Serious security problem in 1.9 RC4?
Hi to all,
I've tried this on two different sites that use tiki 1.9 RC4 and I got the same problem. Just try to access (as anonymous) http://yoursite.com/tiki-edit_templates.php?template=tiki-show_page.tpl
In fact, if the feature Edit Templates is enabled, anyone will be able to access this.
To solve my problem, I've added the following to tiki-edit_templates.php:
if ($tiki_p_admin != 'y') {
    $smarty->assign('msg', tra("You do not have permission to use this feature"));
    $smarty->display("error.tpl");
    die;
}
I'm not sure that this is the best way to do it, but it works.
Is there anyone that can confirm that this is really a security problem in tiki 1.9RC4?
Luis Pedro