This may not sound as a bug, but this could be a problem for people who use tiki to build a professional website.
In an ideal CMS, no one has to know what platform the webmaster is using. Knowing the platform from first sight is considered a huge flaw in the design of the CMS. It's not my position to defend this statement, but you're professional developers, and you understand how this should be the first piece of information any hacker is looking for. Honestly I'd be already surprised if this not clear.
With that said, let's state the problem: The problem is that every php page in tiki has the prefix "tiki-", like "tiki-index.php". Now why?
Let's look at this rationally. Does this benefit the user with anything? Absolutely not. As it looks to me, it's just a show-off of the kind "hey look, this website was made by tiki, and the webmaster couldn't get rid of those urls exposing him".
Trust me, some companies will just refuse to use the whole platform because of this! Usually organizations are paranoid about security.
So please, fix this. Just remove every "tiki-" from every file name. There's not a single good reason to have it done this way.
PS: Renaming the files myself is not considered a solution. Even if it works, an update will mess it up.
This was discussed on the Tiki developers mailing list (http://sourceforge.net/p/tikiwiki/mailman/message/33455315/) and the consensus is:
- It isn't a security problem to use "tiki" in the filenames and URLs because this information isn't actually used to target the site.
- If the appearance of "tiki" in the URLs is a problem for site branding purposes, rewrite rules can be used to remove the term, as is now done for wiki pages, blog posts and so on.
- "Tiki" is perhaps used unnecessarily in the interface text, such as for the "MyTiki" section, and this can and should be changed to something generic and descriptive.
- Changing the file names and paths would make problems for updating existing Tiki sites, and would take a lot of time and effort so wouldn't be worthwhile if the same result can be achieved with URL rewriting.
So the plan is to modify the rewrite rules and instances of "tiki" in the interface text.
Show.tiki.org snapshot creation is in progress... Please monitor http:///snapshots/ for progress. Note that if you get a popup asking for a username/password, please just enter "show" and "show".
Password reset was successful
Password reset failed
Show.tiki.org instance destruction is in progress... Please wait...
The public/private keys configured to connect to show2.tiki.org were not accepted. Please make sure you are using RSA keys. Thanks.
Unable to connect to show2.tiki.org. Please let us know of the problem so that we can do something about it. Thanks.
Show.tiki.org is currently under maintenance. Sorry for the inconvenience.
Unable to get information from show2.tiki.org. Please let us know of the problem so that we can do something about it. Thanks.
Show.tiki.org is in the progress of creating the new instance. Please continue waiting for a minute or two. If this continues on for more than 10 minutes, please let us know of the problem so that we can do something about it. Thanks.
To help developers solve the bug, we kindly request that you demonstrate your bug on a show2.tiki.org instance. To start, simply select a version and click on "Create show2.tiki.org instance". Once the instance is ready (in a minute or two), as indicated in the status window below, you can then access that instance, login (the initial admin username/password is "admin") and configure the Tiki to demonstrate your bug. Priority will be given to bugs that have been demonstrated on show2.tiki.org.
The URL for the show2.tiki.org instance that demonstrates this bug is at: http://. Note that if you get a popup asking for a username/password, please just enter "show" and "show". This is different from the initial login and password for a new Tiki which is "admin" and "admin".
For the install log, see http:///info.txt
Note that if you see PHP errors or a Tiki claiming to be missing third party software, the instance creation is probably not finished. Please wait a couple minutes and reload.
Snapshots are database dumps of the configuration that developers can download for debugging. Once you have reproduced your bug on the show2.tiki.org instance, create a snapshot that can then be downloaded by developers for further investigation.
Snapshots can be accessed at: http:///snapshots/. Note that if you get a popup asking for a username/password, please just enter "show" and "show".Create new snapshot
|No attachments for this item|