Security Alert: Login bypass allows view of access restricted content (CVE-2006-6071)
| Please join the
| To get immediate alerts of high priority security issues, please join the low-volume
twiki-announce list - details at TWikiAnnounceMailingList
This advisory alerts you of a potential security issue with your TWiki installation: Unauthorized users may view access restricted content with a failed login. This applies only to TWiki installations with sessions enabled using Apache 1.3, not Apache 2.x.
Vulnerable Software Version
An unauthorized user can login by cancelling out of a failed login.
An unauthorized user is able to view content in access restricted topics. Editing topics and attaching files is not impacted.
The TWiki SecurityTeam
triaged this issue as documented in TWikiSecurityAlertProcess
and assigned the following severity level:
- Severity 3 issue: TWiki content or browser is compromised
MITRE Name for this Vulnerability
The Common Vulnerabilities and Exposures project has assigned the name CVE-2006-6071
to this vulnerability.
Your site may be vulnerable if:
- If you have
ErrorDocument 401 set to point to the TWikiRegistration topic (or any other TWiki topic) and
- You are using ApacheLogin with TWiki-4.0 and have sessions enabled, or you are using an earlier TWiki version with SessionPlugin, and
- You are running Apache 1.3
The exploit can be used to view pages protected by TWiki permissions. It does not allow you to to gain write access. You can verify if your site is vulnerable as follows:
- Click the 'Login' link in the left bar
- Enter the login name of a valid user, but an incorrect password.
- Click "Ok"
- If apache re-prompts, enter the same username and password again
- Click "Cancel"
If your site is vulnerable you will be redirected to the TWikiRegistration topic with the valid user apparently logged in (the name appears in the left bar).
- Restrict access to the TWiki installation.
- Apply the hotfix indicated below.
- NOTE: The hotfix is known to prevent the current attacks, but it might not be a complete fix
line in the Apache configuration (
(preferred) change it to point to a static HTML
page. This page can safely contain a link to the TWikiRegistration page. For example,
Your login attempt failed.
Do you want to
<a href="/cgi-bin/view/TWiki/TWikiRegistration">register in TWiki</a>?
as appropriate for your site.)
Authors and Credits
Action Plan with Timeline
-- Contributors: CrawfordCurrie
- 30 Nov 2006