TWiki 4.1.x CSRF vulnerability (CVE-2009-1339)
Bug #383085 reported by
Fumihito YOSHIDA
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| twiki (Debian) |
Fix Released
|
Unknown
|
|||
| twiki (Ubuntu) |
Invalid
|
Undecided
|
Unassigned | ||
Bug Description
TWiki 4.1.x has CSRF vulnerability, it identified with CVE-2009-1339.
http://
> Impact
>
> An image tag can be crafted that, when viewed, updates pages with
> the attackers content in TWiki as the viewing user, including members
> of the TWikiAdminGroup. This can be used to gain administrator
> privileges, change access permissions and do other things.
It affected to Hardy,Intrepid,
sid/squeeze/
But, in now, we have not any actual patchs.
[References]
Original Advisory:
http://
Discussion of fix for 4.1.x about this vuln.
http://
CVE References
| visibility: | private → public |
Revision history for this message
| Fumihito YOSHIDA (hito) wrote | #1 |
| Changed in twiki (Debian): | |
| status: | Unknown → New |
Revision history for this message
| Jamie Strandboge (jdstrand) wrote | #2 |
| Changed in twiki (Ubuntu): | |
| status: | New → Confirmed |
| Changed in twiki (Debian): | |
| status: | New → Fix Released |
Revision history for this message
| dino99 (9d9) wrote | #3 |
| Changed in twiki (Ubuntu): | |
| status: | Confirmed → Invalid |
To post a comment you must log in.
FYI:
Patch aproach for hotfix are avaialble, but any actual patch is not written.
http://
Aproachs are:
1) changing twiki-apache conf (/etc/twiki/
for sensitive previledged pages.
2) changing templates files. it minimal included:
* twiki/templates
* twiki/templates
* twiki/templates