Package: twiki
Version: 20040902-3
Severity: grave
Tags: security
Justification: user security hole

A new security bug in twiki showed up today:

  http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithInclude

An attacker is able to execute arbitrary shell commands with the privileges of the web server process. The TWiki INCLUDE function enables a malicious user to compose a command line executed by the Perl backtick (`) operator. The rev parameter of the INCLUDE variable is not checked properly for shell metacharacters and is thus vulnerable to revision numbers containing pipes and shell commands. The exploit is possible on included topics with two or more revisions.

Example INCLUDE variable exploiting the rev parameter:

  %INCLUDE{ "Main.TWikiUsers" rev="2|less /etc/passwd" }%

The same vulnerability is exposed to all Plugins and add-ons that use the TWiki::Func::readTopicText function to read a previous topic revision. This has been tested on TWiki:Plugins.RevCommentPlugin and TWiki:Plugins.CompareRevisionsAddon.

If access to TWiki is not restricted by other means, attackers can use the revision function with or without prior authentication, depending on the configuration.

The Common Vulnerabilities and Exposures project has assigned the name CAN-2005-3056 to this vulnerability. Please include this number in any changelogs fixing this.

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.8-2-k7
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
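An added illustration in Perl (not TWiki's code and not part of this report) of the check the report calls for: the rev value must be a plain integer before it is used, and the revision-control tool should be invoked in list form so no shell ever parses it. The RCS "co" command line, the helper names and the file path are assumptions, not TWiki's actual implementation.

```perl
#!/usr/bin/perl
# Added example, not TWiki's own code. The flaw described in the report is a
# revision number interpolated into a command string that a shell then parses,
# so a value like "2|less /etc/passwd" becomes a second command. The fix has
# two parts: accept only an integer revision, and never go through a shell.
use strict;
use warnings;

# Accept digits only. \A and \z (rather than ^ and $) also reject a trailing
# newline, which a shell would otherwise treat as a command separator.
sub sanitize_rev {
    my ($rev) = @_;
    return undef unless defined($rev) && $rev =~ /\A(\d{1,9})\z/;
    return $1;
}

# Build the argument list for reading one revision. Assumption: the store is
# RCS, so a revision is fetched with "co -p -r1.N FILE" (illustrative only).
# With the list form of open()/system(), every element is passed straight to
# the program; a pipe character inside $rev can no longer start a command.
sub revision_command {
    my ($file, $rev) = @_;
    my $clean = sanitize_rev($rev);
    die "invalid revision '$rev'\n" unless defined $clean;
    return ('co', '-p', "-r1.$clean", $file);
}

# Constructed inputs: the payload quoted in the advisory beside benign and
# near-miss values. The topic path is a constructed placeholder.
for my $rev ("2", "2|less /etc/passwd", "3; id", "7\n", "") {
    my $shown = $rev;
    $shown =~ s/\n/\\n/g;
    my @cmd = eval { revision_command('data/Main/TWikiUsers.txt', $rev) };
    printf "rev=\"%-22s %s\n", "$shown\"", @cmd ? "ok: @cmd" : "rejected";
}

# Once the argument list is validated, read the revision without a shell:
#   open(my $fh, '-|', @cmd) or die "co: $!";
```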

