r10 - 25 Feb 2007 - 18:31:35 - PeterThoenyYou are here: TWiki > 
Codev Web > KnownIssuesOfTWiki > TWikiSecurityAlerts
Codev Web > KnownIssuesOfTWiki > TWikiSecurityAlertsTags:
TWiki Security Alerts
 Please join thetwiki-announce list: | To get immediate alerts of high priority security issues, please join the low-volume twiki-announce list - details at TWikiAnnounceMailingList |
|---|
- Security Alerts of TWiki 4.2.x Production Releases
- Security Alerts of TWiki 4.1.x Production Releases
- Security Alerts of TWiki 4.0.x Production Releases
- Security Alerts of TWiki Production Release 01-Sep-2004 - 04-Sep-2004
- Security Alerts of TWiki Production Release 01-Feb-2003
- Security Alerts of TWiki Production Release 01 Dec 2001
- Security Alerts of TWiki Production Release 01 Sep 2001
- Security Alerts of TWiki Production Release 01 Dec 2000
- Security Alerts of TWiki Production Release 01 May 2000
- TWiki Security Alert Process
- Discussions
Security Alerts of TWiki 4.2.x Production Releases
None found.- See other KnownIssuesOfTWiki04x02
Security Alerts of TWiki 4.1.x Production Releases
- Security Audit: Incorrect documentation of permission settings with empty values
- Suggestion available in SecurityAuditEmptyPermissions
- Security Alert: Arbitrary code execution in session files (CVE-2007-0669)
- Fix available in SecurityAlert-CVE-2007-0669, fixed in TWiki 4.1.1
- See other KnownIssuesOfTWiki04x01
Security Alerts of TWiki 4.0.x Production Releases
- Security Audit: Incorrect documentation of permission settings with empty values
- Suggestion available in SecurityAuditEmptyPermissions
- Security Alert: Arbitrary code execution in session files (CVE-2007-0669)
- Fix available in SecurityAlert-CVE-2007-0669, fixed in TWiki 4.1.1
- Security Alert: Login bypass allows view of access restricted content, on Apache 1.3 only (CVE-2006-6071)
- Fix available in SecurityAlert-CVE-2006-6071
- Security Alert: Viewfile script allows view of arbitrary files (CVE-2006-4294)
- Fix available in SecurityAlert-CVE-2006-4294, fixed in HotFix04x00x04x04 (actually fixed in hotfix 3 but it is buggy)
- Security Alert: Configure script allows arbitrary shell command execution (CVE-2006-3819)
- Fix available in SecurityAlertCmdExecWithConfigure, fixed in HotFix04x00x04x02
- Security Alert: Secure webserver to prevent script execution of uploaded files (CVE-2006-3336)
- Fix available in SecurityAlertSecureFileUploads, fixed in TWikiRelease04x00x04
- Security Alert: Privilege elevation with crafted registration form (CVE-2006-2942)
- Fix available in SecurityAlertTWiki4PrivilegeElevation, fixed in TWikiRelease04x00x03
- Security Alert: TWiki Rdiff and Preview Scripts Ignore Access Control Settings
- Fix available in SecurityAlertTWiki4RdiffPreviewAccess, fixed in TWikiRelease04x00x02
- Security Alert: TWiki INCLUDE function allows DoS attack on itself
- Fix available in SecurityAdvisoryDosAttackWithInclude, fixed in TWikiRelease04x00x02
- See other KnownIssuesOfTWiki04x00x00
Security Alerts of TWiki Production Release 01-Sep-2004 - 04-Sep-2004
- Security Alert: SessionPlugin allows arbitrary code execution in session files (CVE-2007-0669)
- Fix available in SecurityAlert-CVE-2007-0669, fixed in TWiki 4.1.1
- Security Alert: Login bypass allows view of access restricted content, only with SessionPlugin on Apache 1.3 (CVE-2006-6071)
- Fix available in SecurityAlert-CVE-2006-6071
- Security Alert: Secure webserver to prevent script execution of uploaded files (CVE-2006-3336)
- Fix available in SecurityAlertSecureFileUploads, fixed in TWikiRelease04x00x04
- Security Alert: TWiki INCLUDE function allows DoS attack on itself
- Fix available in SecurityAdvisoryDosAttackWithInclude and in TWikiRelease04x00x02
- Security Alert: TWiki INCLUDE function allows arbitrary shell command execution
- Fix available in SecurityAlertExecuteCommandsWithInclude
- Patched production release TWikiRelease04Sep2004 available
- Security Alert: TWiki history function allows arbitrary shell command execution
- Fix available in SecurityAlertExecuteCommandsWithRev
- Patched production release TWikiRelease03Sep2004 available
- Security Alert: TWiki search function allows arbitrary shell command execution
- Fix available in SecurityAlertExecuteCommandsWithSearch
- Patched production release TWikiRelease02Sep2004 available
- Security Audit: Check TWiki Installation for Visible Lib Directories
- Suggestion available in SecurityAuditOnVisibleLibDir
- See other KnownIssuesOfTWiki01Sep2004
Security Alerts of TWiki Production Release 01-Feb-2003
- Security Alert: Secure webserver to prevent script execution of uploaded files (CVE-2006-3336)
- Fix available in SecurityAlertSecureFileUploads, fixed in TWikiRelease04x00x04
- Security Alert: TWiki INCLUDE function allows DoS attack on itself
- Fix available in SecurityAdvisoryDosAttackWithInclude and in TWikiRelease04x00x02
- Security Alert: TWiki INCLUDE function allows arbitrary shell command execution
- Fix available in SecurityAlertExecuteCommandsWithInclude
- Security Alert: TWiki history function allows arbitrary shell command execution
- Fix available in SecurityAlertExecuteCommandsWithRev
- Security Alert: TWiki search function allows arbitrary shell command execution
- Fix available in SecurityAlertExecuteCommandsWithSearch
- Security alert: A registered TWiki user may gain admin rights by manipulating the TWikiUsers topic.
- Fix available in SecurityAlertGainAdminRightWithTWikiUsersMapping
- Security alert: Meta characters can be passed through to the shell when attaching files, potentially allowing the execution of arbitrary shell commands
- Fix available in NoShellCharacterEscapingInFileAttachComment
- Security alert: User could gain view access rights of another user
- Fix available in InsecureViewWithFailedAuthentication
- Security audit: TWiki Preferences need to be secured properly
- Instructions available in SecureTWikiPreferences
- See other KnownIssuesOfTWiki01Feb2003
Security Alerts of TWiki Production Release 01 Dec 2001
- Security Alert: Secure webserver to prevent script execution of uploaded files (CVE-2006-3336)
- Fix available in SecurityAlertSecureFileUploads, fixed in TWikiRelease04x00x04
- Security Alert: TWiki INCLUDE function allows DoS attack on itself
- Fix available in SecurityAdvisoryDosAttackWithInclude and in TWikiRelease04x00x02
- Security Alert: TWiki history function allows arbitrary shell command execution
- Fix available in SecurityAlertExecuteCommandsWithRev
- Security Alert: TWiki search function allows arbitrary shell command execution
- Fix available in SecurityAlertExecuteCommandsWithSearch
- See other KnownIssuesOfTWiki01Dec2001
Security Alerts of TWiki Production Release 01 Sep 2001
- Security Alert: Secure webserver to prevent script execution of uploaded files (CVE-2006-3336)
- Fix available in SecurityAlertSecureFileUploads, fixed in TWikiRelease04x00x04
- Security Alert: TWiki INCLUDE function allows DoS attack on itself
- Fix available in SecurityAdvisoryDosAttackWithInclude and in TWikiRelease04x00x02
- Security Alert: TWiki history function allows arbitrary shell command execution
- Fix available in SecurityAlertExecuteCommandsWithRev
- Security Alert: TWiki search function allows arbitrary shell command execution
- Fix available in SecurityAlertExecuteCommandsWithSearch
- See other KnownIssuesOfTWiki01Sep2001
Security Alerts of TWiki Production Release 01 Dec 2000
- Security Alert: Secure webserver to prevent script execution of uploaded files (CVE-2006-3336)
- Fix available in SecurityAlertSecureFileUploads, fixed in TWikiRelease04x00x04
- Security Alert: TWiki history function allows arbitrary shell command execution
- Fix available in SecurityAlertExecuteCommandsWithRev
- Security Alert: TWiki search function allows arbitrary shell command execution
- Fix available in SecurityAlertExecuteCommandsWithSearch
- FileAttachmentFilterSecurityAlert:
- Files with a
.phpextension attached to a TWiki topic can be executed. This security alert describes how to protect your TWiki installation.
- Files with a
- See other KnownIssuesOfTWiki01Dec2000
Security Alerts of TWiki Production Release 01 May 2000
- Security Alert: TWiki search function allows arbitrary shell command execution
- Fix available in SecurityAlertExecuteCommandsWithSearch
- MajorSecurityProblemWithIncludeFileProcessing:
- It is possible to show the content of system files (i.e. password files) with the
%INCLUDE{"...."}%variable or the template files. The fix prevents this.
- It is possible to show the content of system files (i.e. password files) with the
- See other KnownIssuesOfTWiki01May2000
TWiki Security Alert Process
See TWikiSecurityAlertProcess and SecurityTeam. -- PeterThoeny - 07 Nov 2004Discussions
| NOTE: | Please put any general security questions in the Support web, as support questions. New security holes found should follow the TWikiSecurityAlertProcess, rather than being discussed on TWiki.org first. |
|---|
-
Codev Web
-
Readme first
-
Developers News
-
Changes
-
Major Only
- All Webs
-
RSS Feed
-
Search
- Advanced
-
Topics of interest
-
Categories
-
All tags / My tags
Create New Topic
Georgetown
TWiki 4.2.0- TWiki community
- TWiki marketing
- TWiki advocacy
- TWiki deployment
- Dev questions
- TWiki competition
- Usability
- Security
- Community
- How you can help
- Community roles
-
Answer Support questions
- Community
- #twiki (IRC)
- — logs
- Meet others
- Webs
-
Blog
- Codev
- Main
- Plugins
- Sandbox
- Support
- TWiki
- TWiki01
- TWiki02
- TWiki03
- TWiki04
- TWiki04x01
- TWiki04x02
 |
|
Copyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors. Ideas, requests, problems regarding TWiki? Send feedback