Known Issues of TWiki Production Release 01-Feb-2003
These are the known issues of TWikiRelease01Feb2003. This is a production-ready release suitable for all TWiki servers. Its code name was BeijingRelease.
- Security Audit: Crypt token based fix for cross-site request forgery vulnerability
- Security Alert: Cross-site request forgery vulnerability with image tag
- Security Alert: Secure webserver to prevent script execution of uploaded files (CVE-2006-3336)
- Security Alert: TWiki INCLUDE function allows DoS attack on itself
- Security Alert: TWiki INCLUDE function allows arbitrary shell command execution
- Security Alert: TWiki history function allows arbitrary shell command execution
- Security Alert: TWiki search function allows arbitrary shell command execution
- Security alert: A registered TWiki user may gain admin rights by manipulating the TWikiUsers topic.
- Security alert: Meta characters can be passed through to the shell when attaching files, potentially allowing the execution of arbitrary shell commands
- Security alert: User could gain view access rights of another user
- Security audit: TWiki Preferences need to be secured properly
- Apache 2.0 fixes needed
- Perl 5.8 updates needed
- Fix available - note that RcsLite (all-Perl RCS implementation) is not recommended for production use yet
- Please log any RcsLite bugs to BugReports as normal
- Fix available - without this, pages can get truncated by a couple of characters, causing authentication and other problems with IE5 and IE6
Major Browser Issues
Minor Browser Issues
It's also worth checking BugReports, which lets you track open, assigned and resolved bugs. Many bugs are quite rare, and of course there may already be a fix.
- 12 Jan 2003
I've fixed the 'pay attention to permissions' line in the TWikiUpgradeGuide for $TWIKIROOT/lib, as per ChristianFroehler's comment on FeedbackOnKnownIssuesOfTWiki01Feb2003 - the previous command actually broke TWiki installations by setting the wrong directory permissions. If you are using this upgrade guide and are about to do a command, be sure to use the online version at TWiki.org to pick up this change.
- 02 May 2003
Just out of curiosity, how will people requesting source for TWikiRelease01Feb2003 be made aware of the security issue?
- 21 Oct 2003
link was communicated by e-mail when the download form was active, now it is listed in the page where the TWiki package can be downloaded.
- 26 Oct 2003