Posted: Sun Jan 30, 2005 9:31 am Post subject: [ GLSA 200501-41 ] TikiWiki: Arbitrary command execution
Gentoo Linux Security Advisory
Title: TikiWiki: Arbitrary command execution (GLSA 200501-41)
Date: January 30, 2005
Updated: May 22, 2006
A bug in TikiWiki allows certain users to upload and execute malicious PHP scripts.
TikiWiki is a web-based groupware and content management system (CMS), using PHP, ADOdb and Smarty.
Vulnerable: < 1.8.5
Unaffected: >= 1.8.5
Architectures: All supported architectures
TikiWiki does not validate files uploaded to the "temp" directory.
A malicious user could run arbitrary commands on the server by uploading and calling a PHP script.
There is no known workaround at this time.
All TikiWiki users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/tikiwiki-1.8.5"
Last edited by GLSA on Mon May 22, 2006 4:18 am; edited 2 times in total
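Added example, not part of the advisory and not Gentoo or TikiWiki code: a shell function for checking whether files that look like PHP scripts are present in an installation's "temp" directory, which the advisory names as the unvalidated upload location. The function name, the extension list, the `<?php` content marker and the directory path passed as an argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a TikiWiki "temp" directory for files that look like PHP.
# Assumptions (not from the advisory): the extension list below, the "<?php"
# content marker, and the directory path supplied by the caller.

# audit_temp_dir DIR
# Prints one "reason<TAB>path" line per suspicious file:
#   name     the file name carries a PHP-style extension (case-insensitive),
#            including names such as x.php.txt, which some web server handler
#            configurations still map to PHP
#   content  the name looks harmless but the file contains a "<?php" open tag
# Returns 2 if DIR is not a directory. File names containing newlines are
# not handled.
audit_temp_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    find "$dir" -type f | while IFS= read -r f; do
        name=$(basename "$f" | tr '[:upper:]' '[:lower:]')
        case $name in
            *.php|*.php[0-9]|*.phtml|*.phar|*.php.*|*.phtml.*)
                printf 'name\t%s\n' "$f"
                continue ;;
        esac
        # Fixed-string match so "<?xml" and similar do not count.
        if grep -qiF '<?php' "$f" 2>/dev/null; then
            printf 'content\t%s\n' "$f"
        fi
    done
}

# Run against a directory when one is given on the command line.
if [ $# -gt 0 ]; then
    audit_temp_dir "$1"
fi
```

Whether a listed file can actually be executed depends on the web server's handler configuration, so treat each line as something to review rather than as proof of compromise.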