This bugfix prevents anyone from logging in as the administrator by using the encrypted password itself, copied directly from the index.php file. Note that to take advantage of this bug in PhpWiki 1.3.4 or later (1.3.5pre at this time), someone would already need access to the PhpWiki index.php file via FTP, SSH, etc. Nevertheless, it is recommended that all PhpWiki sites using any version of 1.3.4 upgrade to the latest CVS version of PhpWiki 1.3.5pre, which also includes many other small bugfixes and minor updates.
Thanks to Julien Charbon for submitting the security patch.