
Bug 83298

Summary: www-apps/twiki: ImageGalleryPlugin Shell Command Injection
Product: Gentoo Security
Reporter: Jean-François Brunette (RETIRED)
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: normal
CC: web-apps
Priority: High
Version: unspecified
Hardware: All
OS: All
URL: http://www.enyo.de/fw/security/notes/twiki-robustness.html
Whiteboard:
Package list:
Runtime testing required: ---

Description Jean-François Brunette (RETIRED) gentoo-dev 2005-02-25 06:43:07 UTC
CVE reference: CAN-2005-0516
Description:
Florian Weimer has reported a vulnerability in the TWiki Image Gallery plugin, which can be exploited by malicious users to compromise a vulnerable system.

The problem is that some configuration options used in ImageMagick commands can be manipulated. This can be exploited to inject arbitrary shell commands.

Successful exploitation requires that a user can create or edit image galleries.

Solution:
Edit the source code to ensure that input is properly sanitised.
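The advisory above describes the general defect (gallery configuration values interpolated into an ImageMagick command line) and the general fix (sanitise the input). The following is an added example, not TWiki's or the plugin's own code, written in Python rather than TWiki's Perl because the principle is language-independent. The option names (`thumbsize`, `quality`), the allow-list patterns and the `convert` argument layout are assumptions chosen for illustration. It shows the two layers a maintainer would want: a strict allow-list on each configuration value, and invoking the converter through an argument list rather than a shell string, so that a value which fails validation is rejected and a value that reaches the child process is passed literally, never parsed by a shell.

```python
import re
import subprocess
import sys

# Assumed allow-lists for the kinds of gallery options the advisory says reach
# ImageMagick: a geometry such as "120x90" and a JPEG quality from 1 to 100.
# The option names are illustrative, not the plugin's real configuration keys.
ALLOWED_OPTIONS = {
    "thumbsize": re.compile(r"[1-9][0-9]{0,3}x[1-9][0-9]{0,3}"),
    "quality": re.compile(r"100|[1-9][0-9]?"),
}

# File names: no path separators, no leading "-" (which ImageMagick would read
# as an option) and no leading "." (hidden files / parent directory).
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]*")


def validate_option(name, value):
    """Return True only if `value` fully matches the allow-list for `name`."""
    pattern = ALLOWED_OPTIONS.get(name)
    return bool(pattern and pattern.fullmatch(value))


def validate_name(value):
    """Return True only if `value` is a plain file name with safe characters."""
    return bool(SAFE_NAME.fullmatch(value))


def build_convert_argv(src, dst, thumbsize, quality):
    """Build the argv list for an ImageMagick `convert` call.

    Every element is validated first; the result is a list, never a string,
    so no shell ever sees the values. Raises ValueError on rejected input.
    """
    if not validate_name(src) or not validate_name(dst):
        raise ValueError("rejected file name")
    if not validate_option("thumbsize", thumbsize):
        raise ValueError("rejected thumbsize")
    if not validate_option("quality", quality):
        raise ValueError("rejected quality")
    return ["convert", src, "-resize", thumbsize, "-quality", quality, dst]


def run_argv(argv):
    """Run a command from an argument list with shell=False and return stdout."""
    completed = subprocess.run(
        argv, shell=False, capture_output=True, text=True, check=True
    )
    return completed.stdout


def demo_literal_argument():
    """Show that a metacharacter-laden value handed over as one argv element
    arrives in the child process unchanged instead of being interpreted.

    The Python interpreter stands in for `convert` so this runs offline;
    the constructed value "120x90; echo injected" is simply echoed back.
    """
    value = "120x90; echo injected"
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])", value]
    return run_argv(argv).strip()


if __name__ == "__main__":
    print(build_convert_argv("photo.jpg", "thumb.jpg", "120x90", "85"))
    print(repr(demo_literal_argument()))
    try:
        build_convert_argv("photo.jpg", "thumb.jpg", "120x90; echo injected", "85")
    except ValueError as exc:
        print("rejected:", exc)
```

The allow-list check is the part the advisory's "Solution" line asks for; the argument-list invocation is the second line of defence that makes the command line safe even if a validator is later loosened or bypassed. Note that `-resize` and `-quality` are real `convert` options, but the example never actually invokes ImageMagick.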
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-02-25 08:20:36 UTC
I /think/ the ImageGallery plugin is not in Portage. Someone please double-check.
Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2005-02-26 07:35:50 UTC
I don't see it either.

web-apps can you confirm we are not affected?
Comment 3 Aaron Walker (RETIRED) gentoo-dev 2005-03-01 07:40:27 UTC
Well I've searched and searched and I can't find anything.  I can't find any twiki plugins at all actually.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-03-01 07:57:44 UTC
OK then...