Category: Security

Show subcategories objects

Name Type
Security rules page for Tiki developement
Tiki Security: We need it, we want it, we (will) have it!
Tikiwiki and Sea Surfing
Web applications are more and more popular, more and more used, and, in consequence, more open to abuse than in past years. Tricks like XSS and CSRF are begining to spread rapidly, at least in rumor, in specialized networks. All live web applications need to verify they have basic protections against such abuses if they intend to provide a trustworthy work environment.

Jun0 brought attention to the vulnerability of tikiwiki to the CSRF trick. After some examination and work, a commando patch operation added basic protection in tikiwiki. 1.7.5, under test right now, was created to meet the security needs of the community, and will be released in next hours/days. If security is vital to your activities, upgrade now to cvs version; branches 1.7, 1.8, and HEAD are patched. We need your help to track possible side effect of the patch, then we can release without fear of regression.

Here is the mail I recently sent to a small number of tikiwiki developers explaining the whole story...