Intrusions, site breakage, lost data

Security

Disclose a vulnerability
To give us time to patch the system, please report the vulnerability in the bug tracking system under the category "security", without detailing the vulnerability so that it cannot be exploited, AND please contact the security squad with the full details; we will deal with your input.


Please see http://security.tikiwiki.org




Open

| Rating | Subject | Priority | Report type | Version | Feature | Created |
| --- | --- | --- | --- | --- | --- | --- |
| - | Categorisation permission issue with Calendars and Trackers | 9 high | Bug: Consistency; Bug: Error | 2.x | Calendar; Security; Trackers | 2009-02 |
| 2/2 | Add "tiki_p_admin_structures" permission | 9 high | Feature request | 2.x; 3.x | Permission; Security; Wiki Structure (book & table of content) | 2009-04 |
| - | security issue: login issue | 8 | Bug: Error | 2.x | Cookie; OS independence (Non-Linux, Windows/IIS, Mac, BSD); Security | 2009-03 |
| 2/6 | RSS Calendar Security problem - anonymous users allowed access to secured calendar via RSS link | 7 | | | Calendar; Category; Group; RSS; Security | 2007-10 |
| - | No spam protection for shoutbox users | 7 | Bug: Usability | 1.9.x | Security; Shoutbox | 2008-06 |
| 1/2 | Need stronger CAPTCHA | 7 | Feature request | 2.x | Security | 2008-06 |
| 1/1 | User Information Page shows non-public wiki page titles | 7 | Bug: Error | 2.x; 3.x | Permission; Security; Wiki (history, page rename, etc) | 2008-07 |
| - | Security issue in a module | 7 | Bug: Error | 2.x | Modules; Security | 2008-12 |
| -2/-2 | Web Auth Needs Some Fine Tuning | 7 | Bug: conflict of two features (each works well independently); Bug: Usability; Feature request | 3.x | Security; User Administration (Registration, Login & Banning) | 2009-04 |
| 2/2 | Banning users (tiki-admin_banning.php) doesn't work for me at doc.tw.o | 6 | Bug: Usability | 1.9.x | Security; User Administration (Registration, Login & Banning) | 2007-06 |
| 2/4 | Registration Page does not display and password suggestion does not consider security settings | 6 | Bug: Usability; Feature request | 1.9.x | Security; User Administration (Registration, Login & Banning) | 2008-01 |
| - | Setting admin password in the installer, with option to force change at first login | 6 | Feature request | 4.x | Installer (profiles, upgrades and server-related issues); Security; TRIM | 2009-05 |
| - | Warning: is_dir(): Stat failed for ./img/wiki_up/tiki1/... in tiki-admin_security.php?check_files | 6 | Bug: Usability | 2.x | All / Undefined; Security | 2006-09 |
| 1/2 | binddb and bindpw not used when binding to LDAP | 5 | Bug: Error; Patch | 1.9.x | External Authentication (LDAP, AD, PAM, CAS, etc); Security; User Administration (Registration, Login & Banning) | 2007-10 |
| 2/2 | Secdb for all files (not just php) | 5 | Feature request | 1.9.x; 2.x | Administration; Installer (profiles, upgrades and server-related issues); Security | 2007-11 |
| - | Automatic SVN commit of secdb and syncdb | 5 | Community projects | 2.x | Installer (profiles, upgrades and server-related issues); Security | 2008-04 |
| - | Logout fails to work when web authorization is selected | 5 | Bug: Usability | 3.x | Security | 2009-04 |
| - | Enhancement: Use .htpasswd / .htgroup for user access & control | 5 | Feature request | 3.x | Security; User Administration (Registration, Login & Banning) | 2009-04 |
| 1/1 | Image attachments are not saved unique | 5 | Bug: Error; Bug: Usability | 1.8.x; 1.9.x | Security; Wiki (history, page rename, etc) | 2006-04 |
| - | Security bug which bypasses directory site validation | 5 | Bug: Error | 1.9.x | Directory (of hyperlinks); Security | 2006-07 |
| 2/2 | false positive at tikiwiki security error report | 4 | Bug: Usability | 2.x | Dogfood on a *.tikiwiki.org site; Security | 2009-02 |
| 1/4 | mail-in provides no security | 4 | Bug: Error | 1.9.x | Article; Mail-in; Security; Wiki (history, page rename, etc) | 2006-05 |
| 1/1 | Trackers: ratings fake vote by URL | 3 | Bug: Error | 1.9.x | Dogfood on a *.tikiwiki.org site; Rating; Security; Trackers | 2007-12 |
| - | Trackback pings should not use fopen to open urls | 3 | Bug: Error | 1.9.x; 2.x | Blog; Security; XML RPC | 2005-05 |
| 1/1 | Category plugin lists objects even without perms | 3 | Bug: Security | 1.9.x; 2.x | Category; Security; Wiki Plugin (extends basic syntax) | 2008-01 |
| - | wiki-edit: footnotes allows html | 3 | Bug: Error | 1.9.x | Security; Wiki (history, page rename, etc) | 2006-08 |
| - | dynamic contents in userdefined modules crashes tiki | 3 | | 1.9.x | Dynamic Content; Modules; Security; Wiki Syntax (text area, parser, external wiki, etc) | 2006-08 |
| 2/2 | Path disclosure bug in trackers | 2 | Bug: Error | 1.9.x | Security; Trackers | 2007-06 |
| 1/1 | Easy way to deal with SSL when using external images or scripts | 1 low | Feature request | 2.x | Security; Stats | 2008-02 |
| - | Security DB and mods don't work together | 1 low | Bug: Usability; Feature request | 2.x | Mods; Security | 2008-02 |
| 2/2 | File gallery: Virus checker | 1 low | Feature request | 3.x | File Gallery; Security | 2008-04 |
| - | Login at workflow.tw.o and info.tw.o fails with XMLRPC Error: 5 | | Bug: Error | | Dogfood on a *.tikiwiki.org site; Security; XML RPC | 2008-12 |
| 2/2 | Plugin html should have security, and pass code exactly as is | | Feature request | 3.x | Security; Wiki Plugin (extends basic syntax) | 2009-03 |


Pending

| Rating | Subject | Priority | Report type | Version | Feature | Created |
| --- | --- | --- | --- | --- | --- | --- |
| 2/4 | Optional disabling on javascript stripping protection | 6 | Feature request | 3.x | Dogfood on a *.tikiwiki.org site; All / Undefined; Permission; Security; Wiki Plugin (extends basic syntax); Wiki Syntax (text area, parser, external wiki, etc) | 2006-07 |
| - | Instantaneous visual feedback of password strength | 3 | Feature request | 2.x | Security; User Administration (Registration, Login & Banning) | 2008-06 |
| - | Built-in TPL editor removes Javascript from the Templates | 3 | Bug: Usability; Feature request | 2.x | Security; Theme: Look & feel, Styles, CSS, Theme Control Center | 2005-04 |
| 1/1 | Security problem with sophisticated google hack on local.php (how to clean up after an intrusion) | 2 | | | Installer (profiles, upgrades and server-related issues); Security | 2007-11 |


Closed (solved)

| Rating | Subject | Priority | Report type | Version | Feature | Created |
| --- | --- | --- | --- | --- | --- | --- |
| 2/2 | XSS vulnerability issue B96 | 9 high | Bug: Error | 1.9.x | Security | 2008-01 |
| 1/2 | Multimedia Flash unusable due to XSS protection | 9 high | Bug: Error; Bug: Regression; Bug: Usability | 2.x | Multimedia; Security; Wiki Syntax (text area, parser, external wiki, etc) | 2008-10 |
| 2/4 | site based on 2.2 + tikipedia attacked at tiki-browse_image.php from galleries | 9 high | Bug: Usability | 2.x | Dogfood on a *.tikiwiki.org site; Image Gallery; Security | 2009-02 |
| 2/2 | Plugins admin interface to activate/deactivate plugins | 9 high | Feature request | 3.x | Administration; Security; Wiki Plugin (extends basic syntax); WYSIWYCA (What You See is What You Can Access) | 2006-02 |
| - | tikiwiki version 1.9.5 (CVS) -Sirius- mysql password disclosure & xss | 9 high | Bug: Error | 1.9.x; 2.x | Security | 2006-11 |
| - | Vulnerability in registration | 9 high | | 1.9.x | Security; User Administration (Registration, Login & Banning) | 2007-01 |
| - | tiki_p_search makes users "admin" | 8 | Bug: Consistency; Bug: Error | 2.x | Administration; Search; Security; User Administration (Registration, Login & Banning) | 2008-03 |
| - | Security: Active XSS in URI allows remote exploitation of user browser | 8 | Bug: Error | | Security | 2009-03 |
| - | My site totally dead: Warning: ini_set() has been disabled for security reasons | 7 | Bug: Error | 1.9.x | Security | 2007-06 |
| 2/3 | Forum security issue: Ref: H56 | 7 | Bug: Error | 1.9.x | Forum; Security | 2007-07 |
| - | TikiWiki 2.0: SearchBox Not Displaying for Anonymous Users | 7 | Bug: Usability; Support request | 2.x | Search; Security | 2008-09 |
| 1/2 | Wiki cache & plugins: WYSIWYCA problem when admin visits the page (and creates the cache) | 6 | Bug: Error | 1.9.x | Cache; Database MySQL; Security; Wiki (history, page rename, etc); Wiki Plugin (extends basic syntax) | 2007-06 |
| 2/6 | Wiki cache & plugins: WYSIWYCA problem when admin visits the page (and creates the cache) | 6 | Bug: Error | 2.x; 3.x | Article; Cache; Security; Trackers; Wiki (history, page rename, etc); Wiki Plugin (extends basic syntax) | 2007-08 |
| 2/2 | topic permissions not working in tiki-list_articles.php | 6 | Bug: Error; Patch; Support request | 2.x | Article; Permission; Security | 2008-11 |
| - | image gallery: sort_mode=filesize causes mysql error and path disclosure | 5 | Bug: Error | 1.9.x; 2.x | Image Gallery; Security | 2007-09 |
| 2/2 | Secdb automatic check with cron job | 5 | Feature request | 1.9.x; 2.x | Administration; Installer (profiles, upgrades and server-related issues); Security; TRIM | 2007-09 |
| 1/4 | Authenticated RSS | 5 | Feature request | 2.x; 3.x | Blog; RSS; Security | 2008-01 |
| 2/4 | Better protection against accidental site breakage with improper use of code in modules + template | 4 | Bug: Error; Bug: Usability; Feature request | 1.9.x | Administration; Installer (profiles, upgrades and server-related issues); Modules; Security; Site Identity; Templates (Smarty) | 2007-04 |
| - | Change Crypt passwords method | 4 | Feature request | 2.x; 3.x | Security; User Administration (Registration, Login & Banning) | 2008-07 |
| 2/7 | Restrict possible characters in usernames | 3 | Bug: Error; Bug: Usability; Feature request | 2.x | Security; User Administration (Registration, Login & Banning) | 2007-07 |
| - | CVE-2006-6457 tikiwiki vulnerable | | Bug: Error; Support request | 1.9.x | All / Undefined; Security | 2007-01 |
| - | TikiWiki 2.0: Odd Tags get Inserted into HTML Code | | Bug: Consistency; Bug: Error; Bug: Usability | 2.x | Security; Wiki Syntax (text area, parser, external wiki, etc) | 2008-08 |
| - | Incorrect permission verification in tiki-upload_file.php | | Bug: Security | 3.x | File Gallery; Permission; Security | 2009-06 |
| - | No access permission on articles: articles accessible by articleID for any group | | Feature request | 1.9.x | Article; Security | 2007-01 |


Contributors to this page: marclaporte.
Page last modified on Wednesday 04 June, 2008 20:00:28 UTC by marclaporte.
