TWiki Security Alerts

Please join the twiki-announce list: To get immediate alerts of high priority security issues, please join the low-volume twiki-announce list - details at TWikiAnnounceMailingList

These are security alerts compiled from the KnownIssuesOfTWiki topics:

Security Alerts of TWiki 4.3.x Production Releases

• Security Audit: Crypt token based fix for cross-site request forgery vulnerability
  • Details in SecurityAuditTokenBasedCsrfFix, fixed in TWiki 4.3.2
• Security Alert: Cross-site request forgery vulnerability with image tag
  • Fix available in SecurityAlert-CVE-2009-1339, fixed in TWiki 4.3.1

• See other KnownIssuesOfTWiki04x03

Security Alerts of TWiki 4.2.x Production Releases

• Security Audit: Crypt token based fix for cross-site request forgery vulnerability
  • Details in SecurityAuditTokenBasedCsrfFix, fixed in TWiki 4.3.2
• Security Alert: Cross-site request forgery vulnerability with image tag
  • Fix available in SecurityAlert-CVE-2009-1339, fixed in TWiki 4.3.1
• Security Alert: TWiki SEARCH variable allows arbitrary shell command execution
  • Fix available in SecurityAlert-CVE-2008-5305, fixed in TWiki 4.2.4
• Security Alert: Cross-site scripting vulnerability with TWiki URLPARAM variable
  • Fix available in SecurityAlert-CVE-2008-5304, fixed in TWiki 4.2.4
• Security Alert: Arbitrary Code Execution in Configure Script
  • Fix available in SecurityAlert-CVE-2008-3195, fixed in TWiki 4.2.3

• See other KnownIssuesOfTWiki04x02

Security Alerts of TWiki 4.1.x Production Releases

• Security Audit: Crypt token based fix for cross-site request forgery vulnerability
  • Details in SecurityAuditTokenBasedCsrfFix, fixed in TWiki 4.3.2
• Security Alert: Cross-site request forgery vulnerability with image tag
  • Fix available in SecurityAlert-CVE-2009-1339, fixed in TWiki 4.3.1
• Security Alert: TWiki SEARCH variable allows arbitrary shell command execution
  • Fix available in SecurityAlert-CVE-2008-5305, fixed in TWiki 4.2.4
• Security Alert: Cross-site scripting vulnerability with TWiki URLPARAM variable
  • Fix available in SecurityAlert-CVE-2008-5304, fixed in TWiki 4.2.4
• Security Alert: Arbitrary Code Execution in Configure Script
  • Fix available in SecurityAlert-CVE-2008-3195, fixed in TWiki 4.2.3
• Security Audit: Incorrect documentation of permission settings with empty values
  • Suggestion available in SecurityAuditEmptyPermissions
• Security Alert: Arbitrary code execution in session files (CVE-2007-0669)
  • Fix available in SecurityAlert-CVE-2007-0669, fixed in TWiki 4.1.1

• See other KnownIssuesOfTWiki04x01

Security Alerts of TWiki 4.0.x Production Releases

• Security Audit: Crypt token based fix for cross-site request forgery vulnerability
  • Details in SecurityAuditTokenBasedCsrfFix, fixed in TWiki 4.3.2
• Security Alert: Cross-site request forgery vulnerability with image tag
  • Fix available in SecurityAlert-CVE-2009-1339, fixed in TWiki 4.3.1
• Security Alert: TWiki SEARCH variable allows arbitrary shell command execution
  • Fix available in SecurityAlert-CVE-2008-5305, fixed in TWiki 4.2.4
• Security Alert: Cross-site scripting vulnerability with TWiki URLPARAM variable
  • Fix available in SecurityAlert-CVE-2008-5304, fixed in TWiki 4.2.4
• Security Alert: Arbitrary Code Execution in Configure Script
  • Fix available in SecurityAlert-CVE-2008-3195, fixed in TWiki 4.2.3
• Security Audit: Incorrect documentation of permission settings with empty values
  • Suggestion available in SecurityAuditEmptyPermissions
• Security Alert: Arbitrary code execution in session files (CVE-2007-0669)
  • Fix available in SecurityAlert-CVE-2007-0669, fixed in TWiki 4.1.1
• Security Alert: Login bypass allows view of access restricted content, on Apache 1.3 only (CVE-2006-6071)
  • Fix available in SecurityAlert-CVE-2006-6071
• Security Alert: Viewfile script allows view of arbitrary files (CVE-2006-4294)
  • Fix available in SecurityAlert-CVE-2006-4294, fixed in HotFix04x00x04x04 (actually fixed in hotfix 3 but it is buggy)
• Security Alert: Configure script allows arbitrary shell command execution (CVE-2006-3819)
  • Fix available in SecurityAlertCmdExecWithConfigure, fixed in HotFix04x00x04x02
• Security Alert: Secure webserver to prevent script execution of uploaded files (CVE-2006-3336)
  • Fix available in SecurityAlertSecureFileUploads, fixed in TWikiRelease04x00x04
• Security Alert: Privilege elevation with crafted registration form (CVE-2006-2942)
  • Fix available in SecurityAlertTWiki4PrivilegeElevation, fixed in TWikiRelease04x00x03
• Security Alert: TWiki Rdiff and Preview Scripts Ignore Access Control Settings
  • Fix available in SecurityAlertTWiki4RdiffPreviewAccess, fixed in TWikiRelease04x00x02
• Security Alert: TWiki INCLUDE function allows DoS attack on itself
  • Fix available in SecurityAdvisoryDosAttackWithInclude, fixed in TWikiRelease04x00x02

• See other KnownIssuesOfTWiki04x00x00

Security Alerts of TWiki Production Release 01-Sep-2004 - 04-Sep-2004

• Security Audit: Crypt token based fix for cross-site request forgery vulnerability
  • Details in SecurityAuditTokenBasedCsrfFix, fixed in TWiki 4.3.2
• Security Alert: Cross-site request forgery vulnerability with image tag
  • Fix available in SecurityAlert-CVE-2009-1339, fixed in TWiki 4.3.1
• Security Alert: SessionPlugin allows arbitrary code execution in session files (CVE-2007-0669)
  • Fix available in SecurityAlert-CVE-2007-0669, fixed in TWiki 4.1.1
• Security Alert: Login bypass allows view of access restricted content, only with SessionPlugin on Apache 1.3 (CVE-2006-6071)
  • Fix available in SecurityAlert-CVE-2006-6071
• Security Alert: Secure webserver to prevent script execution of uploaded files (CVE-2006-3336)
  • Fix available in SecurityAlertSecureFileUploads, fixed in TWikiRelease04x00x04
• Security Alert: TWiki INCLUDE function allows DoS attack on itself
  • Fix available in SecurityAdvisoryDosAttackWithInclude and in TWikiRelease04x00x02
• Security Alert: TWiki INCLUDE function allows arbitrary shell command execution
  • Fix available in SecurityAlertExecuteCommandsWithInclude
  • Patched production release TWikiRelease04Sep2004 available
• Security Alert: TWiki history function allows arbitrary shell command execution
  • Fix available in SecurityAlertExecuteCommandsWithRev
  • Patched production release TWikiRelease03Sep2004 available
• Security Alert: TWiki search function allows arbitrary shell command execution
  • Fix available in SecurityAlertExecuteCommandsWithSearch
  • Patched production release TWikiRelease02Sep2004 available
• Security Audit: Check TWiki Installation for Visible Lib Directories
  • Suggestion available in SecurityAuditOnVisibleLibDir

• See other KnownIssuesOfTWiki01Sep2004

Security Alerts of TWiki Production Release 01-Feb-2003

• Security Audit: Crypt token based fix for cross-site request forgery vulnerability
  • Details in SecurityAuditTokenBasedCsrfFix, fixed in TWiki 4.3.2
• Security Alert: Cross-site request forgery vulnerability with image tag
  • Fix available in SecurityAlert-CVE-2009-1339, fixed in TWiki 4.3.1
• Security Alert: Secure webserver to prevent script execution of uploaded files (CVE-2006-3336)
  • Fix available in SecurityAlertSecureFileUploads, fixed in TWikiRelease04x00x04
• Security Alert: TWiki INCLUDE function allows DoS attack on itself
  • Fix available in SecurityAdvisoryDosAttackWithInclude and in TWikiRelease04x00x02
• Security Alert: TWiki INCLUDE function allows arbitrary shell command execution
  • Fix available in SecurityAlertExecuteCommandsWithInclude
• Security Alert: TWiki history function allows arbitrary shell command execution
  • Fix available in SecurityAlertExecuteCommandsWithRev
• Security Alert: TWiki search function allows arbitrary shell command execution
  • Fix available in SecurityAlertExecuteCommandsWithSearch
• Security alert: A registered TWiki user may gain admin rights by manipulating the TWikiUsers topic.
  • Fix available in SecurityAlertGainAdminRightWithTWikiUsersMapping
• Security alert: Meta characters can be passed through to the shell when attaching files, potentially allowing the execution of arbitrary shell commands
  • Fix available in NoShellCharacterEscapingInFileAttachComment
• Security alert: User could gain view access rights of another user
  • Fix available in InsecureViewWithFailedAuthentication
• Security audit: TWiki Preferences need to be secured properly
  • Instructions available in SecureTWikiPreferences

• See other KnownIssuesOfTWiki01Feb2003

Security Alerts of TWiki Production Release 01 Dec 2001

• Security Alert: Secure webserver to prevent script execution of uploaded files (CVE-2006-3336)
  • Fix available in SecurityAlertSecureFileUploads, fixed in TWikiRelease04x00x04
• Security Alert: TWiki INCLUDE function allows DoS attack on itself
  • Fix available in SecurityAdvisoryDosAttackWithInclude and in TWikiRelease04x00x02
• Security Alert: TWiki history function allows arbitrary shell command execution
  • Fix available in SecurityAlertExecuteCommandsWithRev
• Security Alert: TWiki search function allows arbitrary shell command execution
  • Fix available in SecurityAlertExecuteCommandsWithSearch

• See other KnownIssuesOfTWiki01Dec2001

Security Alerts of TWiki Production Release 01 Sep 2001

• Security Alert: Secure webserver to prevent script execution of uploaded files (CVE-2006-3336)
  • Fix available in SecurityAlertSecureFileUploads, fixed in TWikiRelease04x00x04
• Security Alert: TWiki INCLUDE function allows DoS attack on itself
  • Fix available in SecurityAdvisoryDosAttackWithInclude and in TWikiRelease04x00x02
• Security Alert: TWiki history function allows arbitrary shell command execution
  • Fix available in SecurityAlertExecuteCommandsWithRev
• Security Alert: TWiki search function allows arbitrary shell command execution
  • Fix available in SecurityAlertExecuteCommandsWithSearch

• See other KnownIssuesOfTWiki01Sep2001

Security Alerts of TWiki Production Release 01 Dec 2000

• Security Alert: Secure webserver to prevent script execution of uploaded files (CVE-2006-3336)
  • Fix available in SecurityAlertSecureFileUploads, fixed in TWikiRelease04x00x04
• Security Alert: TWiki history function allows arbitrary shell command execution
  • Fix available in SecurityAlertExecuteCommandsWithRev
• Security Alert: TWiki search function allows arbitrary shell command execution
  • Fix available in SecurityAlertExecuteCommandsWithSearch
• FileAttachmentFilterSecurityAlert:
  • Files with a .php extension attached to a TWiki topic can be executed. This security alert describes how to protect your TWiki installation.

• See other KnownIssuesOfTWiki01Dec2000

Security Alerts of TWiki Production Release 01 May 2000

• Security Alert: TWiki search function allows arbitrary shell command execution
  • Fix available in SecurityAlertExecuteCommandsWithSearch
• MajorSecurityProblemWithIncludeFileProcessing:
  • It is possible to show the content of system files (i.e. password files) with the %INCLUDE{"...."}% variable or the template files. The fix prevents this.

• See other KnownIssuesOfTWiki01May2000

TWiki Security Alert Process

See TWikiSecurityAlertProcess and SecurityTeam.

-- PeterThoeny - 07 Nov 2004

Discussions

NOTE: Please put any general security questions in the Support web, as support questions. New security holes found should follow the TWikiSecurityAlertProcess, rather than being discussed on TWiki.org first.