Serious security problem in 1.9 RC4?

posts: 46 Portugal

Hi to all,
I've tried this on two different sites that use tiki 1.9 RC4 and I got the same problem. Just try to access (as anonymous) http://yoursite.com/tiki-edit_templates.php?template=tiki-show_page.tpl

In fact, if the Edit Templates feature is enabled, anyone will be able to access this.

To solve my problem, I've added the following to tiki-edit_templates.php:

// Deny access to the template editor unless the current user has the admin permission
if ($tiki_p_admin != 'y') {
    $smarty->assign('msg', tra("You do not have permission to use this feature"));
    $smarty->display("error.tpl");
    die;
}

I'm not sure that this is the best way to do it, but it works.

Is there anyone who can confirm that this is really a security problem in tiki 1.9 RC4?

Luis Pedro

posts: 57
From what I can tell, yes, you can view the templates (big deal) but you can't modify them.