Known Issues of TWiki 4.0.x Production Releases
These are known issues of TWiki-4.0.0, TWiki-4.0.1, TWiki-4.0.2, TWiki-4.0.3, TWiki-4.0.4, and TWiki-4.0.5, code named DakarRelease.
The latest TWiki release is available at DownloadTWiki.
Security Alerts
- Security Alert L1: Remote Perl code execution with query string to debug TWiki plugins
- Security Alert L1: Apache configuration file upload on TWiki on Windows server
- Security Alert L1: MAKETEXT variable allows arbitrary shell command execution
- Security Alert L3: XSS Vulnerability with topic create and slideshows
- Security Alert L3: XSS Vulnerability with origurl parameter of login script
- Security Alert L3: XSS Vulnerability with rev parameter & login script
- Security Audit L3: Crypt token based fix for cross-site request forgery vulnerability
- Security Alert L2: Cross-site request forgery vulnerability with image tag
- Security Alert L1: TWiki SEARCH variable allows arbitrary shell command execution
- Security Alert L3: Cross-site scripting vulnerability with TWiki URLPARAM variable
- Security Alert L1: Arbitrary Code Execution in Configure Script
- Security Audit L3: Incorrect documentation of permission settings with empty values
- Security Alert L2: Arbitrary code execution in session files (CVE-2007-0669)
- Security Alert L3: Login bypass allows view of access restricted content, on Apache 1.3 only (CVE-2006-6071)
- Security Alert L1: Viewfile script allows view of arbitrary files (CVE-2006-4294)
- Security Alert L1: Configure script allows arbitrary shell command execution (CVE-2006-3819)
- Security Alert L1: Secure webserver to prevent script execution of uploaded files (CVE-2006-3336)
- Security Alert L2: Privilege elevation with crafted registration form (CVE-2006-2942)
- Security Alert L2: TWiki Rdiff and Preview Scripts Ignore Access Control Settings
- Security Alert L2: TWiki INCLUDE function allows DoS attack on itself
Major issues
Minor issues
Hotfixes
Major issues
| Fixed in | Description |
|---|---|
| Hotfix 4.0.4-4 | Bugs:Item2859 - Attachments are named with the full path instead of the filename only when uploading from Internet Explorer (introduced by Hotfix 3) |
| Hotfix 4.0.4-3 | Bugs:Item2806 - SecurityAlert-CVE-2006-4294 - viewfile doesn't follow the rules for mapping attachment names |
| Hotfix 4.0.4-3 | Bugs:Item2714 - TWiki-4.0.0 added the ability to add settings in "More topic actions > Edit Settings", including the ALLOWTOPICVIEW and ALLOWTOPICCHANGE settings. It has recently been discovered that a simple formatted search can reveal the entire content of a topic protected by ALLOWTOPICVIEW in "Edit Settings". If a topic is protected against viewing the old way, by having Set ALLOWTOPICVIEW in the topic text itself, the formatted search feature cannot reveal the content of the protected topic unless you already have read access to the topic. It is OK to hide the setting inside HTML comments. This issue is resolved in Hotfix 3. |
| TWiki Access Control | Bugs:Item2631 - The TWikiAccessControl document describes Apache rewrite rules for securing attachments which are easy to bypass. An updated document with better rewrite rules is now available on TWikiAccessControl. |
| Hotfix 4.0.4-3 | Bugs:Item2631 - Reset Password does not work when $TWiki::cfg{MapUserToWikiName} = 0. |
| Hotfix 4.0.4-2 | Bugs:Item2594 - Hierarchical webs and WEBLIST can make things excruciatingly slow |
| Hotfix 4.0.4-2 | Bugs:Item2669 - Configure robustness update |
| Hotfix 4.0.4-1 | Bugs:Item2595 - Emails are not stored in the user topic when TWiki is set up in a corporate environment |
Minor Issues
| Fixed in | Description |
|---|---|
| TWiki-4.0.4 | Cosmetic issue: Twisty links (such as the "Show attachments" link) are shown underlined, which does not match the rest of the PatternSkin graphical design. An updated PatternSkin CSS file style.css is available for download; it replaces the old file in directory /pub/TWiki/PatternSkin/ |
| TWiki-4.0.4 | The distributed LocalSite.cfg.txt file uses incorrect variable syntax. This file is normally never used for anything: when you run configure the first time, a LocalSite.cfg is created. For those who cannot run configure, a corrected file can be downloaded from the bug report Bugs:Item2558. Do not mistake this file for bin/LocalLib.cfg.txt, which you copy to bin/LocalLib.cfg and edit as part of the installation; that file is OK. |
| TWiki-4.0.4 | Fix potential script error when the attachment twisty is removed. Bugs:Item2568 |
Major issues
| Fixed in | Description |
|---|---|
| TWiki-4.0.2 | Label form field content destroyed in edit-save cycle. Fixed in SVN 8770, Bugs:Item1619 |
| TWiki-4.0.2 | E-mail notification (WebNotify) not working. Reported and fixed in Bugs:Item1654, SVN 8808 |
| TWiki-4.0.2 | Configure script corrupts NameFilter (unmatched bracket in regex). Reported and fixed in Bugs:Item1610, SVN 9162 |
| TWiki-4.0.2 | In PatternSkin, verbatim text and large images make everything wider than the screen. Reported in Bugs:Item1634 and resolved with Bugs:Item1672, SVN 9055 |
| TWiki-4.0.2 | TWikiJavascripts prototype.js causes a crash on Internet Explorer. Reported and fixed in Bugs:Item1649, SVN 8866 |
| TWiki-4.0.2 | Move/rename of attachments not possible; FILENAME and FILEPATH do not show the file name when it contains non-alphanumeric characters. Reported and fixed in Bugs:Item1724, SVN 9093 |
| TWiki-4.0.2 | Simultaneous edit feature is not at all reliable. Reported and fixed in Bugs:Item1897 and Bugs:Item1921, SVN 9417. |
| TWiki-4.0.2 | "History" (rdiff) and WebChanges (changes) bypass access restrictions. Reported and fixed in Bugs:Item1925, SVN 9420. |
| TWiki-4.0.2 | preview and rename bypass access restrictions. Reported and fixed in Bugs:Item1925 and Bugs:Item1935, SVN 9451. |
Bug reports
Please visit Bugs:WebHome to review and report bugs.
--
Contributors: PeterThoeny - 30 Jan 2006
Discussion
EricHanson asked for this topic to be updated for release 4.0.5.
It is updated. The number of fixes on DownloadTWiki is since 4.0.4!
I had counted the number of minor fixes as 23. There are only 21 because the same issues have been fixed twice in two cases.
--
KennethLavrsen - 01 Dec 2006
I untarred TWiki-4.0.5.tgz and, horror of horrors, it had no single root in its directory. It's the first tarball to do this to me in years, and I think it's bad form. Better to give instructions on copying the distribution to the right place than to risk dumping the distro into a directory not meant for it.
--
AndrewKirkpatrick - 02 Jan 2007
Tracked in Bugs:Item3379
--
CrawfordCurrie - 03 Jan 2007