Gentoo Logo

Tikiwiki: SQL injection and multiple XSS vulnerabilities


1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200606-29 / tikiwiki
Release Date June 29, 2006
Latest Revision June 29, 2006: 01
Impact normal
Exploitable remote
Package Vulnerable versions Unaffected versions Architecture(s)
www-apps/tikiwiki < 1.9.4 >= 1.9.4 All supported architectures

Related bugreports: #136723, #134483


An SQL injection vulnerability and multiple XSS vulnerabilities have been discovered.

2.  Impact Information


Tikiwiki is a web-based groupware and content management system (CMS), using PHP, ADOdb and Smarty.


Tikiwiki fails to properly sanitize user input before processing it, including in SQL statements.


An attacker could execute arbitrary SQL statements on the underlying database, or inject arbitrary scripts into the context of a user's browser.

3.  Resolution Information


There is no known workaround at this time.


All Tikiwiki users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/tikiwiki-1.9.4"

4.  References


Page updated June 29, 2006

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2015 Gentoo Foundation, Inc. Questions, Comments? Contact us.