Tiki Wiki CMS: Arbitrary File Download
Description
Tiki Wiki CMS versions prior to 12.8, 14.3, and 15.1 contain a path traversal vulnerability in the vendor/player/flv/flv_stream.php file. The script does not sanitize its file path parameters, so an unauthenticated remote attacker can make it return arbitrary files from the web server, bypassing the intended access controls and exposing any file the web server process can read.
Remediation
Immediately upgrade Tiki Wiki CMS to a patched version: 12.8, 14.3, 15.1, or later. To remediate this vulnerability:
1. Back up your current Tiki Wiki installation and database
2. Download the appropriate patched version from the official Tiki Wiki website
3. Follow the official upgrade documentation for your version path
4. After upgrading, verify that vendor/player/flv/flv_stream.php has been patched or removed
5. Review web server logs for any suspicious file access attempts to identify potential compromise
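An added example for step 5 (not part of this advisory or of Tiki): a small Python scanner that parses combined-format access-log lines, percent-decodes each request target, and flags requests to flv_stream.php whose query string carries a directory-traversal sequence. The log lines, client addresses and the `src` parameter name are constructed for illustration; the advisory does not name the real parameter, so the check inspects the whole query string rather than one field.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2016:12:00:01 +0000] "GET /tiki/vendor/player/flv/flv_stream.php?src=../../../../etc/passwd HTTP/1.1" 200 1432 "-" "curl/7.47.0"
203.0.113.5 - - [10/Mar/2016:12:00:02 +0000] "GET /tiki/vendor/player/flv/flv_stream.php?src=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1432 "-" "curl/7.47.0"
198.51.100.7 - - [10/Mar/2016:12:00:03 +0000] "GET /tiki/vendor/player/flv/flv_stream.php?src=demo.flv HTTP/1.1" 200 88211 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2016:12:00:04 +0000] "GET /tiki/tiki-index.php HTTP/1.1" 200 9040 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
VULN_PATH = "/vendor/player/flv/flv_stream.php"   # path named in the advisory
TRAVERSAL = re.compile(r'\.\.(?:[/\\]|$)')         # "../", "..\" or trailing ".."


def decode_fully(s, rounds=3):
    """Percent-decode repeatedly so double-encoded sequences (e.g. %252e) are caught."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def find_traversal_requests(log_text):
    """Return one dict per request to the vulnerable script whose (decoded)
    query string contains a traversal sequence. A 200 status on such a
    request suggests the file was actually served and merits investigation."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not in this format
        target = decode_fully(m.group("target"))
        path, _, query = target.partition("?")
        if not path.endswith(VULN_PATH):
            continue                      # only the vulnerable script is of interest
        if TRAVERSAL.search(query):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "status": m.group("status"), "target": target})
    return hits


if __name__ == "__main__":
    for hit in find_traversal_requests(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} status={hit["status"]} {hit["target"]}')
```

Point the function at the real access log of the affected host; requests flagged with status 200 are the ones to treat as potential compromise.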
As a temporary mitigation if immediate patching is not possible, restrict access to the /vendor/player/flv/ directory at the web server level or remove the vulnerable file if FLV streaming functionality is not required.