[Original text] Directory traversal vulnerability in the map feature (tiki-map.phtml) in Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allows remote attackers to determine the existence of arbitrary files via .. (dot dot) sequences in the mapfile parameter.
Multiple vulnerabilities have been identified in various modules of the application. These vulnerabilities may allow a remote attacker to carry out various attacks such as path disclosure, cross-site scripting, HTML injection, SQL injection, directory traversal, and arbitrary file upload.
TikiWiki contains a flaw that allows a remote attacker to verify the existence of files or directories outside of the web path. The issue is due to the "tiki-map.phtml" script not properly sanitizing user input, specifically traversal-style sequences (../../) supplied via the "mapfile" variable.
Upgrade to version 1.8.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
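The kind of check whose absence is described above, sketched in PHP as an added example; it is not TikiWiki's code and not the 1.8.2 fix. The function names, the `.map` suffix allowlist and the temporary directory layout are assumptions made for illustration.

```php
<?php
// Added example: hypothetical handler logic, not TikiWiki source code.

// Resolve a user-supplied "mapfile" value to a file inside $baseDir.
// Returns the canonical path, or null for every kind of failure.
function resolve_mapfile(string $name, string $baseDir): ?string
{
    // Accept a bare file name only; the ".map" suffix is an assumed allowlist.
    if (!preg_match('/\A[A-Za-z0-9_-][A-Za-z0-9_.-]*\.map\z/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses ".." and symlinks, and returns false if the file is missing.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

// One response for "rejected", "outside the base" and "not found", so the
// reply cannot be used to test whether a path exists.
function handle_request(array $query, string $baseDir): array
{
    $name = $query['mapfile'] ?? null;
    $path = is_string($name) ? resolve_mapfile($name, $baseDir) : null;
    return $path === null ? [404, 'Map not found'] : [200, basename($path)];
}

// Constructed sample data: a maps directory with one map, plus a file beside it.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'mapdemo_' . getmypid();
$maps = $root . DIRECTORY_SEPARATOR . 'maps';
mkdir($maps, 0700, true);
file_put_contents($maps . DIRECTORY_SEPARATOR . 'world.map', "MAP\nEND\n");
file_put_contents($root . DIRECTORY_SEPARATOR . 'outside.txt', "x");

foreach (['world.map', 'absent.map', '../outside.txt', '../missing.txt'] as $value) {
    [$status, $body] = handle_request(['mapfile' => $value], $maps);
    printf("%-16s -> %d %s\n", $value, $status, $body);
}

unlink($maps . DIRECTORY_SEPARATOR . 'world.map');
unlink($root . DIRECTORY_SEPARATOR . 'outside.txt');
rmdir($maps);
rmdir($root);
```

The containment test after `realpath()` is kept even though the name pattern already excludes separators, because a symlink placed inside the maps directory would otherwise resolve to a file outside it.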