TikiWiki 18.104.22.168 resolves vulnerability properly
A critical hole in Wiki system TikiWiki was supposed to have been closed by version 22.214.171.124. However, Stefan Esser found more ways of compromising servers by deploying PHP commands in specially crafted URLs via tiki-graph_formula.php. Updated version 126.96.36.199 is now available and should resolve the vulnerability correctly.
For a short while, developers made version 188.8.131.52 available for download which, apart from the tiki-graph_formula.php issue, also resolved further previously unknown, unidentified vulnerabilities. However, after the update had been installed users could no longer display gallery images. This problem has been fixed in version 184.108.40.206.
Since the new TikiWiki version closes critical holes, administrators are advised to upgrade as soon as possible. For older versions, the developers have provided patches resolving the issue on the project's Sourceforge pages.
- TikiWiki Remote PHP Code Evaluation Vulnerability, Stefan Esser's security advisory
- Bugfix release 220.127.116.11, TikiWiki update release notice
- Download the updated version and patches at Sourceforge
- Critical vulnerability in TikiWiki wiki system, heise Security news item of 11. October 2007