Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 237843 (CVE-2008-3195)

Summary: www-apps/twiki <4.2.3 config script command execution (CVE-2008-{3195,4112})
Product: Gentoo Security Reporter: Robert Buchholz (RETIRED) <rbu>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.kb.cert.org/vuls/id/362012
Whiteboard: ~1 [noglsa]
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2008-09-16 14:40:28 UTC 
US-CERT writes:
The TWiki wiki software fails to validate input passed to certain URLs. By accessing a URL containing the TWiki configuration script, an attacker may be able to read arbitrary files.

I. Description
TWiki is a wiki that is runs in the context of the Apache web server. TWiki is installed by configuring Apache, then accessing a configuration script from a web browser. Before executing the configuration script, the TWiki installation instructions provide a generator for Apache configuration directives that is designed to prevent unauthorized access to the script.

There is a command execution vulnerability in TWiki versions prior to 4.2.3. According to the TWiki download page, this issue can only be exploited if the configure script was not secured as described in step number 8 in the installation guide.

Public exploit code has been released that targets this vulnerability. TWiki servers typically use predictable URLs and vulnerable systems may be found by querying search engines.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-09-17 19:39:31 UTC 
CVE-2008-4112 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4112):
  Directory traversal vulnerability in bin/configure in TWiki before
  4.2.3, when a certain step in the installation guide is skipped,
  allows remote attackers to read arbitrary files via a query string
  containing a .. (dot dot) in the image variable.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-09-19 15:28:13 UTC 
CVE-2008-3195 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3195):
  Directory traversal vulnerability in bin/configure in TWiki before
  4.2.3, when a certain step in the installation guide is skipped,
  allows remote attackers to read arbitrary files via a query string
  containing a .. (dot dot) in the image variable, and execute
  arbitrary files via unspecified vectors.
Comment 3 Gunnar Wrobel (RETIRED) gentoo-dev 2008-09-21 14:25:55 UTC 
Added twiki-4.2.3, removed vulnerable -4.1.2, -4.2.0, -4.2.2. Unstable on all arches. Webapps done.