Excellent.

Micah, did you manage to reproduce this in the Debian package at all?

You see, the Debian package is significantly more secure than the
upstream version, and as you've marked it as grave, I presume that you
have found a way to make it happen. (as when I had a go, I did not get
the exploit (I got an unhelpful, but correct error message "invalid
number argument at /usr/share/perl5/TWiki.pm line 3339."))

Could you please either tell me how to reproduce the problem in the
current Debian package, or close it?

Cheers

Sven

Micah Anderson wrote:
> Package: twiki
> Version: 20040902-3
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> A new security bug in twiki showed up today:
> http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithInclude
> 
> An attacker is able to execute arbitrary shell commands with the
> privileges of the web server process. The TWiki INCLUDE function
> enables a malicious user to compose a command line executed by the
> Perl backtick (`) operator.
> 
> The rev parameter of the INCLUDE variable is not checked properly for
> shell metacharacters and is thus vulnerable to revision numbers
> containing pipes and shell commands. The exploit is possible on
> included topics with two or more revisions.
> 
> Example INCLUDE variable exploiting the rev parameter:
> %INCLUDE{ "Main.TWikiUsers" rev="2|less /etc/passwd" }%
> 
> The same vulnerability is exposed to all Plugins and add-ons that use
> TWiki::Func::readTopicText function to read a previous topic revision.
> This has been tested on TWiki:Plugins.RevCommentPlugin and
> TWiki:Plugins.CompareRevisionsAddon.
> 
> If access to TWiki is not restricted by other means, attackers can use
> the revision function with or without prior authentication, depending
> on the configuration. 
> 
> The Common Vulnerabilities and Exposures project has assigned the name
> CAN-2005-3056 to this vulnerability. Please include this number in any
> changelogs fixing this.
> 
> 
> -- System Information:
> Debian Release: testing/unstable
>   APT prefers testing
>   APT policy: (990, 'testing'), (500, 'unstable')
> Architecture: i386 (i686)
> Shell:  /bin/sh linked to /bin/bash
> Kernel: Linux 2.6.8-2-k7
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> 
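
The defensive pattern for the flaw described in the quoted report, as an added example that is not code from TWiki, the Debian package, or either poster: validate the revision as a number and build the command as an argument list so that no shell parses it. The helper names, the `co` invocation and the file path are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper, not TWiki code: accept a revision only when it is a
# plain positive integer, optionally written in the RCS "1.N" form.
# Returns N, or undef for anything else.
sub clean_rev {
    my ($rev) = @_;
    return undef unless defined $rev;
    # \A and \z anchor the whole string; unlike $, \z does not tolerate a
    # trailing newline.
    return $1 if $rev =~ /\A(?:1\.)?([1-9][0-9]{0,8})\z/;
    return undef;
}

# Build the checkout command as an argument list. Handed to the list form
# of system() or open(), the list goes straight to exec() with no shell in
# between, so no argument is ever parsed for metacharacters.
sub checkout_argv {
    my ($rev, $file) = @_;
    my $n = clean_rev($rev);
    die "invalid revision argument\n" unless defined $n;
    return ('co', '-q', "-p1.$n", $file);    # assumed RCS invocation
}

# Constructed inputs; the third is the rev value quoted in the report.
my $file = 'data/Main/TWikiUsers.txt,v';     # constructed path
for my $rev ('2', '1.3', '2|less /etc/passwd', '', '0', "2\n") {
    my @argv = eval { checkout_argv($rev, $file) };
    (my $shown = $rev) =~ s/\n/\\n/g;
    printf "%-22s %s\n", "'$shown'", @argv ? "argv: @argv" : 'rejected';
}
```

Only `2` and `1.3` produce an argument list; the other four inputs are rejected before any command is built.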


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Reply via email to