237843 CVE-2008-3195 2008-09-16 14:40 0000 www-apps/twiki <4.2.3 config script command execution (CVE-2008-{3195,4112}) 2008-09-21 14:48:44 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://www.kb.cert.org/vuls/id/362012 ~1 [noglsa] P2 trivial --- 1 rbu@gentoo.org security@gentoo.org rbu@gentoo.org 2008-09-16 14:40:28 0000 US-CERT writes: The TWiki wiki software fails to validate input passed to certain URLs. By accessing a URL containing the TWiki configuration script, an attacker may be able to read arbitrary files. I. Description TWiki is a wiki that is runs in the context of the Apache web server. TWiki is installed by configuring Apache, then accessing a configuration script from a web browser. Before executing the configuration script, the TWiki installation instructions provide a generator for Apache configuration directives that is designed to prevent unauthorized access to the script. There is a command execution vulnerability in TWiki versions prior to 4.2.3. According to the TWiki download page, this issue can only be exploited if the configure script was not secured as described in step number 8 in the installation guide. Public exploit code has been released that targets this vulnerability. TWiki servers typically use predictable URLs and vulnerable systems may be found by querying search engines. rbu@gentoo.org 2008-09-17 19:39:31 0000 CVE-2008-4112 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4112): Directory traversal vulnerability in bin/configure in TWiki before 4.2.3, when a certain step in the installation guide is skipped, allows remote attackers to read arbitrary files via a query string containing a .. (dot dot) in the image variable. rbu@gentoo.org 2008-09-19 15:28:13 0000 CVE-2008-3195 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3195): Directory traversal vulnerability in bin/configure in TWiki before 4.2.3, when a certain step in the installation guide is skipped, allows remote attackers to read arbitrary files via a query string containing a .. (dot dot) in the image variable, and execute arbitrary files via unspecified vectors. wrobel@gentoo.org 2008-09-21 14:25:55 0000 Added twiki-4.2.3, removed vulnerable -4.1.2, -4.2.0, -4.2.2. Unstable on all arches. Webapps done.