From: Damian P. <da...@da...> - 2005-01-15 20:45:07
Greets, this is a high priority, urgent notice that affects all admins regarding all versions of TikiWiki.

We (security@tw) have been informed of several flaws which allow the execution of .php code from the $tikiroot/temp/ folder. This is being used in conjunction with a php script that basically gives the "attacker" ssh-like control of the server, letting them do anything as the apache user. It is very similar to that described in tikiwiki.org/art97

We already know that this has killed one server, resulting in it requiring a complete re-format and re-install. Don't let it be yours!

Please check your temp/ folder for any suspicious files and delete them; if you want to send samples, please forward them to security @ tw.o (tw.o is tikiwiki.org ;) ). We know these files have been called lol.php, gif.php, phpshell.php, shell.php

This affects all TikiWiki releases:

* If you're using 1.8.x you can grab the latest tarball from de.tikiwiki.org, or cvs update to BRANCH-1-8
* If you're using any version of 1.9, you must upgrade to CVS BRANCH-1-9 or, again, download the tarball from de.tikiwiki.org
* If you're on 1.7.X upgrade to 1.8

And also add a .htaccess, or block the temp/ folder via the Apache Virtual Host, in the same way as described in tikiwiki.org/art97

Official SourceForge based releases of 1.8.5 and 1.9 DR4 will be released as soon as possible.

As always we are living in IRC at irc.tikiwiki.org / #tikiwiki; you can see http://tikiwiki.org/ConnectingToIRC for connection details. Everyone is welcome.

!! Please protect your Tiki, and please pass on the word to anyone you know with a Tiki. !!

Expect more updates as the weekend progresses; we are running a full review of the code. When the final releases are made, please again upgrade to those releases or cvs update again.

--
Damian Parker
http://www.damosoft.co.uk / http://tikihost.net
Telephone - 0845 004 3923
IAXtel - 700-168-0333
FWD - 72453
Full Online Support Tracking at - http://support.damosoft.net
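As an added example (not part of Damian's message and not TikiWiki's own code), a POSIX shell script that does the two things the advisory asks of admins: sweep $tikiroot/temp/ for dropped PHP and print the Apache fragment that blocks web access to that folder. The four file names are the ones the advisory lists; the directory layout, the sample file contents, and the tikiroot path are constructed assumptions for the demonstration. The sweep also flags files with a harmless-looking extension whose contents open with a PHP tag, since an uploaded "image" that is really code is the usual way such a shell arrives.

```shell
#!/bin/sh
# Added example, not from the advisory: audit a TikiWiki temp/ directory for
# dropped PHP shells and emit an Apache fragment that blocks the folder.

# Print every file under $1 that looks like PHP: either a PHP-style extension
# (including double extensions such as foo.php.gif) or, for any other file,
# a PHP open tag somewhere in its contents.
find_php_shells() {
    dir="$1"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    find "$dir" -type f \( -iname '*.php' -o -iname '*.php[345]' \
        -o -iname '*.phtml' -o -iname '*.php.*' \) -print
    find "$dir" -type f ! \( -iname '*.php' -o -iname '*.php[345]' \
        -o -iname '*.phtml' -o -iname '*.php.*' \) \
        -exec grep -l -e '<?php' -e '<?=' {} \; 2>/dev/null
}

# Number of distinct suspicious files found under $1 (0 means clean).
count_php_shells() {
    find_php_shells "$1" | sort -u | wc -l | tr -d ' '
}

# Apache 2.0/2.2 fragment for the vhost (or the Directory body alone as
# $tikiroot/temp/.htaccess if AllowOverride permits): deny web access to
# temp/ outright, and as a second layer stop PHP from running there even if
# the deny is later loosened. php_flag only parses when mod_php is loaded,
# hence the IfModule guard (mod_php5.c is an assumption; adjust for mod_php4).
# Apache 2.4 spells the deny as "Require all denied".
apache_block_fragment() {
    tikiroot="$1"
    cat <<EOF
<Directory "$tikiroot/temp">
    Order allow,deny
    Deny from all
    <IfModule mod_php5.c>
        php_flag engine off
    </IfModule>
    RemoveHandler .php .phtml .php3 .php4 .php5
</Directory>
EOF
}

# Build a constructed sample temp/ tree so the sweep can be exercised offline.
# Contents are stand-ins, not real captured shells.
make_sample_tempdir() {
    d=$(mktemp -d)
    mkdir -p "$d/cache"
    for f in lol.php gif.php phpshell.php shell.php; do   # names from the advisory
        printf '<?php system($_GET["c"]); ?>\n' > "$d/$f"
    done
    printf 'GIF89a<?php echo 1; ?>\n' > "$d/cache/avatar.gif"  # PHP hiding as an image
    printf 'just notes\n' > "$d/readme.txt"                      # benign
    printf 'GIF89a\001\002\n' > "$d/real.gif"                    # benign
    printf '%s\n' "$d"
}

# Usage on a real install: TIKIROOT=/var/www/tiki (assumed path)
#   find_php_shells "$TIKIROOT/temp"
#   apache_block_fragment "$TIKIROOT" >> /etc/apache2/sites-available/tiki.conf
```

Deleting what the sweep finds removes the foothold but not the upload hole; the advisory's upgrade to the patched branch is what closes that. Inspect rather than blindly delete anything the content check flags, and keep a copy if you intend to forward samples as the advisory asks.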