diff -u tikiwiki-1.9.7+dfsg/debian/changelog tikiwiki-1.9.7+dfsg/debian/changelog
--- tikiwiki-1.9.7+dfsg/debian/changelog
+++ tikiwiki-1.9.7+dfsg/debian/changelog
@@ -1,3 +1,24 @@
+tikiwiki (1.9.7+dfsg-2ubuntu1.2) gutsy-security; urgency=low
+
+ * SECURITY UPDATE: (LP: #180702)
+ + CVE 2007-6526: Cross-site scripting (XSS) vulnerability in tiki-special_chars.php
+ in TikiWiki before 1.9.9 allows remote attackers to inject arbitrary web script or
+ HTML via the area_name parameter.
+ + CVE 2007-6528: Directory traversal vulnerability in tiki-listmovies.php in TikiWiki
+ before 1.9.9 allows remote attackers to read arbitrary files via a .. (dot dot) and
+ modified filename in the movie parameter.
+ + CVE 2007-6529: Multiple unspecified vulnerabilities in TikiWiki before 1.9.9 have
+ unknown impact and attack vectors involving tiki-edit_css.php,
+ tiki-g-admin_shared_source.php.
+ * debian/patches/91_CVE-2007-6526_CVE-2007-6528_CVE-2007-6529.dpatch
+ - Applied patch by upstream
+ * References
+ - CVE-2007-6526
+ - CVE-2007-6528
+ - CVE-2007-6529
+
+ -- Emanuele Gentili Sun, 17 Feb 2008 17:44:04 +0100
+
 tikiwiki (1.9.7+dfsg-2ubuntu1.1) gutsy-security; urgency=low
 
 * SECURITY UPDATE: (LP: #163833)
diff -u tikiwiki-1.9.7+dfsg/debian/patches/00list tikiwiki-1.9.7+dfsg/debian/patches/00list
--- tikiwiki-1.9.7+dfsg/debian/patches/00list
+++ tikiwiki-1.9.7+dfsg/debian/patches/00list
@@ -3,0 +4 @@
+91_CVE-2007-6526_CVE-2007-6528_CVE-2007-6529.dpatch
only in patch2:
unchanged:
--- tikiwiki-1.9.7+dfsg.orig/debian/patches/91_CVE-2007-6526_CVE-2007-6528_CVE-2007-6529.dpatch
+++ tikiwiki-1.9.7+dfsg/debian/patches/91_CVE-2007-6526_CVE-2007-6528_CVE-2007-6529.dpatch
@@ -0,0 +1,71 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 91_CVE-2007-6526_CVE-2007-6528_CVE-2007-6529.dpatch by
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad tikiwiki-1.9.7+dfsg~/tiki-edit_css.php tikiwiki-1.9.7+dfsg/tiki-edit_css.php
+--- tikiwiki-1.9.7+dfsg~/tiki-edit_css.php 2008-02-17 17:32:32.000000000 +0100
++++ tikiwiki-1.9.7+dfsg/tiki-edit_css.php 2008-02-17 17:42:02.000000000 +0100
+@@ -71,8 +71,8 @@
+ if (!isset($_REQUEST["try"]))
+ $_REQUEST["try"] = '';
+ 
+-$editstyle = $_REQUEST["editstyle"];
+-$styledir = TIKI_STYLES_PATH;
++$editstyle = preg_replace("/[^-_a-z\d]/i","",$_REQUEST["editstyle"]);
++$styledir = "styles";
+ 
+ if (isset($_REQUEST["edit"])and $_REQUEST["edit"]) {
+ $action = 'edit';
+diff -urNad tikiwiki-1.9.7+dfsg~/tiki-g-admin_shared_source.php tikiwiki-1.9.7+dfsg/tiki-g-admin_shared_source.php
+--- tikiwiki-1.9.7+dfsg~/tiki-g-admin_shared_source.php 2006-09-03 18:32:29.000000000 +0200
++++ tikiwiki-1.9.7+dfsg/tiki-g-admin_shared_source.php 2008-02-17 17:43:15.000000000 +0100
+@@ -78,6 +78,11 @@
+ //First of all save
+ if (isset($_REQUEST['source'])) {
+ check_ticket('g-admin-shared-source');
++ if (!isset($_REQUEST['source_name']) or !preg_match('#^lib/Galaxia/processes/'.preg_quote($procname,'#').'/code/(templates/|activities/|)[0-9A-Za-z_]+(.php|.tpl)$#',$_REQUEST['source_name']))) {
++ $smarty->assign('msg', tra("Invalid source path"));
++ $smarty->display("error.tpl");
++ die;
++ }
+ $fp = fopen($_REQUEST['source_name'], "w");
+ 
+ fwrite($fp, $_REQUEST['source']);
+diff -urNad tikiwiki-1.9.7+dfsg~/tiki-listmovies.php tikiwiki-1.9.7+dfsg/tiki-listmovies.php
+--- tikiwiki-1.9.7+dfsg~/tiki-listmovies.php 2006-09-02 17:50:30.000000000 +0200
++++ tikiwiki-1.9.7+dfsg/tiki-listmovies.php 2008-02-17 17:40:27.000000000 +0100
+@@ -14,7 +14,7 @@
+ }
+ 
+ // Get the page from the request var or default it to HomePage
+-if(isset($_GET["movie"])) {
++if 
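Review bot: The new `$editstyle` line still dereferences `$_REQUEST["editstyle"]` with no `isset()` guard, so a request without that parameter raises an undefined-index notice and `preg_replace` runs on null; the `try` parameter two lines above is guarded, so do the same here: `$editstyle = isset($_REQUEST["editstyle"]) ? preg_replace("/[^-_a-z\d]/i", "", $_REQUEST["editstyle"]) : '';`. The whitelist also rewrites rather than rejects — `../../etc/passwd` quietly becomes `etcpasswd` — which does stop traversal but hides tampering; a `preg_match` that refuses the request would make the intent clearer. Separately, replacing `TIKI_STYLES_PATH` with the literal `"styles"` is not part of the sanitisation and silently changes which directory is used if the constant was ever set to anything else; if that is a deliberate backport adjustment it deserves a comment saying so. How `$editstyle` and `$styledir` are later combined into a path is outside this hunk, so whether the character class is sufficient for that file access cannot be confirmed here.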
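Review bot: As printed, the added `if` line closes three parentheses after the final `$_REQUEST['source_name']` while only two are open (`if (` and `preg_match(`), which is a PHP parse error that would take the whole admin page down rather than reject one request; if this is not a transcription artefact, drop one `)`. The pattern is also looser than it looks: the dots in `(.php|.tpl)` are unescaped, and `$` without the `D` modifier matches before a trailing newline, so a name ending in `Xphp\n` passes; ending the pattern with `[0-9A-Za-z_]+\.(php|tpl)\z#'` closes both. `$procname` is defined outside this hunk, so the directory prefix is only as trustworthy as whatever validates it there, and the following `fopen()` still ignores a false return before `fwrite()` (pre-existing, but now the only failure path left after the check).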
(isset($_GET["movie"]) and in_array($_GET['movie'],$movies)) {
+ $movie = $_GET["movie"];
+ } else {
+ $movie = "";
+diff -urNad tikiwiki-1.9.7+dfsg~/tiki-special_chars.php tikiwiki-1.9.7+dfsg/tiki-special_chars.php
+--- tikiwiki-1.9.7+dfsg~/tiki-special_chars.php 2006-08-05 00:53:37.000000000 +0200
++++ tikiwiki-1.9.7+dfsg/tiki-special_chars.php 2008-02-17 17:39:33.000000000 +0100
+@@ -153,6 +153,7 @@
+ 
+ 
+ 
++ 
+ 
+ 
+ 
+@@ -161,9 +162,10 @@
+ 
+ 
+ 
++ 
+ 
+ ').value=window.opener.document.getElementById('').value+getElementById('spec').value;" name="ins" value="ins" />
++onclick="javascript:window.opener.document.getElementById('').value=window.opener.document.getElementById('').value+getElementById('spec').value;" name="ins" value="ins" />
+ 
+
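Review bot: The new whitelist calls `in_array` with loose comparison, so PHP's type-juggling `==` applies (`'1e1' == '10'` is true, for example) and a value that is not literally in the list can still pass and then be used verbatim on the next line; since `$_GET['movie']` is a string compared against what should be exact names, pass the strict flag: `if (isset($_GET["movie"]) and in_array($_GET["movie"], $movies, true)) {`. `$movies` is populated outside this hunk, so the check is only as good as how that list is built — if it comes from a directory listing, confirm it holds bare names rather than paths. The comment above the condition, `Get the page from the request var or default it to HomePage`, is copied from the wiki page handler and no longer describes this code; `// Only accept a movie name that appears in the known list` would be accurate.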