CVE-2007-5684

Name of the Vulnerable Software and Affected Versions TikiWiki versions 1.9.8.1 and earlier

Description The issue allows remote attackers to include and execute arbitrary files. This can be achieved via absolute pathnames in the error handler file and local php parameters to "tiki-index.php", or through encoded "..%2F" sequences in the imp language parameter to "tiki-imexport languages.php".

Recommendations For TikiWiki versions 1.9.8.1 and earlier, consider disabling access to the tiki-index.php and tiki-imexport languages.php scripts until a fix is available. Restrict the use of the error handler file and local php parameters in "tiki-index.php" and the imp language parameter in "tiki-imexport languages.php" to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.