TWiki 4.1.x CSRF vulnerability (CVE-2009-1339)
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| twiki (Debian) | Fix Released | Unknown | | |
| twiki (Ubuntu) | Invalid | Undecided | Unassigned | |
Bug Description
TWiki 4.1.x has a CSRF vulnerability, identified as CVE-2009-1339.
http://
> Impact
>
> An image tag can be crafted that, when viewed, updates pages with
> the attackers content in TWiki as the viewing user, including members
> of the TWikiAdminGroup. This can be used to gain administrator
> privileges, change access permissions and do other things.
It affects Hardy, Intrepid,
sid/squeeze/
But, for now, we have no actual patches.
[References]
Original Advisory:
http://
Discussion of the fix for 4.1.x for this vulnerability:
http://
CVE References
visibility: | private → public |
Changed in twiki (Debian): | |
status: | Unknown → New |
Changed in twiki (Debian): | |
status: | New → Fix Released |
FYI: twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2009-1339#Minimal_Hotfix_for_TWiki_Product
A patch approach for a hotfix is available, but no actual patch has been written.
http://
Approaches are:
1) changing the twiki-apache conf (/etc/twiki/apache.conf), so that it prevents GET access for sensitive privileged pages.
2) changing template files. It minimally includes:
* twiki/templates/messages.tmpl
* twiki/templates/oopsmore.tmpl
* twiki/templates/registerconfirm.tmpl
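As an added example (not from the bug report, the Debian/Ubuntu packages or the TWiki project), the following Apache configuration implements approach 1): it refuses any method other than POST on TWiki's state-changing CGI scripts, so the GET that a crafted image tag issues is answered with 403 before it reaches TWiki. The path prefix `/twiki/bin/`, the Apache 2.4 authorization syntax and the choice of scripts (`save` and `upload`) are assumptions; a script whose normal user interface is reached by GET must not be listed here or the wiki UI breaks.

```apache
# Added example, not taken from the bug report or from TWiki.
# Assumptions: TWiki's CGI scripts are served under /twiki/bin/ and Apache 2.4
# (Require-based authorization) is in use. Only scripts that legitimately
# receive POST from TWiki's own forms are listed.
<LocationMatch "^/twiki/bin/(save|upload)(/|$)">
    # Everything except POST (GET, HEAD, ...) is denied, which stops the
    # <img src="..."> vector: a browser fetches an image with GET.
    <LimitExcept POST>
        Require all denied
    </LimitExcept>
</LocationMatch>
```

This only closes the GET-based vector described in the report; a malicious page can still submit a cross-site POST, so the template-side change in approach 2) is still needed. Run `apachectl configtest` before reloading, then confirm that a plain browser GET to a `/twiki/bin/save/...` URL returns 403 while saving from the edit form still works.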