Tiki is a web-based groupware and content management system that runs on a PHP, ADOdb and Smarty stack. The program is also known under the catchy name TikiWiki. The developers have released a new version in the Sirius series, numbered 1.9.10.1, and have focused mainly on fixing bugs from version 1.9.9, fixing an XSS in tiki-edit_article.php and hardening against future vulnerabilities. The accompanying list of changes looks as follows:
Version 1.9.10.1:
Security fixes:
- Improving input sanitizer. Thank you to Fortify Software for reporting a cross-site scripting (XSS) vulnerability in tiki-edit_article.php.
Note: Until you upgrade, the workaround is to not permit non-trusted users to add/edit articles, or to deactivate the articles feature altogether.
- New pre-emptive securitycheck.php script. This check, which is now part of the release procedures, checks every single potentially dangerous file (.php, .sh, etc.) to make sure it passes some basic checks (such as a feature check, a permission check, verifying that it can't be called directly if it shouldn't be, etc.). If you are not using feature X, you will no longer be potentially affected by a security issue discovered in a feature using that file. If you are using that feature, you can turn it off until you upgrade.
- Adding feature and permission checks to all files to comply with the securitycheck.php script described above.
- Developer scripts now have extra protection to make sure they can't be run from the web (on a badly configured server).
- Some useless files were deleted.
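As an added illustration of the kind of per-file lint the securitycheck.php script described above performs (this is not Tiki's script; the guard idioms, directory layout and file names are assumptions), a small Python audit that flags .php files missing the expected feature check, permission check, no-direct-call guard or CLI-only guard:

```python
import re
from pathlib import PurePosixPath

# Guard idioms are assumptions modelled on Tiki 1.9-style code; the real
# securitycheck.php may look for different patterns.
PATTERNS = {
    "feature_check": re.compile(r"\$(?:feature_\w+|prefs\['feature_\w+'\])\s*!=\s*'y'"),
    "permission_check": re.compile(r"\$tiki_p_\w+\s*!=\s*'y'|user_has_perm\s*\("),
    "no_direct_call": re.compile(r"strpos\(\s*\$_SERVER\['SCRIPT_NAME'\]\s*,\s*basename\(\s*__FILE__\s*\)"),
    "cli_only": re.compile(r"php_sapi_name\(\)\s*!==?\s*'cli'"),
}

def required_checks(path: str) -> set:
    """Guards a file must carry, decided by its role in the tree (assumed layout)."""
    p = PurePosixPath(path)
    if p.suffix != ".php":          # .sh and other file types are out of scope here
        return set()
    if "devtools" in p.parts:       # developer scripts must refuse to run from the web
        return {"cli_only"}
    if p.parts[0] == "lib":         # library files must refuse direct HTTP calls
        return {"no_direct_call"}
    return {"feature_check", "permission_check"}   # web entry points

def audit(files: dict) -> dict:
    """files: {path: PHP source}. Returns {path: [missing guard names]} for offenders."""
    report = {}
    for path, src in files.items():
        missing = [n for n in sorted(required_checks(path)) if not PATTERNS[n].search(src)]
        if missing:
            report[path] = missing
    return report

# Constructed sample tree (hypothetical file names and contents, not Tiki's own files).
SAMPLE_FILES = {
    "tiki-ok_feature.php": (
        "<?php\nrequire_once('tiki-setup.php');\n"
        "if ($feature_example != 'y') { die(tra('This feature is disabled')); }\n"
        "if ($tiki_p_use_example != 'y') { die(tra('Permission denied')); }\n"
    ),
    "tiki-missing_perm.php": (
        "<?php\nrequire_once('tiki-setup.php');\n"
        "if ($feature_example != 'y') { die(tra('This feature is disabled')); }\n"
    ),
    "lib/guarded.php": (
        "<?php\nif (strpos($_SERVER['SCRIPT_NAME'], basename(__FILE__)) !== false) {\n"
        "    header('location: index.php'); exit; }\nclass ExampleLib {}\n"
    ),
    "lib/unguarded.php": "<?php\nclass OtherLib {}\n",
    "doc/devtools/tool.php": "<?php\necho 'rebuilding caches';\n",
    "README.txt": "not a script\n",
}

if __name__ == "__main__":
    for path, missing in audit(SAMPLE_FILES).items():
        print(f"{path}: missing {', '.join(missing)}")
```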
Enhancements:
- Fix a username/password/registration bug issue which was introduced in 1.9.9.
- Image Gallery: Fixed the next-prev glitch which was introduced recently.
- Various fixes to Live Support feature.
- Various fixes to InterTiki feature
- Forums: Prevent forum pruning from removing comments as well, or from other forums.
- Fixes to "thumbnail" plugin
- Better handling of usernames with special characters
- tiki-contact.php has anti-bot protection
- Some administrative fixes and enhancements to the release, security and developer scripts.
- New "superscript" plugin to make easy superscript in wiki page, without using html, like subscript plugin.
Version 1.9.9:
Release checks: This new feature adds 2 options in the general admin panel, to enable/disable remote checks and to set up the frequency of those checks. The check for a new version is done with a simple HTTP request to the tikiwiki.org site when someone with admin perms displays any admin panel. When the check is done and a new version is found, a message is displayed in the admin panels to warn that there is something new, and then no further checks are performed (until upgrade). This feature is enabled by default, which is motivated by the fact that we know people don't usually follow the TikiWiki community activity and take time to upgrade, just because they don't know they should (especially for security releases).
Security fixes (quick security protection):
- Jesus Olmos Gonzalez found a possible path traversal problem in tiki-listmovies.php
- Mesut Timur reported an XSS vulnerability in tiki-special_chars.php
- redflo also took the occasion to find other flaws, in tiki-edit_css.php, tiki-list_games.php, and tiki-g-admin_shared_source.php
Changes:
- disable features: edit css, games, galaxia
- erase files tiki-listmovies.php (which is not used except very exceptionally by people who know their stuff) and tiki-special_chars.php (which is used in quicktags to pop up a small widget to input special characters with odd accents).
- wikiplugin group backported from 1.10
- improvement of wiki help on editpage
- new forum import feature (from tiki to tiki forums)
- some galaxia improvement
- module tail moved to mods
- fix in tracker ratings
- start of a new translation: bulgarian (bg)
- more translation for portuguese brazilian (pt-br)
- fixes in french (fr) translation