This is a copy of the email sent to tiki-users and tiki-devel mailing lists.


Greets, this is a high priority, urgent notice that affects all admins regarding all versions of TikiWiki.

We (security@tw) have been informed of several flaws which allow the execution of .php code from the $tikiroot/temp/ folder. This is being used in conjunction with a php script that basically gives the "attacker" ssh-like control of the server and lets them do anything as the apache user. It is very similar to that described in

We already know that this has killed one server, resulting in it requiring a complete re-format and re-install. Don't let it be yours!

Please check your temp/ folder for any suspicious files and delete them; if you want to send samples, please forward them to security @ tw.o (tw.o is ;) ). We know these files have been called lol.php, gif.php, phpshell.php and shell.php.

This affects all TikiWiki releases.

Also add a .htaccess, or block temp/ via your Apache virtual host, in the same way as described in

Official SourceForge based releases of 1.8.5 and 1.9 DR4 will be released as soon as possible.

As always we are living in IRC at / #tikiwiki; see ConnectingToIRC for connection details. Everyone is welcome.

Please protect your Tiki, and please pass on the word to anyone you know with a Tiki!

Expect more updates as the weekend progresses; we are running a full review of the code. When the final releases are made, please upgrade to those releases or cvs update again.

Damian Parker


So to summarise:

  • Upgrade to the latest tarball or CVS BRANCH-1-8/BRANCH-1-9 straight away, without delay
  • In your Apache virtual host entry you will also require, in addition to those in art97:
    <Directory "/path/to/tiki/directory/temp">
      Order Deny,Allow
      Deny From All
    </Directory>
  • or a .htaccess in temp/ containing the same Order/Deny lines
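A worked example of the two steps above (check temp/ for dropped PHP, then block web access to temp/), added here and not part of the advisory or of the TikiWiki project: a POSIX shell script that inventories temp/ by matching both the file extension and an opening <?php tag, so a shell renamed to look like an image is not missed, and that writes a deny-all .htaccess into temp/ (or prints the equivalent <Directory> block for the vhost) that is valid on Apache 2.0/2.2 (Order/Deny) as well as 2.4 (Require all denied). The directory paths, the sample file names and contents, and the helper function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example; not from the advisory or from TikiWiki.
# Assumes: $TIKIROOT/temp is a directory the web server can serve and that
# the attacker reaches a dropped file with a direct HTTP request, which is
# what a deny-all rule on temp/ stops. Paths below are placeholders.

# Step 1: list files under temp/ that look like PHP. Match by extension
# (lol.php, shell.php, ...) and, independently, by content, so that a file
# named e.g. image.gif that starts with "<?php" is reported too.
find_php_in_temp() {
    dir="$1"
    {
        find "$dir" -type f \( -iname '*.php' -o -iname '*.phtml' \
                               -o -iname '*.php[0-9]' \)
        # grep -l also reports binary files that contain the tag
        grep -rl '<?php' "$dir" 2>/dev/null || true
    } | sort -u
}

# Step 2: the access-control stanza. Apache 2.4 uses mod_authz_core
# ("Require"); 2.0/2.2, or 2.4 with mod_access_compat, use Order/Deny.
# The IfModule pair keeps one file valid on either generation.
temp_deny_stanza() {
    cat <<'EOF'
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
</IfModule>
EOF
}

# Drop the stanza into temp/.htaccess (needs AllowOverride to permit it).
install_temp_htaccess() {
    temp_deny_stanza > "$1/.htaccess"
}

# Same rule as a <Directory> block to paste into the virtual host, which
# does not depend on AllowOverride and cannot be deleted by the apache user.
vhost_deny_block() {
    printf '<Directory "%s">\n' "$1"
    temp_deny_stanza | sed 's/^/    /'
    printf '</Directory>\n'
}

# Usage (paths are placeholders):
#   find_php_in_temp /path/to/tiki/temp          # review and delete hits
#   install_temp_htaccess /path/to/tiki/temp     # or:
#   vhost_deny_block /path/to/tiki/temp          # paste into the vhost
# After reloading Apache, a request for any file under temp/ must return
# 403; e.g. check with:
#   curl -s -o /dev/null -w '%{http_code}\n' http://example.org/tiki/temp/lol.php
```

Prefer the vhost form where you control httpd.conf: a .htaccess in temp/ only works if AllowOverride permits it (Limit for Order/Deny, AuthConfig for Require), and since the dropped shell runs as the apache user, a .htaccess that is writable by that user can simply be deleted by the attacker. If you do use .htaccess, make it owned by root and not writable by the web server account. Either form only blocks direct requests to temp/; it does not remove the upload flaw itself, so the upgrade in the first bullet is still required.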

Please pass on the word to ANYONE with a TikiWiki; this is a very serious issue, and all TikiWikis are open to the flaw.