Loading...
 

 Note

This page is to document "what Tiki should do". For feature documentation (what Tiki does), please see corresponding page on doc site
Intrusions, site breakage, lost data Features »  Security Type of page »  Feature page Type of page »  Developers documentation

Security

Disclose a Security Vulnerability

Please contact the security team with full details of any security vulnerability you may discover. Please be sure to include instructions for how we can contact you for follow up.

We encourage you to use the Tiki Wiki CMS Groupware Release/Security Team PGP/GPG key to encrypt your report to us.

pub   4096R/0xBC50FC18256C3F93 2012-06-27
Key fingerprint = 6F76 39C9 6C8A 12D7 8F12  89A0 BC50 FC18 256C 3F93
uid   Tiki Wiki CMS Groupware Release/Security Team (http://security.tikiwiki.org/) <security@tikiwiki.org>

If you have time, please also report the vulnerability using the Tiki bug tracking system, using the category "security," but without detailing the vulnerability, so that it cannot be exploited.

Please also see:

Open

 RatingSubjectSubmitted byCategoryImportanceEasy to solve?PriorityVolunteered to solveLastModifComs
open -2 -1 1 2 (0) Help No spam protection for shoutbox usersJan KrohnBug: Usability
7
 
 
2009-10-290
open -2 -1 1 2 (0) Help Security issue in a moduleBug: Error
7
 
 
2008-12-120
open -2 -1 1 2 (0) Help Login at workflow.tw.o and info.tw.o fails with XMLRPC Error: 5mikespubBug: Error
Dogfood on a *.tiki.org site
 
 
 
2008-12-210
open -2 -1 1 2 (0) Help Logout fails to work when web authorization is selectedmizraithBug: Usability
5
 
mizraith
2009-04-080
open -2 -1 1 2 (0) Help Enhancement: Use .htpasswd / .htgroup for user access & controlmizraithFeature request
5
 
 
2009-04-251
marclaporte-23 Sep 13
open -2 -1 1 2 (0) Help ssl_error_rx_record_too_long when using "Require Secure (HTTPS) login" (CPANEL self-signed cert.)Peder KittelsonBug: Error
Bug: Usability
1 low
 
 
2010-03-150
open -2 -1 1 2 (0) Help Take in account the Apache option "AccessFileName" Bernard TREMBLAYFeature request
3
 
 
2010-08-050
open -2 -1 1 2 (0) Help Errors when trying to change access rightshuogasBug: Error
7
 
Chealer9
2010-09-280
open -2 -1 1 2 (0) Help Tiki 6.1 and later do not work under IIS 6, while 6.0 didmoretolearnBug: Error
Bug: Regression
Bug: Consistency
Less than 30-minute fix
7
 
 
2011-10-086
olibird-13 Apr 11
open -2 -1 1 2 (0) Help temp/.htaccess breaks antibot image servingwu-leeBug: Error
Bug: Usability
Bug: Regression
Less than 30-minute fix
9 high
10 easy
 
2012-08-161
fmg-24 Oct 12
open -2 -1 1 2 (0) Help jCapture doesn't work via SSL when SSL is not valid (rest of Tiki is OK)Marc LaporteBug: conflict of two features (each works well independently)
2
2
 
2013-12-030
open -2 -1 1 2 (1) Help Enhance mail deliveryXaviBug: Usability
8
5
 
2014-02-060
open -2 -1 1 2 (1) Help ValidationXaviBug: Usability
8
3
 
2014-02-100
open -2 -1 1 2 (0) Help Web Auth Needs Some Fine TuningmizraithBug: Usability
Feature request
Bug: conflict of two features (each works well independently)
7
 
mizraith
2009-04-080
open -2 -1 1 2 (0) Help anti hammering is a nice security feature against floodingGergelyFeature request
Documentation (or Advocacy)
 
 
 
2010-12-120
open -2 -1 1 2 (0) Help Redirect plugin: add wiki= so we can use this plugin without a validation at each pageFeature request
Less than 30-minute fix
6
8
48
 
2010-01-150
open -2 -1 1 2 (0) Help Add a virtual keyboardMarc LaporteFeature request
4
8
32
 
2014-01-300
open -2 -1 1 2 (0) Help "protect all sessions" conflicts other https preferencesMarc LaporteBug: conflict of two features (each works well independently)
7
5
35
 
2013-10-280
open -2 -1 1 2 (0) Help Registration vulnerabilityedwinbenninkSupport request
7
 
 
2012-06-080
open -2 -1 1 2 (0) Help OpenPGP support for emails to usersFrank GuthausenFeature request
7
5
35
 
2013-10-282
fmg-01 Oct 12
open -2 -1 1 2 (0) Help Smarter handling of HTTPS/SSL for included elements that are in HTTP (especially JavaScript)Marc LaporteBug: conflict of two features (each works well independently)
7
5
35
k
2013-10-285
marclaporte-09 Mar 13
open -2 -1 1 2 (0) Help 9.1, trackers, security: hidden user selector type field keeps listing all the users as optionsGergelyBug: Usability
7
5
35
 
2013-10-280
open -2 -1 1 2 (0) Help onclick, onmouseover, etc. cause the in preview, and preview diffMarc LaporteBug: conflict of two features (each works well independently)
6
1 difficult
6
 
2013-10-280
open -2 -1 1 2 (0) Help PHPIDS (PHP-Intrusion Detection System) Marc LaporteFeature request
9
5
45
 
2013-10-280
open -2 -1 1 2 (0) Help Adding some Tiki built-in login authentication methodsAmirSharifFeature request
10 high
1 difficult
10
 
2013-10-201
marclaporte-27 Nov 13
open -2 -1 1 2 (0) Help Setting admin password in the installer, with option to force change at first loginMarc LaporteFeature request
6
 
0
 
2013-11-250
open -2 -1 1 2 (0) Help Fatal error: Call to undefined TikiDb_Adodb::setAttribute() in ..\lib\tikisession-pdo.php on line 18Bug: Error
6
 
 
2009-11-175
trebly-07 Feb 10
open -2 -1 1 2 (0) Help Review .htaccess from HTML5 Boilerplate for security and performanceMarc LaporteFeature request
6
6
36
 
2013-11-230
open -2 -1 1 2 (0) Help "Ignore individual object permissions" not working for Lucene EngineJenserBug: Error
7
 
0
 
2013-06-050
open -2 -1 1 2 (0) Help Plugin validation does not work, TW50B1GergelyBug: Error
Bug: Usability
Bug: Regression
7
 
 
2010-12-221
Gergely-16 Aug 10
open -2 -1 1 2 (0) Help default tiki setup vulnarable to subfolder linksGergelyBug: Error
7
 
 
2010-12-131
Gergely-18 Jan 11
open -2 -1 1 2 (0) Help Social networking complicationsSteveBug: Usability
7
 
 
2010-11-182
Vranicoff-30 Dec 10
open -2 -1 1 2 (0) Help Add "tiki_p_admin_structures" permissionRiSKBug: Usability
Feature request
6
 
 
2010-04-070

Pending

 RatingSubjectSubmitted byCategoryImportanceEasy to solve?PriorityVolunteered to solveLastModifComs
pending -2 -1 1 2 (0) Help Upgrade to rel 4 : No permissions for user "admin"peter5Bug: Regression
Less than 30-minute fix
9 high
8
72
 
2010-01-153
plugmusc-17 Jan 11
pending -2 -1 1 2 (0) Help CLI search index maintenance conflicts with "Protect all sessions with HTTPS"noumenonBug: conflict of two features (each works well independently)
Less than 30-minute fix
Indexing
7
10 easy
70
 
2013-11-043
marclaporte-05 Nov 13
pending -2 -1 1 2 (0) Help Lost changes when you mistype antibot codealain_desiletsBug: Error
10 high
6
60
manivannans
2013-12-022
jonnybradley-19 May 14
pending -2 -1 1 2 (0) Help LDAP authentication with StartTLSjonthetechBug: Error
6
10 easy
60
 
2014-05-191
luci-19 May 14
pending -2 -1 1 2 (0) Help Approving a user logs the admin as that useralain_desiletsBug: Regression
10 high
5
50
manivannans
2013-11-291
alain_desilets-09 Dec 13
pending -2 -1 1 2 (0) Help 12.x to 13.x upgrade: "Plugin execution pending approval" on http://doc.tiki.org/MenuMarc LaporteDogfood on a *.tiki.org site
7
7
49
jonnybradley
2014-07-210
pending -2 -1 1 2 (0) Help Password will not be accepted when using @ > or < in the password string (with or without LDAP)ukoeglerBug: Usability
Bug: Regression
10 high
3
30
 
2013-11-036
marclaporte-03 Nov 13
pending -2 -1 1 2 (0) Help Trackback pings should not use fopen to open urls.Florian GleixnerBug: Error
3
 
 
2008-04-041
mrisch-03 Feb 08
pending -2 -1 1 2 (0) Help Image attachements are not saved uniqueBernhard ScholzBug: Error
Bug: Usability
5
 
 
2007-06-035
mccabem-29 Apr 08
pending -2 -1 1 2 (0) Help Security bug which bypasses directory site validation.dknudsonBug: Error
5
 
 
2008-02-030
pending -2 -1 1 2 (0) Help wiki-edit: footnotes allows htmlWoGBug: Error
3
 
 
2008-02-031
marclaporte-03 Feb 08
pending -2 -1 1 2 (0) Help dynamic contents in userdefined modules crashes tikikern
3
 
 
2007-07-100
pending -2 -1 1 2 (0) Help Warning: is_dir(): Stat failed for ./img/wiki_up/tiki1/... intiki-admin_security.php?check_filesXaviBug: Usability
6
 
 
2006-09-060
pending -2 -1 1 2 (0) Help Built it TPL editor removes Javascript from the TemplatesBug: Usability
Feature request
3
 
nyloth
2008-10-143
marclaporte-06 Dec 07
pending -2 -1 1 2 (0) Help Path disclosure bug in trackersMarc LaporteBug: Error
2
 
 
2007-06-120
pending -2 -1 1 2 (0) Help binddb and bindpw not used when binding to LDAPalexrBug: Error
Patch
5
 
 
2010-10-082
Chealer9-08 Oct 10
pending -2 -1 1 2 (0) Help Secdb for all files (not just php)Marc LaporteFeature request
5
 
 
2007-11-241
marclaporte-27 Sep 12
pending -2 -1 1 2 (0) Help Trackers: ratings fake vote by URLMarc LaporteBug: Error
Dogfood on a *.tiki.org site
3
 
 
2007-12-070
pending -2 -1 1 2 (0) Help Registration Page does not display and password suggestion does not consider security settings.orkzBug: Usability
Feature request
6
 
 
2008-02-032
horizon-06 Apr 08
pending -2 -1 1 2 (0) Help Easy way to deal with SSL when using external images or scriptsMarc LaporteFeature request
1 low
 
 
2012-10-020
pending -2 -1 1 2 (0) Help Security DB and mods don't work together Marc LaporteBug: Usability
Feature request
1 low
 
 
2008-02-220
pending -2 -1 1 2 (0) Help File gallery: Virus checkerMarc LaporteFeature request
1 low
 
 
2008-10-141
marclaporte-01 Dec 13
pending -2 -1 1 2 (0) Help Instantaneous visual feedback of password strengthMarc LaporteFeature request
3
 
ricks99
2008-08-290
pending -2 -1 1 2 (0) Help User Information Page shows non-public wiki page titlesmrischBug: Error
7
 
 
2008-07-241
SiL3NC3-18 Jun 11
pending -2 -1 1 2 (0) Help security issue: login issueglanBug: Error
8
 
 
2012-05-200

Closed

 RatingSubjectSubmitted byCategoryImportanceEasy to solve?PriorityVolunteered to solveLastModifComs
closed -2 -1 1 2 (0) Help PluginMediaPlayer should use own copy of flash file and not call the web (added to composer)Marc LaporteBug: Consistency
6
9
54
manivannans
2013-11-032
daniam-26 Oct 13
closed -2 -1 1 2 (0) Help smarty_security and tiki_cdn cause Icons missing when using own content delivery networkleagrisPatch
Bug: conflict of two features (each works well independently)
5
10 easy
50
 
2013-11-214
marclaporte-21 Oct 13
closed -2 -1 1 2 (0) Help Need to restart browser after accessing a closed sitealain_desiletsBug: Error
10 high
5
50
manivannans
2013-10-290
closed -2 -1 1 2 (0) Help LDAP Admin Password Stored as Plain Text In System LogsjcarterLess than 30-minute fix
9 high
5
45
 
2012-06-081
jcarter-14 May 12
closed -2 -1 1 2 (0) Help Plugin VIMEO needed to be rewritten to vimeo to prevent < x> to show up in the url param at edition timeXaviBug: Regression
5
5
25
jonnybradley
2013-11-223
jonnybradley-21 Oct 13
closed -2 -1 1 2 (0) Help Password shown in clear under some circumstancesXaviFeature request
5
5
25
 
2013-12-040
closed -2 -1 1 2 (0) Help mail-in provides no securitymrischBug: Error
4
 
0
 
2013-06-143
SEWilco-26 Nov 08
closed -2 -1 1 2 (0) Help Categorisation permission issue with Calendars and TrackersGeoff BrickellBug: Error
Bug: Consistency
9
 
0
 
2013-06-061
marclaporte-27 Dec 09
closed -2 -1 1 2 (0) Help Plugin html should have security, and pass code exactly as isMarc LaporteFeature request
6
 
0
 
2013-06-050
closed -2 -1 1 2 (0) Help Password managerMarc LaporteFeature request
Dogfood on a *.tiki.org site
6
 
0
 
2013-06-051
carsten.aevermann-08 Aug 10
closed -2 -1 1 2 (0) Help Profiles Repository URLs Are Not Connect joon2gBug: Usability
Support request
7
 
0
 
2014-04-280
closed -2 -1 1 2 (0) Help Plugins admin interface to activate/deactivate pluginsMarc LaporteFeature request
9 high
 
lphuberdeau
2009-03-010
closed -2 -1 1 2 (0) Help Optional disabling on javascript stripping protectionMarc LaporteFeature request
Dogfood on a *.tiki.org site
6
 
lphuberdeau
2010-01-150
closed -2 -1 1 2 (0) Help tikiwiki version 1.9.5 (CVS) -Sirius- mysql password disclosure & xssauditorBug: Error
9 high
 
ohertel
2006-11-010
closed -2 -1 1 2 (0) Help No access permission on articles----articles accessible by articleID for any groupasidhuFeature request
 
 
 
2007-12-052
asidhu-17 Jan 07
closed -2 -1 1 2 (0) Help Vulnerability in registratingOnnoPaap
9 high
 
OnnoPaap
2007-10-141
marclaporte-02 Jun 07
closed -2 -1 1 2 (0) Help CVE-2006-6457 tikiwiki vulnerableBug: Error
Support request
 
 
 
2007-06-121
marclaporte-12 Jun 07
closed -2 -1 1 2 (0) Help Better protection against accidental site breakage with improper use of code in modules + template Marc LaporteBug: Error
Bug: Usability
Feature request
4
 
 
2009-01-306
marclaporte-30 Jan 09
closed -2 -1 1 2 (0) Help Banning users ( tiki-admin_banning.php ) doesn't work for me at doc.tw.oXaviBug: Usability
6
 
luci
2010-03-311
luci-21 Jun 07
closed -2 -1 1 2 (0) Help My site totally dead: Warning: ini_set() has been disabled for security reasonsMarc LaporteBug: Error
7
 
 
2009-04-283
bobcatt-15 Oct 07
closed -2 -1 1 2 (0) Help Wiki cache & plugins: WYSIWYCA problem when admin visits the page (and creates the cache)Marc LaporteBug: Error
6
 
 
2007-08-301
marclaporte-18 Aug 07
closed -2 -1 1 2 (0) Help Forum security issue: Ref: H56mr_teatimeBug: Error
7
 
koth
2007-10-130
closed -2 -1 1 2 (0) Help Restrict possible characters in usernamesMarc LaporteBug: Error
Bug: Usability
Feature request
3
 
 
2009-03-030
closed -2 -1 1 2 (0) Help Wiki cache & plugins: WYSIWYCA problem when admin visits the page (and creates the cache)Marc LaporteBug: Error
6
 
SEWilco
2008-10-148
SEWilco-16 Sep 08
closed -2 -1 1 2 (0) Help image gallery: sort_mode=filesize causes mysql error and path disclosureMarc LaporteBug: Error
5
 
luci
2008-03-060
closed -2 -1 1 2 (0) Help Secdb automatic check with cron jobMarc LaporteFeature request
5
 
lphuberdeau
2009-04-101
kerrnel22-12 Dec 07
closed -2 -1 1 2 (0) Help XSS vulnerability issue B96FortifyBug: Error
9 high
 
 
2008-02-260
closed -2 -1 1 2 (0) Help Authenticated RSSMarc LaporteFeature request
5
 
 
2009-06-012
marclaporte-02 Jun 09
closed -2 -1 1 2 (0) Help tiki_p_search makes users "admin"walklifeBug: Error
Bug: Consistency
8
 
 
2008-04-013
snarlydwarf-01 Apr 08
closed -2 -1 1 2 (0) Help Automatic SVN commit of secdb and syncdbMarc LaporteCommunity projects
5
 
 
2012-09-271
marclaporte-27 Sep 12
closed -2 -1 1 2 (0) Help Need stronger CAPTCHAalain_desiletsFeature request
7
 
 
2012-03-291
SEWilco-12 Feb 09
closed -2 -1 1 2 (0) Help Change Crypt passwords methodFeature request
4
 
 
2008-08-180
closed -2 -1 1 2 (0) Help TikiWiki 2.0: Odd Tags get Inserted into HTML CodenikhilodeonBug: Error
Bug: Usability
Bug: Consistency
 
 
 
2008-08-130
closed -2 -1 1 2 (0) Help TikiWiki 2.0: SearchBox Not Displaying for Anonymous UsersnikhilodeonBug: Usability
Support request
7
 
nikhilodeon
2008-09-040
closed -2 -1 1 2 (0) Help URL_ID replaced in a linkDesertWolfBug: Error
Bug: Usability
4
&nbsp;
&nbsp;
2009-09-131
DesertWolf-22 Oct 08
closed


-2

-1

1

2



(0)

Help

&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt;&lt;th&gt;Volunteered to solve&lt;/th&gt;&lt;td&gt;&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt;&lt;th&gt;Lastmod by&lt;/th&gt;&lt;td&gt;marclaporte&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt;&lt;th&gt;Version&lt;/th&gt;&lt;td&gt;2.x&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt;&lt;th&gt;WishList Team - Notes to Self&lt;/th&gt;&lt;td&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/div&gt;" data-html=true data-type="trackeritem" data-object="2096">Multimedia Flash unusable due to XSS protectionSEWilcoBug: Error
Bug: Usability
Bug: Regression
9 high
&nbsp;
&nbsp;
2009-04-103
SEWilco-24 Nov 08
closed


-2

-1

1

2



(0)

Help

topic permissions not working in tiki-list_articles.phppagdevBug: Error
Patch
Support request
6
&nbsp;
&nbsp;
2008-11-170
closed


-2

-1

1

2



(0)

Help

site based on 2.2 + tikipedia attacked at tiki-browse_image.php from galleriesXaviBug: Usability
Dogfood on a *.tiki.org site
9 high
&nbsp;
&nbsp;
2009-04-181
chibaguy-19 Apr 09
closed


-2

-1

1

2



(0)

Help

false positive at tikiwiki security error report XaviBug: Usability
Dogfood on a *.tiki.org site
4
&nbsp;
&nbsp;
2013-01-100
closed


-2

-1

1

2



(0)

Help

Security:Active XSS in URI allows remote exploitation of user browserDanny StapleBug: Error
8
&nbsp;
&nbsp;
2009-04-170
closed


-2

-1

1

2



(0)

Help

styles/transitions/2.1to3.0.css file vandalizedArnaud HERVE
8
&nbsp;
&nbsp;
2010-01-141
marclaporte-14 Jan 10
closed


-2

-1

1

2



(0)

Help

Modules do not work when called from within wiki pagessjfosterBug: Error
8
&nbsp;
&nbsp;
2010-01-153
sjfoster-15 Jan 10
closed


-2

-1

1

2



(0)

Help

potential security hole related to managing usersXaviBug: Usability
Support request
9 high
&nbsp;
&nbsp;
2010-03-310
closed


-2

-1

1

2



(0)

Help

Using preg_replace with /e modifierReganBug: Error
Feature request
Patch
&nbsp;
&nbsp;
&nbsp;
2010-01-284
Chealer9-28 Jan 10
closed


-2

-1

1

2



(0)

Help

HTMLpurifier no longer permits to use Paypal buttons (starting in Tiki4)Marc LaporteBug: Regression
Bug: conflict of two features (each works well independently)
8
&nbsp;
&nbsp;
2013-03-213
marclaporte-27 Feb 10
closed


-2

-1

1

2



(0)

Help

Add New User - Gen Password - Validate By Email is Broken in 4.1 and 4.2EdBug: Error
Bug: Usability
Bug: Regression
Bug: Consistency
9 high
&nbsp;
&nbsp;
2010-04-020
closed


-2

-1

1

2



(0)

Help

PHP Code Injection VulnerabilityEgiX
9 high
&nbsp;
&nbsp;
2012-05-200
closed


-2

-1

1

2



(0)

Help

webdavxen
&nbsp;
&nbsp;
&nbsp;
2012-02-272
marclaporte-27 Feb 12
closed


-2

-1

1

2



(0)

Help

Critical security vulnerabilityEgiX
9 high
&nbsp;
&nbsp;
2012-05-200
~/np~

Spaces [Toggle]

Search Wishes (subject only) [Toggle]

Keywords [Toggle]

The following is a list of keywords that should serve as hubs for navigation within the Tiki development and should correspond to documentation keywords.

Each feature in Tiki has a wiki page which regroups all the bugs, requests for enhancements, etc. It is somewhat a form of wiki-based project management. You can also express your interest in a feature by adding it to your profile. You can also try out the Dynamic filter.

Accessibility (WAI & 508)
Accounting 7.x
Administration
Ajax 2.x
Articles & Submissions
Backlinks
Banner
Batch 6.x
BigBlueButton audio/video/chat/screensharing (5.x)
Blog
Bookmark
Browser Compatibility
Calendar
Category
Chat
Comment
Communication Center
Consistency
Contacts Address book
Contact us
Content template
Contribution 2.x
Cookie
Copyright
Credits 6.x
Custom Home (and Group Home Page)
Database MySQL - MyISAM
Database MySQL - InnoDB
Date and Time
Debugger Console
Directory (of hyperlinks)
Documentation link from Tiki to doc.tiki.org (Help System)
Docs 8.x
DogFood
Draw 7.x
Dynamic Content
Preferences
Dynamic Variable
External Authentication
FAQ
Featured links
Feeds (RSS)
File Gallery
Forum
Friendship Network (Community)
Group
Help
Hotword
HTML Page
i18n (Multilingual, l10n, Babelfish)
Image Gallery
Import-Export
Install
Integrator
Interoperability
Inter-User Messages
InterTiki
jQuery
Kaltura video management
Karma
Live Support
Logs (system & action)
Lost edit protection
Mail-in
Map
Menu
Meta Tag
Missing features
Visual Mapping 3.x
Mobile Tiki and Voice Tiki
Mods
Module
MultiTiki
MyTiki
Newsletter
Notepad
OS independence (Non-Linux, Windows/IIS, Mac, BSD)
Payment 5.x
Performance Speed / Load / Compression / Cache
Permission
Poll
Profiles
Quiz
Rating
Report
Score
Search engine optimization (SEO)
Search
Security
Semantic links 3.x
Shopping Cart 5.x
Shoutbox
Site Identity
Slideshow
Smarty Template
Social Networking
Spam protection (Anti-bot CATPCHA)
Spellcheck
Spreadsheet
Staging and Approval
Stats
Survey
Syntax Highlighter (Codemirror)
Tags 2.x
Task
Tell a Friend, alert + Social Bookmarking
TikiTests 2.x
Theme
Toolbar (Quicktags)
Trackers
TRIM
User Administration
User Files
User Menu
Watch
WebHelp
Webmail and Groupmail
WebServices 3.x
Wiki 3D
Wiki History, page rename, etc
Wiki plugins extends basic syntax
Wiki syntax text area, parser, etc
Wiki structure (book and table of content)
Workspace and perspectives 4.x
WYSIWTSN 4.x
WYSIWYCA
WYSIWYG 2.x
XMLRPC