Bug 141889 - www-apps/twiki: arbitrary shell command execution (CVE-2006-3819)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
URL: http://twiki.org/cgi-bin/view/Codev/S...
Whiteboard: ~1 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2006-07-27 07:53 UTC by Matthias Geerdsen (RETIRED)
Modified: 2006-08-02 00:33 UTC

See Also:
Package list:
Runtime testing required: ---


Description Matthias Geerdsen (RETIRED) gentoo-dev 2006-07-27 07:53:42 UTC
4.0.4 is vulnerable, but ~arch

Details and hotfix are available at the URL.

--

Attack Vectors:
Supply a specially crafted HTTP POST request on the TWiki configure script.

Impact:
An intruder is able to execute arbitrary shell commands with the privileges of the web server process, such as user nobody. Properly configured TWiki sites with authenticated configure script are not affected.

Severity Level:
Severity 1 issue: The web server can be compromised

MITRE Name for this Vulnerability:
The Common Vulnerabilities and Exposures project has assigned the name CVE-2006-3819 to this vulnerability.
Comment 1 Wolf Giesen (RETIRED) gentoo-dev 2006-07-27 07:57:33 UTC
It's ~arch, though.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2006-07-29 05:34:40 UTC
web-apps please bump when you can
Comment 3 Renat Lumpau (RETIRED) gentoo-dev 2006-08-01 14:08:44 UTC
-r1
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-08-02 00:33:58 UTC
Thx Renat.