Features / Usability

Forum List Topic List

Security hole: anonymous blog posts

Posted by dcroxton 04 Jun 2008 17:27 GMT-0000 posts: 17

For the past two days, I have been getting new blog posts to my tikiwiki that I didn't put there. The blogs are visible to the public, but owned by my user, and I am the only one with permissions to post. It doesn't seem to be that anyone has cracked my password, because the user field in tiki_blog_posts is null.

I upgraded to 1.9.11 last night, but I got another anonymous blog post today just after noon.

I may be doing something stupid to leave this hole open; feel free to check out my site (oxenstierna.homelinux.net) to see if there are any obvious exploits that I could close. If there aren't, what can I do about this? I have disabled comments and trackback pings, which had also been giving me trouble (but for reasons that were perfectly clear). I don't know what else to try.

Sincerely,
Derek

Reads: 955

Posted by Rick Sapir / Tiki for Smarties 04 Jun 2008 18:31 GMT-0000 posts: 3665 United States

It appears that you've given tiki_p_blog_post to Anonymous. I can tell, because as an anonymous visitor, I have access to the Blog > Post menu item

See the docs for details.

HTH,

-Rick
Need more help? Try TikiWiki for ~~Dummies~~ Smarties or read my Tiki Blog or visit my UserPage

Posted by dcroxton 04 Jun 2008 18:51 GMT-0000 posts: 17

Thanks, that was obviously stupid on my part. Not something I think I would have done on purpose, but I must have overlooked it (probably when I was allowing anonymous comments).

Sincerely,
Derek

Jump to forum:

Features / Usability

Security hole: anonymous blog posts

About Tiki

Support

Community

Documentation

Development

Legal

Tiki Project Sites

Networks

Navigation and related functionality and content

Related content

Custom Share Module 0.1dev

Features / Usability

Thread actions