TikiWiki CMS/Groupware Security HeadQuarter
Disclose a vulnerability
To allow us time to patch the system, please report the vulnerability through the
bug tracking system (you need to log in) under the category "security", but
without detailing the vulnerability, so that it cannot be exploited, AND please
contact the security squad with full details; we'll deal with your input.
For more information:
Full Disclosure Policy (RFPolicy) v2.0
To be notified of new releases
New releases are announced in many places, including Freshmeat.
- You need to create an account and log in there
- Visit the Tiki page
- Click "Subscribe"
Tips to enhance security
- Keep your TikiWiki up to date. This is often overlooked!
- Check your server configuration with a script like phpsecinfo
- Check your server & installation using: doc.tikiwiki.org/security+admin
- Have your server professionally installed and kept up to date (PHP, Apache, Linux, etc.)
- Use strong passwords and set a password policy
- Only activate the features you need. Each feature is a potential security vulnerability. If the feature is turned off, it can't be used (starting in 1.9.11).
- If you are using permissions to restrict certain parts of the site, apply the permissions on each item (e.g. wiki page, file gallery, etc.) instead of permissions via categories, because category permissions have had issues in the past. It's a complex feature and it can easily be misconfigured.
- Set up and test a backup procedure
Coming soon
Work is ongoing on the TikiWiki Remote Instance Manager. This will be very useful to manage large numbers of TikiWiki instances.
Click any graph to see details at Secunia.com
4.x
no vulnerability reported as of 2009-12-27
3.x
no vulnerability reported as of 2009-12-27
2.x
1.x