
Security Alert: Viewfile script allows view of arbitrary files (CVE-2006-4294)

ALERT! Please join the twiki-announce list: To get immediate alerts of high priority security issues, please join the low-volume twiki-announce list - details at TWikiAnnounceMailingList.

This advisory alerts you of a potential security issue with your TWiki installation: Unauthorized users may view arbitrary files of the server file system with the viewfile script.

Vulnerable Software Version

Attack Vectors

Supply a specially crafted HTTP POST request on the TWiki viewfile script.


An intruder is able to view arbitrary files on the server file system that are readable by the webserver user, such as user nobody or wwwrun. The server can potentially be exploited by reading system files such as /etc/passwd.
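
The following script is an added example for defenders and is not part of this advisory or of TWiki itself: it scans web-server access log lines for viewfile requests whose filename parameter contains a path separator or a bare "..", decoding %XX escapes first so an encoded separator is not missed. Only GET query strings reach the access log; the POST body named above as the attack vector does not, so this check complements the server-side fix rather than replacing it. The log lines, client addresses and attachment names are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not part of the TWiki advisory: flag viewfile requests
# whose 'filename' parameter tries to leave the attachment directory.
# Log lines below are constructed, not taken from a real server.
use strict;
use warnings;

# Undo %XX escapes so encoded separators (%2F, %2E%2E) are seen as well.
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Return the decoded filename value when a viewfile request carries a
# path separator or a bare "..", otherwise undef.
sub suspicious_viewfile_request {
    my ($line) = @_;
    # Apache combined log request field: "METHOD /path?query HTTP/1.x"
    return undef unless $line =~ m{"(?:GET|POST)\s+(\S*/viewfile\S*)\s+HTTP/};
    my $url = $1;
    return undef unless $url =~ /[?;&]filename=([^&;\s"]*)/;
    my $name = url_decode(url_decode($1));   # two passes: catches %252F too
    return $name if $name =~ m{[/\\]};
    return $name if $name eq '..';
    return undef;
}

# Constructed sample lines: two traversal attempts (plain and encoded),
# one legitimate attachment download, one unrelated page view.
my @constructed_log = (
    '203.0.113.5 - - [07/Sep/2006:10:00:01 +0000] "GET /bin/viewfile/TWiki/TWikiDocGraphics?rev=1;filename=../../../../../etc/passwd HTTP/1.1" 200 1843 "-" "curl/7.15"',
    '203.0.113.5 - - [07/Sep/2006:10:00:02 +0000] "GET /bin/viewfile/TWiki/TWikiDocGraphics?rev=1;filename=%2e%2e%2F%2e%2e%2Fetc%2Fpasswd HTTP/1.1" 200 1843 "-" "curl/7.15"',
    '198.51.100.7 - - [07/Sep/2006:10:00:03 +0000] "GET /bin/viewfile/TWiki/TWikiDocGraphics?rev=1;filename=wip.gif HTTP/1.1" 200 522 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [07/Sep/2006:10:00:04 +0000] "GET /bin/view/Main/WebHome HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
);

my $hits = 0;
for my $line (@constructed_log) {
    my $name = suspicious_viewfile_request($line);
    next unless defined $name;
    $hits++;
    my ($client) = $line =~ /^(\S+)/;
    print "ALERT client=$client filename=$name\n";
}
print "$hits suspicious viewfile request(s) in ", scalar(@constructed_log), " lines\n";
```

Run against a real access log with a loop over <STDIN> instead of the constructed array; the first two constructed lines are reported, the other two are not. A 200 status on a reported line means the request was served and the named file should be treated as disclosed.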

Severity Level

The TWiki SecurityTeam triaged this issue as documented in TWikiSecurityAlertProcess and assigned the following severity level:

  • Severity 1 issue: The web server can be compromised

MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name CVE-2006-4294 to this vulnerability.


All TWiki 4.0.x releases do not sanitize the filename parameter of the viewfile script. This can be used to read arbitrary files on the server. For example, http://example.com/bin/viewfile/TWiki/TWikiDocGraphics?rev=1;filename=../../../../../etc/passwd displays the content of the /etc/passwd file in the browser.


  • Restrict access to the TWiki installation.
  • Apply the hotfix indicated below.
  • NOTE: The hotfix is known to prevent the current attacks, but it might not be a complete fix.


The accumulated Hotfix 4 for TWiki-4.0.4 contains an improved version of the View.pm module, fixing the known vulnerability. Hotfix 4 is available at TWiki:Codev.HotFix04x00x04x04. (The fix was first released in Hotfix 3, but because of a major bug in that hotfix we now recommend Hotfix 4.)

If you prefer to fix your TWiki installation immediately, add the line starting with die (marked with + below) to the twiki/lib/TWiki/UI/View.pm file:

Index: View.pm
--- View.pm     (revision 11339)
+++ View.pm     (working copy)
@@ -356,6 +356,7 @@
     my $topic = $session->{topicName};

     my $fileName = $query->param( 'filename' );
+    die "Illegal attachment name" if $fileName =~ m#[/\\]#;

     my $rev = $session->{store}->cleanUpRevID( $query->param( 'rev' ) );
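Review bot: the added check `die "Illegal attachment name" if $fileName =~ m#[/\\]#;` is a denylist of two separator characters, and a bare die in the CGI handler surfaces as a server error rather than a controlled response; this matches the advisory's own note that the hotfix "might not be a complete fix". Consider an allowlist instead (reject anything not matching a plain attachment name such as `^[\w][\w.\-]*$`), guard against an undefined filename parameter, since matching against undef emits a warning under -w, and report the rejection through the script's normal error path (an oops page) so the user sees a proper message instead of a 500.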

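The script below is an added example and not TWiki's own code; it illustrates the unsanitized path construction described in the details above next to the hotfix's separator check and two stricter checks a maintainer would add. The attachment root, web, topic and attachment names are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example, not TWiki's own code: the vulnerable path construction
# described in the advisory, next to three checks that stop it.
# Directory layout and names are assumptions for illustration.
use strict;
use warnings;
use File::Spec;

my $PUB_DIR = '/var/www/twiki/pub';   # assumed attachment root (pub/<web>/<topic>/<file>)

# Vulnerable: the request parameter is spliced into the path unchecked,
# so "../../../../../etc/passwd" walks out of the topic directory.
sub unsafe_attachment_path {
    my ($web, $topic, $filename) = @_;
    return "$PUB_DIR/$web/$topic/$filename";
}

# Check 1, the hotfix's rule: reject names containing a path separator.
sub has_separator {
    my ($filename) = @_;
    return (defined $filename && $filename =~ m{[/\\]}) ? 1 : 0;
}

# Check 2, an allowlist: accept only a plain attachment name. Stricter
# than check 1: it also refuses empty names and "." / "..".
sub is_valid_attachment_name {
    my ($filename) = @_;
    return 0 unless defined $filename && length $filename;
    return 0 if $filename eq '.' || $filename eq '..';
    return $filename =~ /^\w[\w.\-]*$/ ? 1 : 0;
}

# Check 3, defence in depth: after building the path, confirm it still
# lies under the topic's attachment directory. ".." segments are resolved
# lexically so the example runs without the directories existing; on a
# live server use Cwd::realpath on both sides and keep check 2 as well.
sub path_stays_inside {
    my ($base, $path) = @_;
    my @out;
    for my $seg (File::Spec->splitdir(File::Spec->canonpath($path))) {
        if    ($seg eq '..')              { pop @out }
        elsif ($seg ne '.' && $seg ne '') { push @out, $seg }
    }
    my $resolved = '/' . join('/', @out);
    return index($resolved, "$base/") == 0 ? 1 : 0;
}

my ($web, $topic) = ('TWiki', 'TWikiDocGraphics');
my $base = "$PUB_DIR/$web/$topic";
# Constructed inputs: the advisory's traversal string, a bare "..", and
# an ordinary attachment name.
for my $name ('../../../../../etc/passwd', '..', 'wip.gif') {
    my $path = unsafe_attachment_path($web, $topic, $name);
    printf "%-28s separator:%d allowlist:%d inside:%d\n",
        $name, has_separator($name), is_valid_attachment_name($name),
        path_stays_inside($base, $path);
}
```

The traversal string fails all three checks, the bare ".." passes the hotfix's separator check but fails the other two, and the ordinary name passes the allowlist and stays inside the directory. Checks 2 and 3 together are the form to prefer: the allowlist decides what a name may look like, and the containment check proves the final path regardless of how it was built.
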
Authors and Credits

Action Plan with Timeline

| # | Action | Date | Status | Who |
| 1 | User discloses vulnerability to twiki-security | 2006-08-20 | Done | TWiki:Main.MinsungChoi |
| 2 | User discloses vulnerability to twiki-security | 2006-08-28 | Done | TWiki:Main.KoenMartens |
| 3 | Developer verifies issue | 2006-08-22 | Done | PeterThoeny |
| 4 | Developer creates fix, Bugs:Item2806 | 2006-08-22 | Done | CrawfordCurrie |
| 5 | Security team creates advisory | 2006-08-31 | Done | PeterThoeny |
| 6 | Send alert to TWikiAnnounceMailingList and TWikiDevMailingList | 2006-09-05 | Done | PeterThoeny |
| 7 | Developer creates HotFix04x00x04x03 for TWiki 4.0.4 | 2006-09-06 | Done | KennethLavrsen |
| 8 | Publish advisory in Codev web and update all related topics | 2006-09-07 | Done | PeterThoeny |
| 9 | Issue a public security advisory (vuln@secunia.com, cert@cert.org, bugs@securitytracker.com, full-disclosure@lists.netsys.com, vulnwatch@vulnwatch.org) | 2006-09-07 | Done | PeterThoeny |
| 10 | Bugfixed HotFix04x00x04x04 for TWiki 4.0.4 fixes bug introduced in HotFix 3 | 2006-09-14 | Done | KennethLavrsen |

External Links

-- Contributors: PeterThoeny, CrawfordCurrie, KennethLavrsen - 31 Aug 2006


Topic revision: r11 - 2006-11-30 - PeterThoeny