Greets, this is a high-priority, urgent notice for all admins, affecting
all versions of TikiWiki.
We (security@...) have been informed of several flaws which allow .php
code placed in the $tikiroot/temp/ folder to be executed. This is being
used in conjunction with a PHP web shell that gives the attacker ssh-like
control of the server: arbitrary commands run as the apache user, with
whatever that user can read and write. It is very similar to what is
described in tikiwiki.org/art97.
We already know that this has killed one server, which then required a
complete re-format and re-install. Don't let it be yours!
Please check your temp/ folder for any suspicious files and delete them;
if you want to send samples, please forward them to security @ tw.o
(tw.o is tikiwiki.org ;) ). We know these files have been called lol.php,
gif.php, phpshell.php and shell.php, but any .php file in temp/ is
suspect. If you find one, remember the shell ran as the apache user, so
anything that user could write to may have been touched as well.
This affects all TikiWiki releases:
* If you're using 1.8.x, grab the latest tarball from de.tikiwiki.org,
or cvs update to BRANCH-1-8.
* If you're using any version of 1.9, you must upgrade to CVS BRANCH-1-9
or, again, download the tarball from de.tikiwiki.org.
* If you're on 1.7.x, upgrade to 1.8.
Also add a .htaccess to temp/, or block it in the Apache virtual host
configuration, in the same way as described in tikiwiki.org/art97. This
stops execution from temp/ regardless of which flaw was used to put the
file there.
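The two admin steps above (look for dropped PHP in temp/, then stop Apache executing anything there) as one script. This is an added example for this advisory, not code from the TikiWiki project or from tikiwiki.org/art97. It assumes Apache with mod_php, a POSIX sh with find(1), and the TikiWiki root given as the first argument; the .htaccess directives it writes are my choice of lockdown, not a copy of what art97 recommends.

```shell
#!/bin/sh
# Added example for the TikiWiki temp/ advisory; not project code and not
# the art97 .htaccess. Assumptions: Apache + mod_php, POSIX sh, find(1),
# TikiWiki root passed as $1.

# Names the advisory says were seen in the wild. Any other .php in temp/
# is just as bad; these are only flagged so an admin recognises them.
KNOWN_SHELLS="lol.php gif.php phpshell.php shell.php"

# List files under <tikiroot>/temp/ that mod_php could execute. '*.php*'
# deliberately also matches double extensions such as shell.php.gif: with
# an "AddHandler" style PHP setup, Apache's mod_mime still hands those to
# PHP. ('*.php*' already covers .php3/.php4/.phps; .phtml needs its own.)
list_php_in_temp() {
    tikiroot=$1
    if [ ! -d "$tikiroot/temp" ]; then
        echo "no temp/ folder under $tikiroot" >&2
        return 2
    fi
    find "$tikiroot/temp" -type f \( -iname '*.php*' -o -iname '*.phtml*' \)
}

# Number of such files as a plain integer, for scripting ("0" = clean).
count_php_in_temp() {
    list_php_in_temp "$1" | wc -l | tr -d ' '
}

# Human-readable report; marks the names from the advisory.
report_tiki_temp() {
    list_php_in_temp "$1" | while IFS= read -r f; do
        tag="unexpected PHP file"
        for k in $KNOWN_SHELLS; do
            [ "$(basename "$f")" = "$k" ] && tag="known web shell name"
        done
        echo "$tag: $f"
    done
}

# Write a .htaccess into <tikiroot>/temp/ that stops PHP execution there.
# Two layers: php_flag turns the PHP engine off for the directory (mod_php
# only; drop that line on CGI/FastCGI setups or Apache returns 500), and the
# unanchored FilesMatch refuses to serve anything PHP-looking at all, so
# shell.php.gif is covered too. Needs "AllowOverride Options Limit" (or All)
# on the vhost; otherwise put the same directives in a <Directory> block
# there. Order/Deny is the Apache 1.3/2.0 form; 2.4 uses "Require all denied".
harden_tiki_temp() {
    tikiroot=$1
    [ -d "$tikiroot/temp" ] || return 2
    cat > "$tikiroot/temp/.htaccess" <<'EOF'
# No PHP execution from TikiWiki temp/ (written by harden_tiki_temp)
php_flag engine off
<FilesMatch "\.(php|php3|php4|phtml|phps)">
    Order allow,deny
    Deny from all
</FilesMatch>
EOF
}

# Usage: sh tiki-temp-check.sh /var/www/tiki [--harden]
if [ $# -ge 1 ]; then
    report_tiki_temp "$1"
    echo "PHP-like files in $1/temp/: $(count_php_in_temp "$1")"
    if [ "$2" = "--harden" ]; then
        harden_tiki_temp "$1" && echo "wrote $1/temp/.htaccess"
    fi
fi
```

Run it read-only first and look at what it lists before passing --harden; session files (sess_*) and other non-PHP content in temp/ are left alone by both the scan and the .htaccess. Deleting the shell without also blocking execution leaves the door open for the next upload, which is why the advisory asks for both.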
Official SourceForge-based releases of 1.8.5 and 1.9 DR4 will be made
as soon as possible.
As always we are living in IRC at irc.tikiwiki.org / #tikiwiki; see
http://tikiwiki.org/ConnectingToIRC for connection details.
!! Please protect your Tiki, and please pass on the word to anyone you
know with a Tiki. !!
Expect more updates as the weekend progresses; we are running a full
review of the code. When the final releases are made, please upgrade to
those releases or cvs update again.
http://www.damosoft.co.uk / http://tikihost.net
Telephone - 0845 004 3923 IAXtel - 700-168-0333 FWD - 72453
Full Online Support Tracking at - http://support.damosoft.net