odd,
I'm under the impression that I did respond, and indicated that I don't
see it as a major issue. No one on the security team suggested it was
either, leading me to believe that we had a consensus.
Sven
Olivier Berger wrote:
Package: twiki
Version: 1:4.1.2-3.1
Severity: grave
Tags: security
Justification: user security hole
In the current state of the Debian package, if nothing is changed manually in the
default setup configured by the package, then TWiki's configure script is
easily accessible to unauthorized people, thus exposing (incl. changing it) the
configuration of TWiki. For instance, it would be possible to change settings
which may compromise the wiki's functioning (including commands executed as
www-data).
Full details have already been notified (by me) to the maintainer and the
security team through direct emails.
A proposed patch to address this issue was also provided through direct emails.
Unfortunately, the maintainer seems too busy to be able to acknowledge all that at
the moment.
So I'm filing this ticket so that appropriate measures are taken regarding the
possible inclusion of such a security risk in the coming stable release.
Hope this helps,
Best regards.
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.24-openvz-24-004.1d1-686 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages twiki depends on:
ii apache2.2-common 2.2.8-4 Next generation, scalable, extenda
ii debconf [debconf-2.0] 1.5.22 Debian configuration management sy
pn libalgorithm-diff-perl <none> (no description available)
ii libcgi-session-perl 4.30-1 Persistent session data in CGI app
ii libdigest-sha1-perl 2.11-2+b1 NIST SHA-1 message digest algorith
ii liberror-perl 0.17-1 Perl module for error/exception ha
ii libhtml-parser-perl 3.56-1+b1 A collection of modules that parse
pn liblocale-maketext-lexicon <none> (no description available)
pn libtext-diff-perl <none> (no description available)
ii liburi-perl 1.35.dfsg.1-1 Manipulates and accesses URI strin
ii perl [libmime-base64-perl] 5.10.0-10 Larry Wall's Practical Extraction
ii perl-modules [libnet-perl] 5.10.0-10 Core Perl modules
ii rcs 5.7-23 The GNU Revision Control System
twiki recommends no packages.
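As an added illustration (not the reporter's patch, nor anything shipped by the Debian package), this is the kind of Apache 2.2 fragment an administrator can drop into the TWiki site configuration so that the configure script requires authentication instead of being reachable by anyone. The CGI directory /usr/lib/cgi-bin/twiki, the password file /etc/twiki/htpasswd and the user name "admin" are assumptions, not values taken from the report.

```apache
# Added example, not part of the bug report or the twiki package.
# Assumed: TWiki's CGI scripts live in /usr/lib/cgi-bin/twiki and the
# script to protect is /usr/lib/cgi-bin/twiki/configure.
# Assumed: an htpasswd file at /etc/twiki/htpasswd, created e.g. with
#   htpasswd -c /etc/twiki/htpasswd admin
# and readable only by root and www-data (mode 0640).
<Directory /usr/lib/cgi-bin/twiki>
    # The rest of the TWiki scripts keep whatever access policy the
    # site already uses; only "configure" gets the extra restriction.
    <Files configure>
        AuthType Basic
        AuthName "TWiki configure (administrators only)"
        AuthUserFile /etc/twiki/htpasswd
        # Only the named administrator account may run configure;
        # any other valid user, and all anonymous requests, get 401.
        Require user admin
    </Files>
</Directory>
```

After reloading Apache, an unauthenticated request for /cgi-bin/twiki/configure should return 401 rather than the configuration page; checking that response is a quick way to confirm the restriction is in effect.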