TikiWiki 22.214.171.124 resolves vulnerability properly
A critical hole in Wiki system TikiWiki was supposed to have been closed by version 126.96.36.199. However, Stefan Esser found more ways of compromising servers by deploying PHP commands in specially crafted URLs via tiki-graph_formula.php. Updated version 188.8.131.52 is now available and should resolve the vulnerability correctly.
For a short while, developers made version 184.108.40.206 available for download which, apart from the tiki-graph_formula.php issue, also resolved further previously unknown, unidentified vulnerabilities. However, after the update had been installed users could no longer display gallery images. This problem has been fixed in version 220.127.116.11.
Since the new TikiWiki version closes critical holes, administrators are advised to upgrade as soon as possible. For older versions, the developers have provided patches resolving the issue on the project's Sourceforge pages.
- TikiWiki Remote PHP Code Evaluation Vulnerability, Stefan Esser's security advisory
- Bugfix release 18.104.22.168, TikiWiki update release notice
- Download the updated version and patches at Sourceforge
- Critical vulnerability in TikiWiki wiki system, heise Security news item of 11. October 2007