TWiki Security Alerts
Get Involved!
TWiki is an open source project with 13 years of history, built by a team of volunteers from around the world, and used by millions of people in over 100 countries. The community is focusing on building the best collaboration platform for the workplace. We invite you to get involved!
 Please join thetwiki-announce list: |
To get immediate alerts of high priority security issues, please join the low-volume twiki-announce list - details at TWikiAnnounceMailingList |
|---|
TWiki User Organization Script Insertion Vulnerability - False Alarm 2012-01-31
These are security alerts compiled from the KnownIssuesOfTWiki topics:
- Security Alerts of TWiki 5.1.x Production Releases
- Security Alerts of TWiki 5.0.x Production Releases
- Security Alerts of TWiki 4.3.x Production Releases
- Security Alerts of TWiki 4.2.x Production Releases
- Security Alerts of TWiki 4.1.x Production Releases
- Security Alerts of TWiki 4.0.x Production Releases
- Security Alerts of TWiki Production Release 01-Sep-2004 - 04-Sep-2004
- Security Alerts of TWiki Production Release 01-Feb-2003
- Security Alerts of TWiki Production Release 01 Dec 2001
- Security Alerts of TWiki Production Release 01 Sep 2001
- Security Alerts of TWiki Production Release 01 Dec 2000
- Security Alerts of TWiki Production Release 01 May 2000
- TWiki Security Alert Process
- Discussions
Security Alerts of TWiki 5.1.x Production Releases
- (none)
- See other KnownIssuesOfTWiki05x01
Security Alerts of TWiki 5.0.x Production Releases
- Security Alert: XSS Vulnerability with topic create and slideshows
- Fix available in SecurityAlert-CVE-2011-3010, fixed in TWiki-5.1.0
- Security Alert: XSS Vulnerability with origurl parameter of login script
- Fix available in SecurityAlert-CVE-2011-1838, fixed in TWiki-5.0.2
- Security Alert: XSS Vulnerability with rev parameter & login script
- Fix available in SecurityAlert-CVE-2010-3841, fixed in TWiki-5.0.1
- See other KnownIssuesOfTWiki05x00
Security Alerts of TWiki 4.3.x Production Releases
- Security Alert: XSS Vulnerability with topic create and slideshows
- Fix available in SecurityAlert-CVE-2011-3010, fixed in TWiki-5.1.0
- Security Alert: XSS Vulnerability with origurl parameter of login script
- Fix available in SecurityAlert-CVE-2011-1838, fixed in TWiki-5.0.2
- Security Alert: XSS Vulnerability with rev parameter & login script
- Fix available in SecurityAlert-CVE-2010-3841, fixed in TWiki-5.0.1
- Security Audit: Crypt token based fix for cross-site request forgery vulnerability
- Details in SecurityAuditTokenBasedCsrfFix, fixed in TWiki-4.3.2
- Security Alert: Cross-site request forgery vulnerability with image tag
- Fix available in SecurityAlert-CVE-2009-1339, fixed in TWiki-4.3.1
- See other KnownIssuesOfTWiki04x03
Security Alerts of TWiki 4.2.x Production Releases
- Security Alert: XSS Vulnerability with topic create and slideshows
- Fix available in SecurityAlert-CVE-2011-3010, fixed in TWiki-5.1.0
- Security Alert: XSS Vulnerability with origurl parameter of login script
- Fix available in SecurityAlert-CVE-2011-1838, fixed in TWiki-5.0.2
- Security Alert: XSS Vulnerability with rev parameter & login script
- Fix available in SecurityAlert-CVE-2010-3841, fixed in TWiki-5.0.1
- Security Audit: Crypt token based fix for cross-site request forgery vulnerability
- Details in SecurityAuditTokenBasedCsrfFix, fixed in TWiki-4.3.2
- Security Alert: Cross-site request forgery vulnerability with image tag
- Fix available in SecurityAlert-CVE-2009-1339, fixed in TWiki-4.3.1
- Security Alert: TWiki SEARCH variable allows arbitrary shell command execution
- Fix available in SecurityAlert-CVE-2008-5305, fixed in TWiki-4.2.4
- Security Alert: Cross-site scripting vulnerability with TWiki URLPARAM variable
- Fix available in SecurityAlert-CVE-2008-5304, fixed in TWiki-4.2.4
- Security Alert: Arbitrary Code Execution in Configure Script
- Fix available in SecurityAlert-CVE-2008-3195, fixed in TWiki-4.2.3
- See other KnownIssuesOfTWiki04x02
Security Alerts of TWiki 4.1.x Production Releases
- Security Alert: XSS Vulnerability with topic create and slideshows
- Fix available in SecurityAlert-CVE-2011-3010, fixed in TWiki-5.1.0
- Security Alert: XSS Vulnerability with origurl parameter of login script
- Fix available in SecurityAlert-CVE-2011-1838, fixed in TWiki-5.0.2
- Security Alert: XSS Vulnerability with rev parameter & login script
- Fix available in SecurityAlert-CVE-2010-3841, fixed in TWiki-5.0.1
- Security Audit: Crypt token based fix for cross-site request forgery vulnerability
- Details in SecurityAuditTokenBasedCsrfFix, fixed in TWiki-4.3.2
- Security Alert: Cross-site request forgery vulnerability with image tag
- Fix available in SecurityAlert-CVE-2009-1339, fixed in TWiki-4.3.1
- Security Alert: TWiki SEARCH variable allows arbitrary shell command execution
- Fix available in SecurityAlert-CVE-2008-5305, fixed in TWiki-4.2.4
- Security Alert: Cross-site scripting vulnerability with TWiki URLPARAM variable
- Fix available in SecurityAlert-CVE-2008-5304, fixed in TWiki-4.2.4
- Security Alert: Arbitrary Code Execution in Configure Script
- Fix available in SecurityAlert-CVE-2008-3195, fixed in TWiki-4.2.3
- Security Audit: Incorrect documentation of permission settings with empty values
- Suggestion available in SecurityAuditEmptyPermissions
- Security Alert: Arbitrary code execution in session files (CVE-2007-0669)
- Fix available in SecurityAlert-CVE-2007-0669, fixed in TWiki-4.1.1
- See other KnownIssuesOfTWiki04x01
Security Alerts of TWiki 4.0.x Production Releases
- Security Alert: XSS Vulnerability with topic create and slideshows
- Fix available in SecurityAlert-CVE-2011-3010, fixed in TWiki-5.1.0
- Security Alert: XSS Vulnerability with origurl parameter of login script
- Fix available in SecurityAlert-CVE-2011-1838, fixed in TWiki-5.0.2
- Security Alert: XSS Vulnerability with rev parameter & login script
- Fix available in SecurityAlert-CVE-2010-3841, fixed in TWiki-5.0.1
- Security Audit: Crypt token based fix for cross-site request forgery vulnerability
- Details in SecurityAuditTokenBasedCsrfFix, fixed in TWiki-4.3.2
- Security Alert: Cross-site request forgery vulnerability with image tag
- Fix available in SecurityAlert-CVE-2009-1339, fixed in TWiki-4.3.1
- Security Alert: TWiki SEARCH variable allows arbitrary shell command execution
- Fix available in SecurityAlert-CVE-2008-5305, fixed in TWiki-4.2.4
- Security Alert: Cross-site scripting vulnerability with TWiki URLPARAM variable
- Fix available in SecurityAlert-CVE-2008-5304, fixed in TWiki-4.2.4
- Security Alert: Arbitrary Code Execution in Configure Script
- Fix available in SecurityAlert-CVE-2008-3195, fixed in TWiki-4.2.3
- Security Audit: Incorrect documentation of permission settings with empty values
- Suggestion available in SecurityAuditEmptyPermissions
- Security Alert: Arbitrary code execution in session files (CVE-2007-0669)
- Fix available in SecurityAlert-CVE-2007-0669, fixed in TWiki-4.1.1
- Security Alert: Login bypass allows view of access restricted content, on Apache 1.3 only (CVE-2006-6071)
- Fix available in SecurityAlert-CVE-2006-6071
- Security Alert: Viewfile script allows view of arbitrary files (CVE-2006-4294)
- Fix available in SecurityAlert-CVE-2006-4294, fixed in HotFix04x00x04x04 (actually fixed in hotfix 3 but it is buggy)
- Security Alert: Configure script allows arbitrary shell command execution (CVE-2006-3819)
- Fix available in SecurityAlertCmdExecWithConfigure, fixed in HotFix04x00x04x02
- Security Alert: Secure webserver to prevent script execution of uploaded files (CVE-2006-3336)
- Fix available in SecurityAlertSecureFileUploads, fixed in TWikiRelease04x00x04
- Security Alert: Privilege elevation with crafted registration form (CVE-2006-2942)
- Fix available in SecurityAlertTWiki4PrivilegeElevation, fixed in TWikiRelease04x00x03
- Security Alert: TWiki Rdiff and Preview Scripts Ignore Access Control Settings
- Fix available in SecurityAlertTWiki4RdiffPreviewAccess, fixed in TWikiRelease04x00x02
- Security Alert: TWiki INCLUDE function allows DoS attack on itself
- Fix available in SecurityAdvisoryDosAttackWithInclude, fixed in TWikiRelease04x00x02
- See other KnownIssuesOfTWiki04x00x00
Security Alerts of TWiki Production Release 01-Sep-2004 - 04-Sep-2004
- Security Audit: Crypt token based fix for cross-site request forgery vulnerability
- Details in SecurityAuditTokenBasedCsrfFix, fixed in TWiki 4.3.2
- Security Alert: Cross-site request forgery vulnerability with image tag
- Fix available in SecurityAlert-CVE-2009-1339, fixed in TWiki 4.3.1
- Security Alert: SessionPlugin allows arbitrary code execution in session files (CVE-2007-0669)
- Fix available in SecurityAlert-CVE-2007-0669, fixed in TWiki 4.1.1
- Security Alert: Login bypass allows view of access restricted content, only with SessionPlugin on Apache 1.3 (CVE-2006-6071)
- Fix available in SecurityAlert-CVE-2006-6071
- Security Alert: Secure webserver to prevent script execution of uploaded files (CVE-2006-3336)
- Fix available in SecurityAlertSecureFileUploads, fixed in TWikiRelease04x00x04
- Security Alert: TWiki INCLUDE function allows DoS attack on itself
- Fix available in SecurityAdvisoryDosAttackWithInclude and in TWikiRelease04x00x02
- Security Alert: TWiki INCLUDE function allows arbitrary shell command execution
- Fix available in SecurityAlertExecuteCommandsWithInclude
- Patched production release TWikiRelease04Sep2004 available
- Security Alert: TWiki history function allows arbitrary shell command execution
- Fix available in SecurityAlertExecuteCommandsWithRev
- Patched production release TWikiRelease03Sep2004 available
- Security Alert: TWiki search function allows arbitrary shell command execution
- Fix available in SecurityAlertExecuteCommandsWithSearch
- Patched production release TWikiRelease02Sep2004 available
- Security Audit: Check TWiki Installation for Visible Lib Directories
- Suggestion available in SecurityAuditOnVisibleLibDir
- See other KnownIssuesOfTWiki01Sep2004
Security Alerts of TWiki Production Release 01-Feb-2003
- Security Audit: Crypt token based fix for cross-site request forgery vulnerability
- Details in SecurityAuditTokenBasedCsrfFix, fixed in TWiki 4.3.2
- Security Alert: Cross-site request forgery vulnerability with image tag
- Fix available in SecurityAlert-CVE-2009-1339, fixed in TWiki 4.3.1
- Security Alert: Secure webserver to prevent script execution of uploaded files (CVE-2006-3336)
- Fix available in SecurityAlertSecureFileUploads, fixed in TWikiRelease04x00x04
- Security Alert: TWiki INCLUDE function allows DoS attack on itself
- Fix available in SecurityAdvisoryDosAttackWithInclude and in TWikiRelease04x00x02
- Security Alert: TWiki INCLUDE function allows arbitrary shell command execution
- Fix available in SecurityAlertExecuteCommandsWithInclude
- Security Alert: TWiki history function allows arbitrary shell command execution
- Fix available in SecurityAlertExecuteCommandsWithRev
- Security Alert: TWiki search function allows arbitrary shell command execution
- Fix available in SecurityAlertExecuteCommandsWithSearch
- Security alert: A registered TWiki user may gain admin rights by manipulating the TWikiUsers topic.
- Fix available in SecurityAlertGainAdminRightWithTWikiUsersMapping
- Security alert: Meta characters can be passed through to the shell when attaching files, potentially allowing the execution of arbitrary shell commands
- Fix available in NoShellCharacterEscapingInFileAttachComment
- Security alert: User could gain view access rights of another user
- Fix available in InsecureViewWithFailedAuthentication
- Security audit: TWiki Preferences need to be secured properly
- Instructions available in SecureTWikiPreferences
- See other KnownIssuesOfTWiki01Feb2003
Security Alerts of TWiki Production Release 01 Dec 2001
- Security Alert: Secure webserver to prevent script execution of uploaded files (CVE-2006-3336)
- Fix available in SecurityAlertSecureFileUploads, fixed in TWikiRelease04x00x04
- Security Alert: TWiki INCLUDE function allows DoS attack on itself
- Fix available in SecurityAdvisoryDosAttackWithInclude and in TWikiRelease04x00x02
- Security Alert: TWiki history function allows arbitrary shell command execution
- Fix available in SecurityAlertExecuteCommandsWithRev
- Security Alert: TWiki search function allows arbitrary shell command execution
- Fix available in SecurityAlertExecuteCommandsWithSearch
- See other KnownIssuesOfTWiki01Dec2001
Security Alerts of TWiki Production Release 01 Sep 2001
- Security Alert: Secure webserver to prevent script execution of uploaded files (CVE-2006-3336)
- Fix available in SecurityAlertSecureFileUploads, fixed in TWikiRelease04x00x04
- Security Alert: TWiki INCLUDE function allows DoS attack on itself
- Fix available in SecurityAdvisoryDosAttackWithInclude and in TWikiRelease04x00x02
- Security Alert: TWiki history function allows arbitrary shell command execution
- Fix available in SecurityAlertExecuteCommandsWithRev
- Security Alert: TWiki search function allows arbitrary shell command execution
- Fix available in SecurityAlertExecuteCommandsWithSearch
- See other KnownIssuesOfTWiki01Sep2001
Security Alerts of TWiki Production Release 01 Dec 2000
- Security Alert: Secure webserver to prevent script execution of uploaded files (CVE-2006-3336)
- Fix available in SecurityAlertSecureFileUploads, fixed in TWikiRelease04x00x04
- Security Alert: TWiki history function allows arbitrary shell command execution
- Fix available in SecurityAlertExecuteCommandsWithRev
- Security Alert: TWiki search function allows arbitrary shell command execution
- Fix available in SecurityAlertExecuteCommandsWithSearch
- Security Alert: Files with a
.phpextension attached to a TWiki topic can be executed- Fix available in FileAttachmentFilterSecurityAlert
- See other KnownIssuesOfTWiki01Dec2000
Security Alerts of TWiki Production Release 01 May 2000
- Security Alert: TWiki search function allows arbitrary shell command execution
- Fix available in SecurityAlertExecuteCommandsWithSearch
- Security Alert: It is possible to show the content of system files (i.e. password files) with the
%INCLUDE{"...."}%variable or the template files- Fix available in MajorSecurityProblemWithIncludeFileProcessing
- See other KnownIssuesOfTWiki01May2000
TWiki Security Alert Process
See TWikiSecurityAlertProcess and SecurityTeam. -- PeterThoeny - 07 Nov 2004Discussions
| NOTE: |
Please put any general security questions in the Support web, as support questions. New security holes found should follow the TWikiSecurityAlertProcess, rather than being discussed on TWiki.org first. |
|---|
Topic revision: r13 - 2012-02-01 - PeterThoeny
Home 
Site map
Blog web
Create New Topic
Index
Search
Advanced search
My topics of interest
Changes
Major changes only
All tags
Notifications
RSS Feed
Statistics
Preferences
Community 
Readme first
Developers News
How you can help
Community roles
#twiki IRC
Jerusalem Release
Feature Proposals
Bugs Changes
Categories 
Account 
Ideas, requests, problems regarding TWiki? Send feedback. Ask community in the support forum.Copyright © 1999-2012 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.