Gentoo Logo

Tikiwiki: SQL injection and multiple XSS vulnerabilities

Content:

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200606-29 / tikiwiki
Release Date June 29, 2006
Latest Revision June 29, 2006: 01
Impact normal
Exploitable remote
Package Vulnerable versions Unaffected versions Architecture(s)
www-apps/tikiwiki < 1.9.4 >= 1.9.4 All supported architectures

Related bugreports: #136723, #134483

Synopsis

An SQL injection vulnerability and multiple XSS vulnerabilities have been discovered.

2.  Impact Information

Background

Tikiwiki is a web-based groupware and content management system (CMS), using PHP, ADOdb and Smarty.

Description

Tikiwiki fails to properly sanitize user input before processing it, including in SQL statements.

Impact

An attacker could execute arbitrary SQL statements on the underlying database, or inject arbitrary scripts into the context of a user's browser.

3.  Resolution Information

Workaround

There is no known workaround at this time.

Resolution

All Tikiwiki users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/tikiwiki-1.9.4"

4.  References

Print

Page updated June 29, 2006

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.