TikiWiki 188.8.131.52 resolves vulnerability properly
A critical hole in Wiki system TikiWiki was supposed to have been closed by version 184.108.40.206. However, Stefan Esser found more ways of compromising servers by deploying PHP commands in specially crafted URLs via tiki-graph_formula.php. Updated version 220.127.116.11 is now available and should resolve the vulnerability correctly.
For a short while, developers made version 18.104.22.168 available for download which, apart from the tiki-graph_formula.php issue, also resolved further previously unknown, unidentified vulnerabilities. However, after the update had been installed users could no longer display gallery images. This problem has been fixed in version 22.214.171.124.
Since the new TikiWiki version closes critical holes, administrators are advised to upgrade as soon as possible. For older versions, the developers have provided patches resolving the issue on the project's Sourceforge pages.
- TikiWiki Remote PHP Code Evaluation Vulnerability, Stefan Esser's security advisory
- Bugfix release 126.96.36.199, TikiWiki update release notice
- Download the updated version and patches at Sourceforge
- Critical vulnerability in TikiWiki wiki system, heise Security news item of 11. October 2007