Bug 194718 - www-apps/twiki WorkAreaDir Information leak (CVE-2007-5193)
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
URL: http://bugs.debian.org/cgi-bin/bugrep...
Whiteboard: ~4 [upstream]
Reported: 2007-10-04 16:45 UTC by Robert Buchholz (RETIRED)
Modified: 2007-10-09 21:55 UTC
Description Robert Buchholz (RETIRED) gentoo-dev 2007-10-04 16:45:25 UTC
Olivier Berger reported an information leak in twiki for plugins when using the default WorkAreaDir which might be accessible from the web.

See URL for details.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-10-04 16:46:42 UTC
web-apps, please advise.
Comment 2 Gunnar Wrobel (RETIRED) gentoo-dev 2007-10-09 04:26:55 UTC
No action required from our side.

The install instructions state:

2. Take a look at twiki_httpd_conf.txt and modify your Apache configs as
   needed.

twiki_httpd_conf.txt contains:

<Directory "/var/www/localhost/htdocs/twiki/pub">
	Options None
	AllowOverride Limit
...

Which will lead to .htaccess having effect in that directory.

So our default configuration is fine.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2007-10-09 21:55:47 UTC
Sounds reasonable.
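
Added example, not part of the bug report and not Gentoo's or TWiki's own code: the check Comment 2 makes by hand, namely whether the Directory section covering a path sets an AllowOverride value that lets .htaccess access rules take effect. Both configs are constructed from the quoted snippet, and WORKAREA_PLACEHOLDER is a hypothetical subdirectory name.

```python
import re

# One <Directory "path"> ... </Directory> section (plain paths, no regex form).
SECTION = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>',
                     re.IGNORECASE | re.DOTALL)
OVERRIDE = re.compile(r'^\s*AllowOverride\s+(.+?)\s*$',
                      re.IGNORECASE | re.MULTILINE)


def effective_allow_override(conf_text, target):
    """AllowOverride values applying to `target`, or None if never set.

    Apache merges <Directory> sections from shortest path to longest, so the
    most specific covering section that sets AllowOverride wins.
    """
    target = target.rstrip("/") + "/"
    best_len, best = -1, None
    for path, body in SECTION.findall(conf_text):
        prefix = path.rstrip("/") + "/"
        m = OVERRIDE.search(body)
        if m and target.startswith(prefix) and len(prefix) > best_len:
            best_len, best = len(prefix), m.group(1).split()
    return best


def htaccess_can_restrict_access(conf_text, target):
    """True if Order/Allow/Deny lines in .htaccess are honoured for `target`."""
    values = effective_allow_override(conf_text, target) or []
    return bool({v.lower() for v in values} & {"limit", "all"})


# Constructed sample: the pub section quoted in comment 2, closed so it parses.
QUOTED_STYLE = '''
<Directory "/var/www/localhost/htdocs/twiki/pub">
	Options None
	AllowOverride Limit
</Directory>
'''
# Constructed counter-example: .htaccess files under pub are ignored.
IGNORES_HTACCESS = QUOTED_STYLE.replace("AllowOverride Limit",
                                        "AllowOverride None")
PUB = "/var/www/localhost/htdocs/twiki/pub"
WORK = PUB + "/WORKAREA_PLACEHOLDER"  # hypothetical subdirectory name

if __name__ == "__main__":
    for label, conf in (("Limit", QUOTED_STYLE), ("None", IGNORES_HTACCESS)):
        print(label, htaccess_can_restrict_access(conf, WORK))
```

The check covers only whether Apache would honour an .htaccess file; it does not confirm that such a file exists in the directory or what it denies.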