A security flaw has been found in one file, you should consider upgrading immediately, get the new 220.127.116.11 version on Sourceforge or update your CVS if you use it !
Nelson Koth handled the release process, so now we have a 18.104.22.168 available on Sourceforge:
This is a very nasty flaw on a file that was not even optional so it can be exploited on any version of Tiki since 1.9.1 where tikisheet have been introduced.
You must upgrade your Tikiwiki installation and warn people that could be concerned:
- either grab that new release and upgrade as usual, there are only few file changes and no db upgrade to perform/
- either only upgrade the faulty file, namely tiki-graph_formula.php by replacing yours by the one you'll get on :
or by using cvs:
cvs up tiki-graph_formula.php
The 1.10 branch is also impacted and fixed same way, so "cvs up tiki-graph_formula.php" is advised for HEAD users.
There have been some days between the fix and the release, and it has already been exploited by malevolent scripts/bots/kids/whatever.
Upgrade your Tikiwiki version, fast.
Thanks Nelson of the work on the packaging and release process, and to Sylvie and Marc that also helped in the operation. Thanks too for Shankar that first warned us, and Moritz Naumann, Naumann IT Consulting & Services, that reported details and proof on this flaw.