To all tikiwiki administrators and developers, here is an important announcement concerning security of existing Tikiwiki websites, in all versions. If you manage a Tikiwiki, you should read this article attentively, it contains all details about how to fix the problem in a one line change in one file.
Download new releases.
Table of contents
Christmas Security Alert : php injection
The security flaw
There was no check on the uploaded images in the wiki edit page. Then a malicious user with permission to upload image could upload any php script and call it directly in the tikiwiki file tree, from img/wiki_up/ directory. Actually the flaw is quite trivial, stupid, and obvious. It's rather amazing that nobody fixed it before.
The security cure
Repair your tiki without delay !
Check your tikiwiki sanity
Search for files with extensions .php, .php3, .php4 or .phtml in your img/wiki_up (or img/wiki_up/$tikidomain/ in case of multitiki). You can use the following onelines to find them out (works with multitikis too)
Check your apache logs
To find out if someone used that flaw to inject unwanted php file, you can grep your logs (if you can use grep).
or if your logs are rotated and if you can use zgrep
Apply a fix
The fastest emergency fix is to disable the "Pictures" feature in the wiki admin panel (/tiki-admin.php?page=wiki).
The alternative inhibition of pictures upload on wiki pages is to limit the feature by setting the tiki_p_upload_picture permission in the groups admin panel.
But for a real fix, and to still be able to include pictures on wiki pages, you need to upgrade or patch the tiki-editpage.php file :
- CVS users :
Just update your version, the fix is in all branches from 1.7 to 1.10
cvs -q update -dP
- Other users :
Add the following line in tiki-editpage.php
just before the line containing
- with version 1.7.x, on line 106
- with version 1.8.x, on line 138
- with version 1.9rcx, on line 173 and 181
- with version 1.10, on line 172
The sysadmin way
Alternatively (or in more) to the file upgrade/patch, you can inhibit the parsing of php files in the img/ dir.
- If you use apache, but don't have access to the configuration file, create a .htaccess in img/wiki_up/ containing
if it doesn't work, ask your admin to activate the .htaccess power with
in the Directory directive of your tikiwiki tree. Note that if you use a multi-tiki setup, you'll need to add that .htaccess in each img/wiki_up/$tikidomain subdirectory.
- If you can change your apache conf because you admin it, add
where you need to adapt the path for the directory to match with where is located your img/ dir.
Both methods above just block the access to php files in img/ directory, but you may also want to inhibit .pl, .vb and other extensions if your global configuration enables those extensions to be parsed by another preprocessor.
- Read more on http://httpd.apache.org/docs-project/
New releases with a fix
In each released branch a new version is available, namely 1.7.9, 220.127.116.11 and 1.9rc3.1. If you didn't apply one of the solutions listed above :
you should upgrade as soon as possible.
Remember that you always can alert the tikiwiki security group by sending a mail to security at tikiwiki.org.
for the Tikiwiki Security Bunch-of-people