in temp/

Please pass on the word to ANYONE with a TikiWiki, this is very serious issue, and all TikiWikis are open to the flaw.

Damian

1)	16 May 2024 14:00 GMT-0000 Tiki Roundtable Meeting
2)	20 Jun 2024 14:00 GMT-0000 Tiki Roundtable Meeting
3)	18 Jul 2024 14:00 GMT-0000 Tiki Roundtable Meeting
4)	15 Aug 2024 14:00 GMT-0000 Tiki Roundtable Meeting
5)	19 Sep 2024 14:00 GMT-0000 Tiki Roundtable Meeting
6)	08 Oct 2024 Tiki birthday
7)	17 Oct 2024 14:00 GMT-0000 Tiki Roundtable Meeting
8)	21 Nov 2024 14:00 GMT-0000 Tiki Roundtable Meeting
9)	19 Dec 2024 14:00 GMT-0000 Tiki Roundtable Meeting

Please wait

January Security Alert

Please protect your Tiki, and please pass on the word to anyone you know with a Tiki. !!

Upcoming Events

Latest Page Changes

Menu

Newest Forum Posts

About Tiki

Support

Community

Documentation

Development

Legal

Tiki Project Sites

Networks

Please wait

Translations

Article actions

Please protect your Tiki, and please pass on the word to anyone you know with a Tiki. !!

Upcoming Events

Latest Page Changes

Menu

Newest Forum Posts

About Tiki

Support

Community

Documentation

Development

Legal

Tiki Project Sites

Networks