TikiWiki 1.9.8.3 resolves vulnerability properly
A critical hole in Wiki system TikiWiki was supposed to have been closed by version 1.9.8.1. However, Stefan Esser found more ways of compromising servers by deploying PHP commands in specially crafted URLs via tiki-graph_formula.php. Updated version 1.9.8.3 is now available and should resolve the vulnerability correctly.
For a short while, developers made version 1.9.8.2 available for download which, apart from the tiki-graph_formula.php issue, also resolved further previously unknown, unidentified vulnerabilities. However, after the update had been installed users could no longer display gallery images. This problem has been fixed in version 1.9.8.3.
Since the new TikiWiki version closes critical holes, administrators are advised to upgrade as soon as possible. For older versions, the developers have provided patches resolving the issue on the project's Sourceforge pages.
- TikiWiki Remote PHP Code Evaluation Vulnerability, Stefan Esser's security advisory
- Bugfix release 1.9.8.3, TikiWiki update release notice
- Download the updated version and patches at Sourceforge
- Critical vulnerability in TikiWiki wiki system, heise Security news item of 11. October 2007
(mba)