It has been brought to the security team’s attention that yet more problems exist in TikiWiki; these are similar to the Christmas Alert, but affect a different directory. Everyone is required to read and take corrective action. If you do not take action you could lose your entire server!
This is a copy of the email sent to tiki-users and tiki-devel mailing lists.
Greets, this is a high priority, urgent notice that affects all admins regarding all versions of TikiWiki.
We (security@tw) have been informed of several flaws which allow the execution of .php code from the $tikiroot/temp/ folder. This is being used in conjunction with a PHP script that basically gives the "attacker" SSH-like control of the server and lets them do anything as the Apache user. It is very similar to that described in tikiwiki.org/art97.
We already know that this has killed one server, resulting in it requiring a complete re-format and re-install. Don't let it be yours!
Please check your temp/ folder for any suspicious files and delete them. If you want to send samples, please forward them to security @ tw.o (tw.o is tikiwiki.org ;) ). We know these files have been called lol.php, gif.php, phpshell.php, shell.php.
This affects all TikiWiki releases:
- If you're using 1.8.x you can grab the latest tarball from de.tikiwiki.org, or cvs update to BRANCH-1-8
- If you're using any version of 1.9, you must upgrade to CVS BRANCH-1-9 or, again, download the tarball from de.tikiwiki.org
- If you're on 1.7.X, upgrade to 1.8
And also add a .htaccess, or block the temp/ directory via the Apache Virtual Host, in the same way as described in tikiwiki.org/art97.
Official SourceForge based releases of 1.8.5 and 1.9 DR4 will be released as soon as possible.
As always we are living on IRC at irc.tikiwiki.org / #tikiwiki; you can see ConnectingToIRC for connection details. Everyone is welcome.
Expect more updates as the weekend progresses; we are running a full review of the code. When the final releases are made, please again upgrade to those releases or cvs update again.
-- -- -- ---
So to summarise:
- Upgrade to the latest tarball or CVS BRANCH-1-8/BRANCH-1-9 straight away
- In your Apache virtual host entry you will also need the following, in addition to the directives from art97:
    <Directory "/path/to/tiki/directory/temp">
        Order Deny,Allow
        Deny From All
    </Directory>
- or a .htaccess in temp/
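As an added example (not part of the advisory or the TikiWiki project's code), a small POSIX shell script that automates the two checks above on a server: list any PHP files sitting in $tikiroot/temp/, and confirm that temp/ is blocked by a .htaccess with the Deny From All rule the advisory recommends, writing one if it is missing. The function names and the sample directory layout are assumptions.

```shell
#!/bin/sh
# Added example, not the TikiWiki project's code. TikiWiki only stores scratch
# data in temp/, so any *.php file there is suspicious (the advisory names
# lol.php, gif.php, phpshell.php and shell.php, but the name is arbitrary).

# Print, one per line, every file under $1/temp that the PHP handler would run.
find_suspicious_temp_files() {
    tikiroot="$1"
    tempdir="$tikiroot/temp"
    [ -d "$tempdir" ] || { echo "no temp/ directory under $tikiroot" >&2; return 2; }
    find "$tempdir" -type f \
        \( -iname '*.php' -o -iname '*.php3' -o -iname '*.phtml' -o -iname '*.phps' \) \
        | sed "s|^$tempdir/||" | sort
}

# Succeed only if $1/temp/.htaccess exists and contains "Deny From All".
temp_is_blocked_by_htaccess() {
    htaccess="$1/temp/.htaccess"
    [ -f "$htaccess" ] && grep -qi 'deny from all' "$htaccess"
}

# Write the .htaccess the advisory recommends (Apache 1.3 / 2.0 access syntax,
# the same directives as the virtual host snippet above).
block_temp_with_htaccess() {
    printf 'Order Deny,Allow\nDeny From All\n' > "$1/temp/.htaccess"
}

# Usage: sh check_tiki_temp.sh /path/to/tiki
if [ -n "${1:-}" ]; then
    echo "PHP files found in $1/temp (should be none):"
    find_suspicious_temp_files "$1"
    if temp_is_blocked_by_htaccess "$1"; then
        echo "temp/ is blocked by .htaccess"
    else
        echo "WARNING: temp/ is not blocked; writing .htaccess"
        block_temp_with_htaccess "$1"
    fi
fi
```

Deleting the listed files is left to the admin, since the advisory asks for samples to be forwarded to security@ before they are removed.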
Please pass on the word to ANYONE with a TikiWiki. This is a very serious issue, and all TikiWikis are open to the flaw.