Note

This page documents "what Tiki should do". For feature documentation (what Tiki does), please see the corresponding page on the doc site.

Description: Intrusions, site breakage, lost data. Categories: Features » Security; Type of page » Feature page; Type of page » Developers documentation.

Security

Disclose a Security Vulnerability

Please contact the security team with full details of any security vulnerability you may discover. Please be sure to include instructions for how we can contact you for follow up.

We encourage you to use the Tiki Wiki CMS Groupware Release/Security Team PGP/GPG key to encrypt your report to us.

pub   4096R/0xBC50FC18256C3F93 2012-06-27
Key fingerprint = 6F76 39C9 6C8A 12D7 8F12  89A0 BC50 FC18 256C 3F93
uid   Tiki Wiki CMS Groupware Release/Security Team (http://security.tikiwiki.org/) <security@tikiwiki.org>

If you have time, please also report the vulnerability using the Tiki bug tracking system, using the category "security," but without detailing the vulnerability, so that it cannot be exploited.

Please also see:

Open

| Status | Submitted by | Rating | Subject | Category | Priority | Importance | Easy to solve? | Volunteered to solve | LastModif | Coms | Last comment |
|---|---|---|---|---|---|---|---|---|---|---|---|
| open | Marc Laporte | (0) | onclick, onmouseover, etc. cause the in preview, and preview diff | Bug: conflict of two features (each works well independently) | 6 | 6 | 1 difficult | | 2013-10-28 | 0 | |
| open | | (0) | Redirect plugin: add wiki= so we can use this plugin without a validation at each page | Feature request; Less than 30-minute fix | 48 | 6 | 8 | | 2010-01-15 | 0 | |
| open | Marc Laporte | (0) | PHPIDS (PHP-Intrusion Detection System) | Feature request | 45 | 9 | 5 | | 2013-10-28 | 0 | |
| open | Marc Laporte | (0) | Review .htaccess from HTML5 Boilerplate for security and performance | Feature request | 36 | 6 | 6 | | 2013-11-23 | 0 | |
| open | Marc Laporte | (0) | "protect all sessions" conflicts other https preferences | Bug: conflict of two features (each works well independently) | 35 | 7 | 5 | | 2013-10-28 | 0 | |
| open | Frank Guthausen | (0) | OpenPGP support for emails to users | Feature request | 35 | 7 | 5 | | 2013-10-28 | 2 | fmg-01 Oct 12 |
| open | Marc Laporte | (0) | Smarter handling of HTTPS/SSL for included elements that are in HTTP (especially JavaScript) | Bug: conflict of two features (each works well independently) | 35 | 7 | 5 | k | 2013-10-28 | 5 | marclaporte-09 Mar 13 |
| open | Gergely | (0) | 9.1, trackers, security: hidden user selector type field keeps listing all the users as options | Bug: Usability | 35 | 7 | 5 | | 2013-10-28 | 0 | |
| open | Marc Laporte | (0) | Add a virtual keyboard | Feature request | 32 | 4 | 8 | | 2014-01-30 | 0 | |
| open | AmirSharif | (0) | Adding some Tiki built-in login authentication methods | Feature request | 10 | 10 high | 1 difficult | | 2013-10-20 | 1 | marclaporte-27 Nov 13 |
| open | Marc Laporte | (0) | Setting admin password in the installer, with option to force change at first login | Feature request | 0 | 6 | | | 2013-11-25 | 0 | |
| open | Jenser | (0) | "Ignore individual object permissions" not working for Lucene Engine | Bug: Error | 0 | 7 | | | 2013-06-05 | 0 | |
| open | Jan Krohn | (0) | No spam protection for shoutbox users | Bug: Usability | | 7 | | | 2009-10-29 | 0 | |
| open | | (0) | Security issue in a module | Bug: Error | | 7 | | | 2008-12-12 | 0 | |
| open | mikespub | (0) | Login at workflow.tw.o and info.tw.o fails with XMLRPC Error: 5 | Bug: Error; Dogfood on a *.tiki.org site | | | | | 2008-12-21 | 0 | |
| open | RiSK | (0) | Add "tiki_p_admin_structures" permission | Bug: Usability; Feature request | | 6 | | | 2010-04-07 | 0 | |
| open | mizraith | (0) | Logout fails to work when web authorization is selected | Bug: Usability | | 5 | | mizraith | 2009-04-08 | 0 | |
| open | mizraith | (0) | Web Auth Needs Some Fine Tuning | Bug: Usability; Feature request; Bug: conflict of two features (each works well independently) | | 7 | | mizraith | 2009-04-08 | 0 | |
| open | mizraith | (0) | Enhancement: Use .htpasswd / .htgroup for user access & control | Feature request | | 5 | | | 2009-04-25 | 1 | marclaporte-23 Sep 13 |
| open | | (0) | Fatal error: Call to undefined TikiDb_Adodb::setAttribute() in ..\lib\tikisession-pdo.php on line 18 | Bug: Error | | 6 | | | 2009-11-17 | 5 | trebly-07 Feb 10 |
| open | Peder Kittelson | (0) | ssl_error_rx_record_too_long when using "Require Secure (HTTPS) login" (CPANEL self-signed cert.) | Bug: Error; Bug: Usability | | 1 low | | | 2010-03-15 | 0 | |
| open | Bernard TREMBLAY | (0) | Take in account the Apache option "AccessFileName" | Feature request | | 3 | | | 2010-08-05 | 0 | |
| open | Gergely | (0) | Plugin validation does not work, TW50B1 | Bug: Error; Bug: Usability; Bug: Regression | | 7 | | | 2010-12-22 | 1 | Gergely-16 Aug 10 |
| open | huogas | (0) | Errors when trying to change access rights | Bug: Error | | 7 | | Philippe Cloutier | 2010-09-28 | 0 | |
| open | Steve | (0) | Social networking complications | Bug: Usability | | 7 | | | 2010-11-18 | 2 | Vranicoff-30 Dec 10 |
| open | Gergely | (0) | anti hammering is a nice security feature against flooding | Feature request; Documentation (or Advocacy) | | | | | 2010-12-12 | 0 | |
| open | Gergely | (0) | default tiki setup vulnerable to subfolder links | Bug: Error | | 7 | | | 2010-12-13 | 1 | Gergely-18 Jan 11 |
| open | moretolearn | (0) | Tiki 6.1 and later do not work under IIS 6, while 6.0 did | Bug: Error; Bug: Regression; Bug: Consistency; Less than 30-minute fix | | 7 | | | 2011-10-08 | 6 | olibird-13 Apr 11 |
| open | edwinbennink | (0) | Registration vulnerability | Support request | | 7 | | | 2012-06-08 | 0 | |
| open | wu-lee | (0) | temp/.htaccess breaks antibot image serving | Bug: Error; Bug: Usability; Bug: Regression; Less than 30-minute fix | | 9 high | 10 easy | | 2012-08-16 | 1 | fmg-24 Oct 12 |
| open | Marc Laporte | (0) | jCapture doesn't work via SSL when SSL is not valid (rest of Tiki is OK) | Bug: conflict of two features (each works well independently) | | 2 | 2 | | 2013-12-03 | 0 | |
| open | Xavi | (1) | Enhance mail delivery | Bug: Usability | | 8 | 5 | | 2014-02-06 | 0 | |
| open | Xavi | (1) | Validation | Bug: Usability | | 8 | 3 | | 2014-02-10 | 0 | |

Pending

| Status | Submitted by | Rating | Subject | Category | Priority | Importance | Easy to solve? | Volunteered to solve | LastModif | Coms | Last comment |
|---|---|---|---|---|---|---|---|---|---|---|---|
| pending | peter5 | (0) | Upgrade to rel 4 : No permissions for user "admin" | Bug: Regression; Less than 30-minute fix | 72 | 9 high | 8 | | 2010-01-15 | 3 | plugmusc-17 Jan 11 |
| pending | noumenon | (0) | CLI search index maintenance conflicts with "Protect all sessions with HTTPS" | Bug: conflict of two features (each works well independently); Less than 30-minute fix; Indexing | 70 | 7 | 10 easy | | 2013-11-04 | 3 | marclaporte-05 Nov 13 |
| pending | alain_desilets | (0) | Lost changes when you mistype antibot code | Bug: Error | 60 | 10 high | 6 | manivannans | 2013-12-02 | 2 | jonnybradley-19 May 14 |
| pending | alain_desilets | (0) | Approving a user logs the admin as that user | Bug: Regression | 50 | 10 high | 5 | manivannans | 2013-11-29 | 1 | alain_desilets-09 Dec 13 |
| pending | ukoegler | (0) | Password will not be accepted when using @ > or < in the password string (with or without LDAP) | Bug: Usability; Bug: Regression | 30 | 10 high | 3 | | 2014-09-30 | 6 | marclaporte-03 Nov 13 |
| pending | Florian Gleixner | (0) | Trackback pings should not use fopen to open urls. | Bug: Error | | 3 | | | 2008-04-04 | 1 | mrisch-03 Feb 08 |
| pending | Bernhard Scholz | (0) | Image attachments are not saved unique | Bug: Error; Bug: Usability | | 5 | | | 2007-06-03 | 5 | mccabem-29 Apr 08 |
| pending | dknudson | (0) | Security bug which bypasses directory site validation. | Bug: Error | | 5 | | | 2008-02-03 | 0 | |
| pending | WoG | (0) | wiki-edit: footnotes allows html | Bug: Error | | 3 | | | 2008-02-03 | 1 | marclaporte-03 Feb 08 |
| pending | kern | (0) | dynamic contents in userdefined modules crashes tiki | | | 3 | | | 2007-07-10 | 0 | |
| pending | Xavi | (0) | Warning: is_dir(): Stat failed for ./img/wiki_up/tiki1/... in tiki-admin_security.php?check_files | Bug: Usability | | 6 | | | 2006-09-06 | 0 | |
| pending | | (0) | Built it TPL editor removes Javascript from the Templates | Bug: Usability; Feature request | | 3 | | nyloth | 2008-10-14 | 3 | marclaporte-06 Dec 07 |
| pending | Marc Laporte | (0) | Path disclosure bug in trackers | Bug: Error | | 2 | | | 2007-06-12 | 0 | |
| pending | alexr | (0) | binddb and bindpw not used when binding to LDAP | Bug: Error; Patch | | 5 | | | 2010-10-08 | 2 | Chealer9-08 Oct 10 |
| pending | Marc Laporte | (0) | Secdb for all files (not just php) | Feature request | | 5 | | | 2007-11-24 | 1 | marclaporte-27 Sep 12 |
| pending | Marc Laporte | (0) | Trackers: ratings fake vote by URL | Bug: Error; Dogfood on a *.tiki.org site | | 3 | | | 2007-12-07 | 0 | |
| pending | orkz | (0) | Registration Page does not display and password suggestion does not consider security settings. | Bug: Usability; Feature request | | 6 | | | 2008-02-03 | 2 | horizon-06 Apr 08 |
| pending | Marc Laporte | (0) | Easy way to deal with SSL when using external images or scripts | Feature request | | 1 low | | | 2012-10-02 | 0 | |
| pending | Marc Laporte | (0) | Security DB and mods don't work together | Bug: Usability; Feature request | | 1 low | | | 2008-02-22 | 0 | |
| pending | Marc Laporte | (0) | File gallery: Virus checker | Feature request | | 1 low | | | 2008-10-14 | 1 | marclaporte-01 Dec 13 |
| pending | Marc Laporte | (0) | Instantaneous visual feedback of password strength | Feature request | | 3 | | Rick | 2008-08-29 | 0 | |
| pending | mrisch | (0) | User Information Page shows non-public wiki page titles | Bug: Error | | 7 | | | 2008-07-24 | 1 | SiL3NC3-18 Jun 11 |
| pending | glan | (0) | security issue: login issue | Bug: Error | | 8 | | | 2012-05-20 | 0 | |

Closed

| Status | Submitted by | Rating | Subject | Category | Priority | Importance | Easy to solve? | Volunteered to solve | LastModif | Coms | Last comment |
|---|---|---|---|---|---|---|---|---|---|---|---|
| closed | EgiX | (0) | Critical security vulnerability | | | 9 high | | | 2012-05-20 | 0 | |
| closed | Marc Laporte | (0) | 12.x to 13.x upgrade: "Plugin execution pending approval" on http://doc.tiki.org/Menu | Dogfood on a *.tiki.org site | 49 | 7 | 7 | Jonny Bradley | 2014-07-29 | 0 | |
| closed | Ed | (0) | Add New User - Gen Password - Validate By Email is Broken in 4.1 and 4.2 | Bug: Error; Bug: Usability; Bug: Regression; Bug: Consistency | | 9 high | | | 2010-04-02 | 0 | |
| closed | Marc Laporte | (0) | Authenticated RSS | Feature request | | 5 | | | 2009-06-01 | 2 | marclaporte-02 Jun 09 |
| closed | Marc Laporte | (0) | Automatic SVN commit of secdb and syncdb | Community projects | | 5 | | | 2012-09-27 | 1 | marclaporte-27 Sep 12 |
| closed | Xavi | (0) | Banning users ( tiki-admin_banning.php ) doesn't work for me at doc.tw.o | Bug: Usability | | 6 | | luciash d' being | 2010-03-31 | 1 | luci-21 Jun 07 |
| closed | Marc Laporte | (0) | Better protection against accidental site breakage with improper use of code in modules + template | Bug: Error; Bug: Usability; Feature request | | 4 | | | 2009-01-30 | 6 | marclaporte-30 Jan 09 |
| closed | Geoff Brickell | (0) | Categorisation permission issue with Calendars and Trackers | Bug: Error; Bug: Consistency | 0 | 9 | | | 2013-06-06 | 1 | marclaporte-27 Dec 09 |
| closed | | (0) | Change Crypt passwords method | Feature request | | 4 | | | 2008-08-18 | 0 | |
| closed | | (0) | CVE-2006-6457 tikiwiki vulnerable | Bug: Error; Support request | | | | | 2007-06-12 | 1 | marclaporte-12 Jun 07 |
| closed | Xavi | (0) | false positive at tikiwiki security error report | Bug: Usability; Dogfood on a *.tiki.org site | | 4 | | | 2013-01-10 | 0 | |
| closed | mr_teatime | (0) | Forum security issue: Ref: H56 | Bug: Error | | 7 | | Nelson | 2007-10-13 | 0 | |
| closed | Marc Laporte | (0) | HTMLpurifier no longer permits to use Paypal buttons (starting in Tiki4) | Bug: Regression; Bug: conflict of two features (each works well independently) | | 8 | | | 2013-03-21 | 3 | marclaporte-27 Feb 10 |
| closed | Marc Laporte | (0) | image gallery: sort_mode=filesize causes mysql error and path disclosure | Bug: Error | | 5 | | luciash d' being | 2008-03-06 | 0 | |
| closed | jcarter | (0) | LDAP Admin Password Stored as Plain Text In System Logs | Less than 30-minute fix | 45 | 9 high | 5 | | 2012-06-08 | 1 | jcarter-14 May 12 |
| closed | mrisch | (0) | mail-in provides no security | Bug: Error | 0 | 4 | | | 2013-06-14 | 3 | SEWilco-26 Nov 08 |
| closed | sjfoster | (0) | Modules do not work when called from within wiki pages | Bug: Error | | 8 | | | 2010-01-15 | 3 | sjfoster-15 Jan 10 |
| closed | SEWilco | (0) | Multimedia Flash unusable due to XSS protection | Bug: Error; Bug: Usability; Bug: Regression | | 9 high | | | 2009-04-10 | 3 | SEWilco-24 Nov 08 |
| closed | Marc Laporte | (0) | My site totally dead: Warning: ini_set() has been disabled for security reasons | Bug: Error | | 7 | | | 2009-04-28 | 3 | bobcatt-15 Oct 07 |
| closed | alain_desilets | (0) | Need stronger CAPTCHA | Feature request | | 7 | | | 2012-03-29 | 1 | SEWilco-12 Feb 09 |
| closed | alain_desilets | (0) | Need to restart browser after accessing a closed site | Bug: Error | 50 | 10 high | 5 | manivannans | 2013-10-29 | 0 | |
| closed | asidhu | (0) | No access permission on articles----articles accessible by articleID for any group | Feature request | | | | | 2007-12-05 | 2 | asidhu-17 Jan 07 |
| closed | Marc Laporte | (0) | Optional disabling on javascript stripping protection | Feature request; Dogfood on a *.tiki.org site | | 6 | | Louis-Philippe Huberdeau | 2010-01-15 | 0 | |
| closed | Marc Laporte | (0) | Password manager | Feature request; Dogfood on a *.tiki.org site | 0 | 6 | | | 2013-06-05 | 1 | carsten.aevermann-08 Aug 10 |
| closed | Xavi | (0) | Password shown in clear under some circumstances | Feature request | 25 | 5 | 5 | | 2013-12-04 | 0 | |
| closed | EgiX | (0) | PHP Code Injection Vulnerability | | | 9 high | | | 2012-05-20 | 0 | |
| closed | Marc Laporte | (0) | Plugin html should have security, and pass code exactly as is | Feature request | 0 | 6 | | | 2013-06-05 | 0 | |
| closed | Xavi | (0) | Plugin VIMEO needed to be rewritten to vimeo to prevent < x> to show up in the url param at edition time | Bug: Regression | 25 | 5 | 5 | Jonny Bradley | 2013-11-22 | 3 | jonnybradley-21 Oct 13 |
| closed | Marc Laporte | (0) | PluginMediaPlayer should use own copy of flash file and not call the web (added to composer) | Bug: Consistency | 54 | 6 | 9 | manivannans | 2013-11-03 | 2 | daniam-26 Oct 13 |
| closed | Marc Laporte | (0) | Plugins admin interface to activate/deactivate plugins | Feature request | | 9 high | | Louis-Philippe Huberdeau | 2009-03-01 | 0 | |
| closed | Xavi | (0) | potential security hole related to managing users | Bug: Usability; Support request | | 9 high | | | 2010-03-31 | 0 | |
| closed | joon2g | (0) | Profiles Repository URLs Are Not Connect | Bug: Usability; Support request | 0 | 7 | | | 2014-04-28 | 0 | |
| closed | Marc Laporte | (0) | Restrict possible characters in usernames | Bug: Error; Bug: Usability; Feature request | | 3 | | | 2009-03-03 | 0 | |
| closed | Marc Laporte | (0) | Secdb automatic check with cron job | Feature request | | 5 | | Louis-Philippe Huberdeau | 2009-04-10 | 1 | kerrnel22-12 Dec 07 |
| closed | Danny Staple | (0) | Security:Active XSS in URI allows remote exploitation of user browser | Bug: Error | | 8 | | | 2009-04-17 | 0 | |
| closed | Xavi | (0) | site based on 2.2 + tikipedia attacked at tiki-browse_image.php from galleries | Bug: Usability; Dogfood on a *.tiki.org site | | 9 high | | | 2009-04-18 | 1 | chibaguy-19 Apr 09 |
| closed | leagris | (0) | smarty_security and tiki_cdn cause Icons missing when using own content delivery network | Patch; Bug: conflict of two features (each works well independently) | 50 | 5 | 10 easy | | 2013-11-21 | 4 | marclaporte-21 Oct 13 |
| closed | Arnaud HERVE | (0) | styles/transitions/2.1to3.0.css file vandalized | | | 8 | | | 2010-01-14 | 1 | marclaporte-14 Jan 10 |
| closed | walklife | (0) | tiki_p_search makes users "admin" | Bug: Error; Bug: Consistency | | 8 | | | 2008-04-01 | 3 | snarlydwarf-01 Apr 08 |
| closed | nikhilodeon | (0) | TikiWiki 2.0: Odd Tags get Inserted into HTML Code | Bug: Error; Bug: Usability; Bug: Consistency | | | | | 2008-08-13 | 0 | |
| closed | nikhilodeon | (0) | TikiWiki 2.0: SearchBox Not Displaying for Anonymous Users | Bug: Usability; Support request | | 7 | | nikhilodeon | 2008-09-04 | 0 | |
| closed | auditor | (0) | tikiwiki version 1.9.5 (CVS) -Sirius- mysql password disclosure & xss | Bug: Error | | 9 high | | Oliver Hertel | 2006-11-01 | 0 | |
| closed | pagdev | (0) | topic permissions not working in tiki-list_articles.php | Bug: Error; Patch; Support request | | 6 | | | 2008-11-17 | 0 | |
| closed | DesertWolf | (0) | URL_ID replaced in a link | Bug: Error; Bug: Usability | | 4 | | | 2009-09-13 | 1 | DesertWolf-22 Oct 08 |
| closed | Regan | (0) | Using preg_replace with /e modifier | Bug: Error; Feature request; Patch | | | | | 2010-01-28 | 4 | Chealer9-28 Jan 10 |
| closed | OnnoPaap | (0) | Vulnerability in registration | | | 9 high | | OnnoPaap | 2007-10-14 | 1 | marclaporte-02 Jun 07 |
| closed | xen | (0) | webdav | | | | | | 2012-02-27 | 2 | marclaporte-27 Feb 12 |
| closed | Marc Laporte | (0) | Wiki cache & plugins: WYSIWYCA problem when admin visits the page (and creates the cache) | Bug: Error | | 6 | | | 2007-08-30 | 1 | marclaporte-18 Aug 07 |
| closed | Marc Laporte | (0) | Wiki cache & plugins: WYSIWYCA problem when admin visits the page (and creates the cache) | Bug: Error | | 6 | | SEWilco | 2008-10-14 | 8 | SEWilco-16 Sep 08 |
| closed | Fortify | (0) | XSS vulnerability issue B96 | Bug: Error | | 9 high | | | 2008-02-26 | 0 | |
Keywords

The following is a list of keywords that should serve as hubs for navigation within Tiki development and should correspond to documentation keywords.

Each feature in Tiki has a wiki page that regroups all the bugs, requests for enhancements, etc. for that feature; it is a form of wiki-based project management. You can also express your interest in a feature by adding it to your profile, and you can try out the Dynamic filter.

Accessibility (WAI & 508)
Accounting 7.x
Administration
Ajax 2.x
Articles & Submissions
Backlinks
Banner
Batch 6.x
BigBlueButton audio/video/chat/screensharing (5.x)
Blog
Bookmark
Browser Compatibility
Calendar
Category
Chat
Comment
Communication Center
Consistency
Contacts Address book
Contact us
Content template
Contribution 2.x
Cookie
Copyright
Credits 6.x
Custom Home (and Group Home Page)
Database MySQL - MyISAM
Database MySQL - InnoDB
Date and Time
Debugger Console
Directory (of hyperlinks)
Documentation link from Tiki to doc.tiki.org (Help System)
Docs 8.x
DogFood
Draw 7.x
Dynamic Content
Preferences
Dynamic Variable
External Authentication
FAQ
Featured links
Feeds (RSS)
File Gallery
Forum
Friendship Network (Community)
Group
Help
Hotword
HTML Page
i18n (Multilingual, l10n, Babelfish)
Image Gallery
Import-Export
Install
Integrator
Interoperability
Inter-User Messages
InterTiki
jQuery
Kaltura video management
Karma
Live Support
Logs (system & action)
Lost edit protection
Mail-in
Map
Menu
Meta Tag
Missing features
Visual Mapping 3.x
Mobile Tiki and Voice Tiki
Mods
Module
MultiTiki
MyTiki
Newsletter
Notepad
OS independence (Non-Linux, Windows/IIS, Mac, BSD)
Organic Groups (Self-managed Teams)
Payment 5.x
Performance Speed / Load / Compression / Cache
Permission
Poll
Profiles
Quiz
Rating
Report
Score
Search engine optimization (SEO)
Search
Security
Semantic links 3.x
Shopping Cart 5.x
Shoutbox
Site Identity
Slideshow
Smarty Template
Social Networking
Spam protection (Anti-bot CAPTCHA)
Spellcheck
Spreadsheet
Staging and Approval
Stats
Survey
Syntax Highlighter (Codemirror)
Tags 2.x
Task
Tell a Friend, alert + Social Bookmarking
Terms and Conditions
Theme
TikiTests 2.x
Timesheet
Toolbar (Quicktags)
Trackers
TRIM
User Administration
User Files
User Menu
Watch
WebHelp
Webmail and Groupmail
WebServices 3.x
Wiki 3D
Wiki History, page rename, etc
Wiki plugins extends basic syntax
Wiki syntax text area, parser, etc
Wiki structure (book and table of content)
Workspace and perspectives 4.x
WYSIWTSN 4.x
WYSIWYCA
WYSIWYG 2.x
XMLRPC