Bug 83298

Summary:	www-apps/twiki: ImageGalleryPlugin Shell Command Injection
Product:	Gentoo Security	Reporter:	Jean-François Brunette (RETIRED) <formula7>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED INVALID
Severity:	normal	CC:	web-apps
Priority:	High
Version:	unspecified
Hardware:	All
OS:	All
URL:	http://www.enyo.de/fw/security/notes/twiki-robustness.html
Whiteboard:
Package list:		Runtime testing required:	---

Description Jean-François Brunette (RETIRED) gentoo-dev

2005-02-25 06:43:07 UTC

CVE reference: CAN-2005-0516
 
 
Description:
Florian Weimer has reported a vulnerability in the TWiki Image Gallery plugin, which can be exploited by malicious users to compromise a vulnerable system.

The problem is that some configuration options used in ImageMagick commands can be manipulated. This can be exploited to inject arbitrary shell commands.

Successful exploitation requires that a user can create or edit image galleries.

Solution:
Edit the source code to ensure that input is properly sanitised.

Comment 1 Thierry Carrez (RETIRED) gentoo-dev

2005-02-25 08:20:36 UTC

I /think/ the ImageGallery plugin is not in Portage. Someone please doublecheck

Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev

2005-02-26 07:35:50 UTC

I don't see it either.

web-apps can you confirm we are not affected?

Comment 3 Aaron Walker (RETIRED) gentoo-dev

2005-03-01 07:40:27 UTC

Well I've searched and searched and I can't find anything.  I can't find any twiki plugins at all actually.

Comment 4 Thierry Carrez (RETIRED) gentoo-dev

2005-03-01 07:57:44 UTC

OK then...