Known Issues of TWiki Production Release 01-Feb-2003
These are known issues of the TWikiRelease01Feb2003. This is a production-ready release suitable for all TWiki servers. It had a code name of BeijingRelease.
- Security Alert: Secure webserver to prevent script execution of uploaded files (CVE-2006-3336)
- Security Alert: TWiki INCLUDE function allows DoS attack on itself
- Security Alert: TWiki INCLUDE function allows arbitrary shell command execution
- Security Alert: TWiki history function allows arbitrary shell command execution
- Security Alert: TWiki search function allows arbitrary shell command execution
- Security alert: A registered TWiki user may gain admin rights by manipulating the TWikiUsers topic.
- Security alert: Meta characters can be passed through to the shell when attaching files, potentially allowing the execution of arbitrary shell commands
- Security alert: User could gain view access rights of another user
- Security audit: TWiki Preferences need to be secured properly
- Apache 2.0 fixes needed
- Perl 5.8 updates needed
- MonthOutOfRangeWithRcsLite
  - Fix available - note that RcsLite (all-Perl RCS implementation) is not recommended for production use yet
  - Please log any RcsLite bugs to BugReports as normal
- ExtraneousLineInHttpHeader
  - Fix available - without this, pages can get truncated by a couple of characters, causing authentication and other problems with IE5 and IE6
- ScriptToCreateNewWebWithAttachments - feature postponed
  - Right now the attachments will have to be checked and moved manually.
- Uppercase header HTML tags are not excluded from the %TOC% variable as was the case with the previous TWiki release.
- Revised logo not included yet
- BuiltinWebPluralisationWithI18N - topics in built-in webs do not have proper pluralisation when using InternationalisationEnhancements
- SiteMapIsSlow - accessing WebHome takes about twice as long as other topics, due to SiteMap
- BugWebHomeNotCalledHomePageInDocs
  - Workaround available - if you rename WebHome to something else (such as HomePage), the documentation no longer matches your install, because the documentation/default install contains lots of links to WebHome rather than %HOMETOPIC%. This can be easily fixed after install (see bug page for details).
- MinorBugs
  - Fix available for poor formatting by OperaBrowser of WebChanges and other inline searches, and problem using Change Properties from Safari browser
It's also worth checking BugReports, which lets you track open, assigned and resolved bugs. Many bugs are quite rare, and of course there may already be a fix.
FeedbackOnKnownIssuesOfTWiki01Feb2003
-- PeterThoeny - 12 Jan 2003
I've fixed the 'pay attention to permissions' line in the TWikiUpgradeGuide for $TWIKIROOT/lib, as per ChristianFroehler's comment on FeedbackOnKnownIssuesOfTWiki01Feb2003 - the previous command actually broke TWiki installations by setting the wrong lib directory permissions. If you are using this upgrade guide and are about to do a chmod command, be sure to use the online version at TWiki.org to pick up this change.

-- RichardDonkin - 02 May 2003
Just out of curiosity, how will people requesting source for TWikiRelease01Feb2003 be made aware of the security issue?

-- SamHasler - 21 Oct 2003
The KnownIssuesOfTWiki01Feb2003 link was communicated by e-mail when the download form was active; now it is listed in the page where the TWiki package can be downloaded.

-- PeterThoeny - 26 Oct 2003
Topic revision: r37 - 05 Jul 2006 - 13:33:17 - PeterThoeny