Serious security problem in 1.9 RC4?

Development

Forum List Topic List

Serious security problem in 1.9 RC4?

Posted by Luis Pedro 09 Mar 2005 18:49 GMT-0000 posts: 46 ☆ ☆ ☆ Portugal

Hi to all,
I've tried this in two diferent sites that use tiki 1.9 RC4 and I got the same problem. Just try to access (anonymous) to http://yoursite.com/tiki-edit_templates.php?template=tiki-show_page.tpl

In fact, if the feature Edit Templates it's enabled, anyone will be able to access to this.

To solve my problem, I've added tiki-edit_templates.php the following:

Copy to clipboard

if ($tiki_p_admin != 'y') {
        $smarty->assign('msg', tra("You do not have permission to use this feature"));

        $smarty->display("error.tpl");
        die;
}

I'm not sure that this is the best way to do it, but it works

Is there anyone that can confirm that this is really a security proble in tiki 1.9RC4?

Luis Pedro

Reads: 1506

Link

Posted by terris 09 Mar 2005 19:05 GMT-0000 posts: 57 ☆ ☆ ☆

From what I can tell, yes, you can view the templates (big deal) but you can't modify them.

Link

Jump to forum:

Upcoming Events

1)	16 May 2024 14:00 GMT-0000 Tiki Roundtable Meeting
2)	20 Jun 2024 14:00 GMT-0000 Tiki Roundtable Meeting
3)	18 Jul 2024 14:00 GMT-0000 Tiki Roundtable Meeting
4)	15 Aug 2024 14:00 GMT-0000 Tiki Roundtable Meeting
5)	19 Sep 2024 14:00 GMT-0000 Tiki Roundtable Meeting
6)	08 Oct 2024 Tiki birthday
7)	17 Oct 2024 14:00 GMT-0000 Tiki Roundtable Meeting
8)	21 Nov 2024 14:00 GMT-0000 Tiki Roundtable Meeting
9)	19 Dec 2024 14:00 GMT-0000 Tiki Roundtable Meeting

Latest Page Changes

...more

Development