
Bug#499534: twiki: Remote code execution vulnerability.


Brad Krane

Sep 19, 2008, 11:00:21 AM9/19/08
Package: twiki
Version: 1:4.0.5-9.1
Severity: grave
Tags: security
Justification: user security hole


TWiki command execution vulnerability found in current version. US-CERT Vulnerability Note:
http://www.kb.cert.org/vuls/id/362012 and TWiki Security Alert:
http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2008-3195


-- System Information:
Debian Release: 4.0
APT prefers oldstable
APT policy: (500, 'oldstable'), (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-686
Locale: LANG=en_CA, LC_CTYPE=en_CA (charmap=ISO-8859-1)

Versions of packages twiki depends on:
ii apache-common 1.3.34-4.1+etch1 support files for all Apache webse
ii debconf [debconf-2.0] 1.5.11etch2 Debian configuration management sy
ii libalgorithm-diff-perl 1.19.01-2 a perl library for finding Longest
ii libcgi-session-perl 4.14-1 Persistent session data in CGI app
ii libdigest-sha1-perl 2.11-1 NIST SHA-1 message digest algorith
ii liberror-perl 0.15-8 Perl module for error/exception ha
ii libhtml-parser-perl 3.55-1 A collection of modules that parse
ii liblocale-maketext-lexi 0.62-1 Lexicon-handling backends for "Loc
ii libtext-diff-perl 0.35-2 Perform diffs on files and record
ii liburi-perl 1.35-2 Manipulates and accesses URI strin
ii perl [libmime-base64-pe 5.8.8-7etch3 Larry Wall's Practical Extraction
ii perl-modules [libnet-pe 5.8.8-7etch3 Core Perl modules
ii rcs 5.7-18 The GNU Revision Control System

twiki recommends no packages.

-- debconf information excluded

--
To UNSUBSCRIBE, email to debian-bugs-...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org

Nico Golde

Sep 19, 2008, 2:50:08 PM9/19/08
severity 499534 important
thanks

Hi Brad,
* Brad Krane <bjk...@feds.uwaterloo.ca> [2008-09-19 19:18]:


> TWiki command execution vulnerability found in current version. US-CERT Vulnerability Note:
> http://www.kb.cert.org/vuls/id/362012 and TWiki Security Alert:
> http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2008-3195

Downgrading as the access to this script is limited to
localhost on Debian.

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - ni...@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Sven Dowideit

Sep 19, 2008, 9:20:06 PM9/19/08
This is _not_ a grave severity issue in the debian package, specifically
because configure (as mentioned in the advisory) is locked down using
apache to
1 localhost
2 an admin user that is created by the installer.

Sven

--
Consulting wiki Engineer
Sven Dowideit - http://fosiki.com
A WikiRing Partner - http://wikiring.com
Public key -
http://pgp.mit.edu:11371/pks/lookup?search=Sven+Dowideit&op=index&exact=on
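The lockdown Sven describes, written out as an added example (this is not the Debian package's own configuration and not code from the thread): an Apache <Location> block that limits the TWiki configure script to connections from localhost and, on top of that, to an authenticated admin user. The script path /cgi-bin/twiki/configure, the password file /etc/twiki/htpasswd and the user name "admin" are assumptions for illustration; substitute whatever the installer actually created.

```apache
# Added example: restrict TWiki's bin/configure to localhost AND an
# authenticated admin, i.e. the mitigation this bug thread relies on.
# The path, the htpasswd location and the user name are assumptions.
<Location /cgi-bin/twiki/configure>
    # 1. Only accept requests arriving on the loopback interface.
    #    (Apache 1.3/2.0/2.2 syntax; on Apache 2.4 use "Require ip 127.0.0.1"
    #    instead of Order/Deny/Allow.)
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1

    # 2. And require the admin account created at install time.
    AuthType Basic
    AuthName "TWiki configure"
    AuthUserFile /etc/twiki/htpasswd
    Require user admin

    # Both conditions must hold. "Satisfy Any" would let either a local
    # request OR a valid password through on its own; "All" demands both.
    Satisfy All
</Location>
```

After editing, run `apachectl configtest` (or `apache2ctl configtest` on Apache 2) and reload, then verify the policy from both sides: a request for the configure script from another host should get 403 Forbidden, and a request from localhost without credentials should get 401 Authorization Required. Keep in mind this only limits who can reach the script; the package update (4.1.2-5, per later messages in this thread) is still needed to remove the underlying issue.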

Olivier Berger

Sep 20, 2008, 5:10:08 AM9/20/08
On Sat, Sep 20, 2008 at 08:40:02AM +1000, Sven Dowideit wrote:
> This is _not_ a grave severity issue in the debian package, specifically
> because configure (as mentioned in the advisory) is locked down using
> apache to
> 1 localhost
> 2 an admin user that is created by the installer.
>

... well, at least for the version in lenny (4.1.2-4), since we have fixed #485562 previously (I'm glad we did, then ;).

Just my 2 cents.

Best regards,

Nico Golde

Oct 7, 2008, 8:50:10 AM10/7/08
Hi Sven,
* Olivier Berger <olivier...@it-sudparis.eu> [2008-09-20 12:30]:

> On Sat, Sep 20, 2008 at 08:40:02AM +1000, Sven Dowideit wrote:
> > This is _not_ a grave severity issue in the debian package, specifically
> > because configure (as mentioned in the advisory) is locked down using
> > apache to
> > 1 localhost
> > 2 an admin user that is created by the installer.
> >
>
> ... well, at least for the version in lenny (4.1.2-4), since we have fixed #485562 previously (I'm glad we did, then ;).

It would be still nice if this could be fixed... even if
this is not a grave issue.

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - ni...@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.


Moritz Muehlenhoff

Nov 6, 2008, 5:10:27 PM11/6/08
On Tue, Oct 07, 2008 at 02:38:31PM +0200, Nico Golde wrote:
> Hi Sven,
> * Olivier Berger <olivier...@it-sudparis.eu> [2008-09-20 12:30]:
> > On Sat, Sep 20, 2008 at 08:40:02AM +1000, Sven Dowideit wrote:
> > > This is _not_ a grave severity issue in the debian package, specifically
> > > because configure (as mentioned in the advisory) is locked down using
> > > apache to
> > > 1 localhost
> > > 2 an admin user that is created by the installer.
> > >
> >
> > ... well, at least for the version in lenny (4.1.2-4), since we have fixed #485562 previously (I'm glad we did, then ;).
>
> It would be still nice if this could be fixed... even if
> this is not a grave issue.

Sven, what's the status for Lenny?

Cheers,
Moritz

Sven Dowideit

Nov 11, 2008, 7:00:23 PM11/11/08
oh crepe.

I thought we'd dealt with this already, but I was wrong.

looking into it - 4.1.2-5 here we come.

Sven


--
Consulting wiki Engineer
Sven Dowideit - http://fosiki.com
A WikiRing Partner - http://wikiring.com
Public key -
http://pgp.mit.edu:11371/pks/lookup?search=Sven+Dowideit&op=index&exact=on

Sven Dowideit

Nov 11, 2008, 8:10:10 PM11/11/08
I have uploaded an updated 4.1.2-5 with this and a few other things fixed.

I've emailed Ardo asking for sponsorship, but if he's not around, would
appreciate assistance :)

Sven


--
Consulting wiki Engineer
Sven Dowideit - http://fosiki.com
A WikiRing Partner - http://wikiring.com
Public key -
http://pgp.mit.edu:11371/pks/lookup?search=Sven+Dowideit&op=index&exact=on

Ardo van Rangelrooij

Nov 14, 2008, 10:20:14 AM11/14/08
I'll upload it later today.

Thanks,
Ardo

Sven Dowideit wrote:
> I have uploaded an updated 4.1.2-5 with this and a few other things fixed.
>
> I've emailed Ardo asking for sponsorship, but if he's not around, would
> appreciate assistance :)
>
> Sven


--
Ardo van Rangelrooij Debian XML/SGML Group
<ar...@debian.org> <debian-xml...@lists.alioth.debian.org>
http://people.debian.org/~ardo/ http://debian-xml-sgml.alioth.debian.org/
