TikiWiki: Arbitrary command execution

Synopsis: TikiWiki contains a command injection vulnerability which may allow remote execution of arbitrary code.

Package: www-apps/tikiwiki
Announced: October 20, 2007
Revised: October 20, 2007: 01
Bug: 195503
Access: remote
Unaffected: >= 1.9.8.1
Vulnerable: < 1.9.8.1

TikiWiki is an open source content management system written in PHP.

ShAnKaR reported that input passed to the "f" array parameter in tiki-graph_formula.php is not properly verified before being used to execute PHP functions.

An attacker could execute arbitrary code with the rights of the user running the web server by passing a specially crafted parameter string to the tiki-graph_formula.php file.
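Because the "f" array parameter is used to select PHP functions, a defender reviewing web server logs wants to see every request to tiki-graph_formula.php whose formula values name a function outside the small set a graphing script should ever need. The following scanner is an added example, not Gentoo's or TikiWiki's code; the access-log lines are constructed, and the allowlist of formula function names is an assumption, not TikiWiki's actual list.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Oct/2007:10:01:02 +0000] "GET /tiki/tiki-graph_formula.php?w=400&h=300&f[]=x*2 HTTP/1.1" 200 1532
10.0.0.9 - - [20/Oct/2007:10:03:44 +0000] "GET /tiki/tiki-graph_formula.php?w=400&h=300&f[]=sin(x)&f[]=cos(x) HTTP/1.1" 200 2210
10.0.0.7 - - [20/Oct/2007:10:05:11 +0000] "GET /tiki/tiki-wiki.php?page=Home HTTP/1.1" 200 8102
10.0.0.12 - - [20/Oct/2007:10:07:30 +0000] "GET /tiki/tiki-graph_formula.php?f[]=do_thing(x) HTTP/1.1" 200 0
"""

# Assumed allowlist of functions a formula plotter legitimately needs (hypothetical).
ALLOWED_FUNCS = {"sin", "cos", "tan", "sqrt", "log", "exp", "abs", "pow"}
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')
IDENT_RE = re.compile(r"[A-Za-z_]\w*")


def extract_formula_params(request_target):
    """Return values passed via f, f[] or f[n]; None if not the graph script."""
    parts = urlsplit(request_target)
    if not parts.path.endswith("/tiki-graph_formula.php"):
        return None
    # parse_qs percent-decodes both keys and values, so f%5B%5D is seen as f[].
    qs = parse_qs(parts.query, keep_blank_values=True)
    values = []
    for key, vals in qs.items():
        if key == "f" or key.startswith("f["):
            values.extend(vals)
    return values


def suspicious_identifiers(value):
    """Identifiers in a formula that are neither the variable x nor an allowed function."""
    return sorted({t for t in IDENT_RE.findall(value) if t != "x" and t not in ALLOWED_FUNCS})


def scan_log(text):
    """Report requests to tiki-graph_formula.php carrying unexpected function names."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        values = extract_formula_params(m.group("target"))
        if not values:
            continue
        unexpected = sorted({t for v in values for t in suspicious_identifiers(v)})
        if unexpected:
            findings.append({"client": line.split()[0], "values": values, "unexpected": unexpected})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

The same allowlist check, applied before the parameter is ever used to select a function, is the shape of the server-side fix; the upgrade below ships the vendor's correction.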

There is no known workaround at this time.

All TikiWiki users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apps/tikiwiki-1.9.8.1"

References: CVE-2007-5423

Gentoo Security handlers: p-y, rbu