Nelson Koth handled the release process, so now we have a 1.9.8.1 available on Sourceforge:
https://sourceforge.net/project/showfiles.php?group_id=64258&package_id=112134&release_id=546283

This is a very nasty flaw in a file that is not even optional, so it can be exploited on any version of Tiki since 1.9.1, where tikisheets were introduced.

You must upgrade your Tikiwiki installation and warn people who could be affected:

  • either grab that new release and upgrade as usual; there are only a few file changes and no db upgrade to perform.


The 1.10 branch is also impacted and fixed the same way, so "cvs up tiki-graph_formula.php" is advised for HEAD users.

Some days passed between the fix and the release, and it has already been exploited by malicious scripts/bots/kids/whatever.

Upgrade your Tikiwiki version, fast.

Thanks to Nelson for the work on the packaging and release process, and to Sylvie and Marc, who also helped in the operation. Thanks too to Shankar, who first warned us, and to Moritz Naumann, Naumann IT Consulting & Services, who reported details and proof of this flaw.


Cheers,
mose