Your message dated Thu, 29 Sep 2005 20:42:40 +0200
with message-id <[EMAIL PROTECTED]>
and subject line Bug#330733: twiki: INCLUDE function allows arbitrary shell command execution
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 29 Sep 2005 15:48:47 +0000
From [EMAIL PROTECTED] Thu Sep 29 08:48:47 2005
Return-path: <[EMAIL PROTECTED]>
Received: from mail.riseup.net [69.90.134.155]
	by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
	id 1EL0eM-0005Tc-00; Thu, 29 Sep 2005 08:48:47 -0700
Received: from localhost (localhost [127.0.0.1])
	by mail.riseup.net (Postfix) with ESMTP id E6CFAA2DF6;
	Thu, 29 Sep 2005 08:48:19 -0700 (PDT)
Received: from mail.riseup.net ([127.0.0.1])
	by localhost (buffy [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id 03753-06; Thu, 29 Sep 2005 08:48:19 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mail.riseup.net (Postfix) with ESMTP id B1271A2D80;
	Thu, 29 Sep 2005 08:48:19 -0700 (PDT)
Received: by pond (Postfix, from userid 1000)
	id 6BDAC3A847; Thu, 29 Sep 2005 11:28:23 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Micah Anderson <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: twiki: INCLUDE function allows arbitrary shell command execution
X-Mailer: reportbug 3.17
Date: Thu, 29 Sep 2005 11:28:23 -0400
X-Debbugs-Cc: Debian Security Team <[EMAIL PROTECTED]>
Message-Id: <[EMAIL PROTECTED]>
X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at riseup.net
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-11.0 required=4.0 tests=BAYES_00,HAS_PACKAGE,
	X_DEBBUGS_CC autolearn=ham version=2.60-bugs.debian.org_2005_01_02

Package: twiki
Version: 20040902-3
Severity: grave
Tags: security
Justification: user security hole

A new security bug in twiki showed up today:
http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithInclude

An attacker is able to execute arbitrary shell commands with the
privileges of the web server process. The TWiki INCLUDE function
enables a malicious user to compose a command line executed by the
Perl backtick (`) operator. The rev parameter of the INCLUDE variable
is not checked properly for shell metacharacters and is thus
vulnerable to revision numbers containing pipes and shell commands.
The exploit is possible on included topics with two or more revisions.

Example INCLUDE variable exploiting the rev parameter:

    %INCLUDE{ "Main.TWikiUsers" rev="2|less /etc/passwd" }%

The same vulnerability is exposed to all Plugins and add-ons that use
the TWiki::Func::readTopicText function to read a previous topic
revision. This has been tested on TWiki:Plugins.RevCommentPlugin and
TWiki:Plugins.CompareRevisionsAddon.

If access to TWiki is not restricted by other means, attackers can use
the revision function with or without prior authentication, depending
on the configuration.

The Common Vulnerabilities and Exposures project has assigned the name
CAN-2005-3056 to this vulnerability. Please include this number in any
changelogs fixing this.

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.8-2-k7
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

---------------------------------------
Received: (at 330733-done) by bugs.debian.org; 29 Sep 2005 18:43:15 +0000
From [EMAIL PROTECTED] Thu Sep 29 11:43:14 2005
Return-path: <[EMAIL PROTECTED]>
Received: from mail.enyo.de [212.9.189.167]
	by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
	id 1EL3NC-0007lz-00; Thu, 29 Sep 2005 11:43:14 -0700
Received: from deneb.vpn.enyo.de ([212.9.189.177] helo=deneb.enyo.de)
	by albireo.enyo.de with esmtp id 1EL3N7-0004Vk-Pq;
	Thu, 29 Sep 2005 20:43:09 +0200
Received: from fw by deneb.enyo.de with local (Exim 4.52)
	id 1EL3Me-00069B-8z; Thu, 29 Sep 2005 20:42:40 +0200
From: Florian Weimer <[EMAIL PROTECTED]>
To: Micah Anderson <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Subject: Re: Bug#330733: twiki: INCLUDE function allows arbitrary shell command execution
References: <[EMAIL PROTECTED]>
Date: Thu, 29 Sep 2005 20:42:40 +0200
In-Reply-To: <[EMAIL PROTECTED]> (Micah Anderson's message of
	"Thu, 29 Sep 2005 11:28:23 -0400")
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
	autolearn=no version=2.60-bugs.debian.org_2005_01_02

* Micah Anderson:

> A new security bug in twiki showed up today:
> http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithInclude

This bug has already been fixed in Debian version 20040902-2, as far as
I know.

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
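The bug class the report describes (an untrusted INCLUDE rev value interpolated into a Perl backtick command line, so the shell sees the `|` in `2|less /etc/passwd`) beside a hardened form, as an added illustration that is not TWiki's code and not part of the thread above. The `co -q -p -rREV FILE` checkout command, the function names, and the assumption that a valid revision looks like `2` or `1.3` (digits and dots only) are stand-ins chosen for the example; TWiki's actual RCS wrapper and its fix are not reproduced here.

```perl
#!/usr/bin/perl
# Added example, not TWiki code: the vulnerable backtick pattern beside a
# hardened replacement. The 'co' command line and revision syntax are
# assumptions made for this illustration.
use strict;
use warnings;

# Constructed attacker-controlled input, the value of rev="..." in the
# INCLUDE variable from the report.
my $rev_attack = '2|less /etc/passwd';

# VULNERABLE: $rev is interpolated into a single string handed to the
# backtick operator. Perl passes a string containing metacharacters to
# /bin/sh, which runs 'less /etc/passwd' as the web server user.
sub read_revision_vulnerable {
    my ( $file, $rev ) = @_;
    my $cmd = "co -q -p -r$rev $file";    # hypothetical RCS checkout
    return `$cmd`;                        # shell parses the '|'
}

# HARDENED, step 1: allow-list the parameter. Only digits and dots are
# accepted; the captured group is returned so the result is also clean
# under perl -T (taint mode), which would otherwise refuse the backtick.
sub validate_rev {
    my ($rev) = @_;
    return undef unless defined $rev && $rev =~ /^([0-9]+(?:\.[0-9]+)*)$/;
    return $1;
}

# HARDENED, step 2: never let a shell see the command. The list form of
# open('-|', LIST) with more than one element execs the program directly
# with the given argv, so a '|' or ';' in $rev would be just bytes in one
# argument, and validate_rev has already rejected it anyway.
sub read_revision_safe {
    my ( $file, $rev ) = @_;
    my $clean = validate_rev($rev);
    die "invalid revision: $rev\n" unless defined $clean;
    open( my $fh, '-|', 'co', '-q', '-p', "-r$clean", $file )
        or die "cannot run co: $!\n";
    local $/;    # slurp
    my $text = <$fh>;
    close $fh;
    return $text;
}

# Demonstration of the allow-list on constructed inputs; the vulnerable
# function is deliberately not called here, since it would run the payload.
for my $r ( '2', '1.3', $rev_attack, '2;id', '' ) {
    my $clean = validate_rev($r);
    printf "%-22s => %s\n", "'$r'",
        defined $clean ? "accepted as $clean" : 'rejected';
}
```

Two points worth keeping in mind when reviewing a fix of this kind: stripping or escaping individual characters (`|`, `;`, backticks) is weaker than an allow-list, because the shell has more metacharacters than most escape tables cover; and moving from a backtick string to the list form of `open`/`system` removes the shell from the path entirely, so the command's own argument parsing is the only thing left to reason about. Running the CGI under `perl -T` would also have converted this bug from silent command execution into an "Insecure dependency" error, which is a cheap defence in depth for any Perl web code that shells out.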