Note: This page documents "what Tiki should do". For feature documentation (what Tiki does), please see the corresponding page on the doc site.

Security

Disclose a vulnerability
To give us time to patch the system, please report the vulnerability in the bug tracking system under the category "security", without detailing the vulnerability so that it cannot be exploited, AND please contact the security team with full details; we will deal with your input.


Please see http://security.tiki.org

Open

Rating | Subject | Importance | Category | Created
1 | LDAP Admin Password Stored as Plain Text In System Logs | 9 (high) | Problem; Less than 30-minute fix | 2012-05
0 | HTMLpurifier no longer permits to use Paypal buttons (starting in Tiki4) | 8 | Bug: Regression; Bug: conflict of two features (each works well independently) | 2010-01
2 | User Information Page shows non-public wiki page titles | 7 | Bug: Error | 2008-07
0 | No spam protection for shoutbox users | 7 | Bug: Usability | 2008-06
0 | Security issue in a module | 7 | Bug: Error | 2008-12
1 | Web Auth Needs Some Fine Tuning | 7 | Bug: Usability; Feature request; Bug: conflict of two features (each works well independently) | 2009-04
1 | Profiles Repository URLs Are Not Connect | 7 | Bug: Usability; Support request | 2009-11
1 | Plugin validation does not work, TW50B1 | 7 | Bug: Error; Bug: Usability; Bug: Regression | 2010-08
0 | Errors when trying to change access rights | 7 | Bug: Error; Problem | 2010-09
2 | Social networking complications | 7 | Bug: Usability | 2010-11
1 | default tiki setup vulnerable to subfolder links | 7 | Bug: Error | 2010-12
0 | Tiki 6.1 and later do not work under IIS 6, while 6.0 did | 7 | Bug: Error; Bug: Regression; Bug: Consistency; Less than 30-minute fix | 2011-02
0 | "protect all sessions" conflicts other https preferences | 7 | Bug: conflict of two features (each works well independently) | 2012-02
1 | "Ignore individual object permissions" not working for Lucene Engine | 7 | Problem | 2012-03
1 | Warning: is_dir(): Stat failed for ./img/wiki_up/tiki1/... in tiki-admin_security.php?check_files | 6 | Bug: Usability | 2006-09
2 | Registration Page does not display and password suggestion does not consider security settings. | 6 | Bug: Usability; Feature request | 2008-01
2 | Add "tiki_p_admin_structures" permission | 6 | Bug: Usability; Feature request | 2009-04
0 | Setting admin password in the installer, with option to force change at first login | 6 | Feature request | 2009-05
1 | Redirect plugin: add wiki= so we can use this plugin without a validation at each page | 6 | Feature request; Less than 30-minute fix | 2009-08
1 | Fatal error: Call to undefined TikiDb_Adodb::setAttribute() in ..\lib\tikisession-pdo.php on line 18 | 6 | Bug: Error | 2009-11
2 | Image attachments are not saved unique | 5 | Bug: Error; Bug: Usability | 2006-04
0 | Security bug which bypasses directory site validation. | 5 | Bug: Error | 2006-07
1 | Secdb for all files (not just php) | 5 | Feature request | 2007-11
0 | Automatic SVN commit of secdb and syncdb | 5 | Community projects | 2008-04
0 | Logout fails to work when web authorization is selected | 5 | Bug: Usability | 2009-04
0 | Enhancement: Use .htpasswd / .htgroup for user access & control | 5 | Feature request | 2009-04
3 | mail-in provides no security | 4 | Bug: Error | 2006-05
1 | false positive at tikiwiki security error report | 4 | Bug: Usability; Dogfood on a *.tiki.org site | 2009-02
0 | Add a virtual keyboard | 4 | Feature request | 2012-01
0 | Trackback pings should not use fopen to open urls. | 3 | Bug: Error | 2005-05
1 | wiki-edit: footnotes allows html | 3 | Bug: Error | 2006-08
0 | dynamic contents in userdefined modules crashes tiki | 3 | | 2006-08
1 | Trackers: ratings fake vote by URL | 3 | Bug: Error; Dogfood on a *.tiki.org site | 2007-12
0 | Take in account the Apache option "AccessFileName" | 3 | Feature request | 2010-08
1 | Path disclosure bug in trackers | 2 | Bug: Error | 2007-06
1 | Easy way to deal with SSL when using external images or scripts | 1 (low) | Feature request | 2008-02
0 | Security DB and mods don't work together | 1 (low) | Bug: Usability; Feature request | 2008-02
1 | File gallery: Virus checker | 1 (low) | Feature request | 2008-04
0 | ssl_error_rx_record_too_long when using "Require Secure (HTTPS) login" (CPANEL self-signed cert.) | 1 (low) | Bug: Error; Bug: Usability | 2010-03
0 | Login at workflow.tw.o and info.tw.o fails with XMLRPC Error: 5 | | Bug: Error; Dogfood on a *.tiki.org site | 2008-12
2 | anti hammering is a nice security feature against flooding | | Feature request; Documentation (or Advocacy) | 2010-12

Pending

Rating | Subject | Importance | Category | Created
3 | Categorisation permission issue with Calendars and Trackers | 9 (high) | Bug: Error; Bug: Consistency | 2009-02
0 | Upgrade to rel 4 : No permissions for user "admin" | 9 (high) | Bug: Regression; Less than 30-minute fix | 2010-01
1 | security issue: login issue | 8 | Bug: Error | 2009-03
2 | binddb and bindpw not used when binding to LDAP | 5 | Bug: Error; Patch | 2007-10
2 | Built-in TPL editor removes Javascript from the Templates | 3 | Bug: Usability; Feature request | 2005-04
0 | Instantaneous visual feedback of password strength | 3 | Feature request | 2008-06
1 | Security problem with sophisticated google hack on local.php (how to clean up after an intrusion) | 2 | | 2007-11

Closed

Rating | Subject | Importance | Category | Created
1 | Plugins admin interface to activate/deactivate plugins | 9 (high) | Feature request | 2006-02
1 | tikiwiki version 1.9.5 (CVS) -Sirius- mysql password disclosure & xss | 9 (high) | Bug: Error | 2006-11
0 | Vulnerability in registration | 9 (high) | | 2007-01
1 | XSS vulnerability issue B96 | 9 (high) | Bug: Error | 2008-01
2 | Multimedia Flash unusable due to XSS protection | 9 (high) | Bug: Error; Bug: Usability; Bug: Regression | 2008-10
2 | site based on 2.2 + tikipedia attacked at tiki-browse_image.php from galleries | 9 (high) | Bug: Usability; Dogfood on a *.tiki.org site | 2009-02
1 | potential security hole related to managing users | 9 (high) | Bug: Usability; Support request | 2009-11
1 | Add New User - Gen Password - Validate By Email is Broken in 4.1 and 4.2 | 9 (high) | Bug: Error; Bug: Usability; Bug: Regression; Bug: Consistency | 2010-03
0 | PHP Code Injection Vulnerability | 9 (high) | | 2011-11
0 | Critical security vulnerability | 9 (high) | | 2012-01
0 | tiki_p_search makes users "admin" | 8 | Bug: Error; Bug: Consistency | 2008-03
0 | Security: Active XSS in URI allows remote exploitation of user browser | 8 | Bug: Error | 2009-03
0 | styles/transitions/2.1to3.0.css file vandalized | 8 | | 2009-09
1 | Modules do not work when called from within wiki pages | 8 | Bug: Error | 2009-11
0 | My site totally dead: Warning: ini_set() has been disabled for security reasons | 7 | Bug: Error | 2007-06
2 | Forum security issue: Ref: H56 | 7 | Bug: Error | 2007-07
3 | Need stronger CAPTCHA | 7 | Feature request | 2008-06
0 | TikiWiki 2.0: SearchBox Not Displaying for Anonymous Users | 7 | Bug: Usability; Support request | 2008-09
2 | Optional disabling on javascript stripping protection | 6 | Feature request; Dogfood on a *.tiki.org site | 2006-07
2 | Banning users ( tiki-admin_banning.php ) doesn't work for me at doc.tw.o | 6 | Bug: Usability | 2007-06
3 | Wiki cache & plugins: WYSIWYCA problem when admin visits the page (and creates the cache) | 6 | Bug: Error | 2007-06
3 | Wiki cache & plugins: WYSIWYCA problem when admin visits the page (and creates the cache) | 6 | Bug: Error | 2007-08
1 | topic permissions not working in tiki-list_articles.php | 6 | Bug: Error; Patch; Support request | 2008-11
1 | Plugin html should have security, and pass code exactly as is | 6 | Feature request; Request | 2009-03
1 | Password manager | 6 | Feature request; Dogfood on a *.tiki.org site; Request | 2009-07
0 | image gallery: sort_mode=filesize causes mysql error and path disclosure | 5 | Bug: Error | 2007-09
1 | Secdb automatic check with cron job | 5 | Feature request | 2007-09
4 | Authenticated RSS | 5 | Feature request | 2008-01
2 | Better protection against accidental site breakage with improper use of code in modules + template | 4 | Bug: Error; Bug: Usability; Feature request | 2007-04
0 | Change Crypt passwords method | 4 | Feature request | 2008-07
0 | URL_ID replaced in a link | 4 | Bug: Error; Bug: Usability | 2008-10
4 | Restrict possible characters in usernames | 3 | Bug: Error; Bug: Usability; Feature request | 2007-07
0 | No access permission on articles: articles accessible by articleID for any group | | Feature request | 2007-01
1 | CVE-2006-6457 tikiwiki vulnerable | | Bug: Error; Support request | 2007-01
0 | TikiWiki 2.0: Odd Tags get Inserted into HTML Code | | Bug: Error; Bug: Usability; Bug: Consistency | 2008-08
0 | Using preg_replace with /e modifier | | Bug: Error; Feature request; Patch | 2010-01
0 | webdav | | | 2012-01


Page last modified on Sunday 20 May, 2012 15:32:10 UTC
