You are here: TWiki>
Codev Web>KnownIssuesOfTWiki>TWikiSecurityAlerts (2007-02-25, PeterThoeny)
Codev Web>KnownIssuesOfTWiki>TWikiSecurityAlerts (2007-02-25, PeterThoeny)TWiki Security Alerts
|
|||
- Security Alerts of TWiki 4.3.x Production Releases
- Security Alerts of TWiki 4.2.x Production Releases
- Security Alerts of TWiki 4.1.x Production Releases
- Security Alerts of TWiki 4.0.x Production Releases
- Security Alerts of TWiki Production Release 01-Sep-2004 - 04-Sep-2004
- Security Alerts of TWiki Production Release 01-Feb-2003
- Security Alerts of TWiki Production Release 01 Dec 2001
- Security Alerts of TWiki Production Release 01 Sep 2001
- Security Alerts of TWiki Production Release 01 Dec 2000
- Security Alerts of TWiki Production Release 01 May 2000
- TWiki Security Alert Process
- Discussions
Security Alerts of TWiki 4.3.x Production Releases
-
Security Alert: Cross-site request forgery vulnerability with image tag - Fix available in SecurityAlert-CVE-2009-1339, fixed in TWiki 4.3.1
- See other KnownIssuesOfTWiki04x03
Security Alerts of TWiki 4.2.x Production Releases
- Security Alert: Cross-site request forgery vulnerability with image tag
- Fix available in SecurityAlert-CVE-2009-1339, fixed in TWiki 4.3.1
- Security Alert: TWiki SEARCH variable allows arbitrary shell command execution
- Fix available in SecurityAlert-CVE-2008-5305, fixed in TWiki 4.2.4
- Security Alert: Cross-site scripting vulnerability with TWiki URLPARAM variable
- Fix available in SecurityAlert-CVE-2008-5304, fixed in TWiki 4.2.4
- Security Alert: Arbitrary Code Execution in Configure Script
- Fix available in SecurityAlert-CVE-2008-3195, fixed in TWiki 4.2.3
- See other KnownIssuesOfTWiki04x02
Security Alerts of TWiki 4.1.x Production Releases
- Security Alert: Cross-site request forgery vulnerability with image tag
- Fix available in SecurityAlert-CVE-2009-1339, fixed in TWiki 4.3.1
- Security Alert: TWiki SEARCH variable allows arbitrary shell command execution
- Fix available in SecurityAlert-CVE-2008-5305, fixed in TWiki 4.2.4
- Security Alert: Cross-site scripting vulnerability with TWiki URLPARAM variable
- Fix available in SecurityAlert-CVE-2008-5304, fixed in TWiki 4.2.4
- Security Alert: Arbitrary Code Execution in Configure Script
- Fix available in SecurityAlert-CVE-2008-3195, fixed in TWiki 4.2.3
- Security Audit: Incorrect documentation of permission settings with empty values
- Suggestion available in SecurityAuditEmptyPermissions
- Security Alert: Arbitrary code execution in session files (CVE-2007-0669)
- Fix available in SecurityAlert-CVE-2007-0669, fixed in TWiki 4.1.1
- See other KnownIssuesOfTWiki04x01
Security Alerts of TWiki 4.0.x Production Releases
- Security Alert: Cross-site request forgery vulnerability with image tag
- Fix available in SecurityAlert-CVE-2009-1339, fixed in TWiki 4.3.1
- Security Alert: TWiki SEARCH variable allows arbitrary shell command execution
- Fix available in SecurityAlert-CVE-2008-5305, fixed in TWiki 4.2.4
- Security Alert: Cross-site scripting vulnerability with TWiki URLPARAM variable
- Fix available in SecurityAlert-CVE-2008-5304, fixed in TWiki 4.2.4
- Security Alert: Arbitrary Code Execution in Configure Script
- Fix available in SecurityAlert-CVE-2008-3195, fixed in TWiki 4.2.3
- Security Audit: Incorrect documentation of permission settings with empty values
- Suggestion available in SecurityAuditEmptyPermissions
- Security Alert: Arbitrary code execution in session files (CVE-2007-0669)
- Fix available in SecurityAlert-CVE-2007-0669, fixed in TWiki 4.1.1
- Security Alert: Login bypass allows view of access restricted content, on Apache 1.3 only (CVE-2006-6071)
- Fix available in SecurityAlert-CVE-2006-6071
- Security Alert: Viewfile script allows view of arbitrary files (CVE-2006-4294)
- Fix available in SecurityAlert-CVE-2006-4294, fixed in HotFix04x00x04x04 (actually fixed in hotfix 3 but it is buggy)
- Security Alert: Configure script allows arbitrary shell command execution (CVE-2006-3819)
- Fix available in SecurityAlertCmdExecWithConfigure, fixed in HotFix04x00x04x02
- Security Alert: Secure webserver to prevent script execution of uploaded files (CVE-2006-3336)
- Fix available in SecurityAlertSecureFileUploads, fixed in TWikiRelease04x00x04
- Security Alert: Privilege elevation with crafted registration form (CVE-2006-2942)
- Fix available in SecurityAlertTWiki4PrivilegeElevation, fixed in TWikiRelease04x00x03
- Security Alert: TWiki Rdiff and Preview Scripts Ignore Access Control Settings
- Fix available in SecurityAlertTWiki4RdiffPreviewAccess, fixed in TWikiRelease04x00x02
- Security Alert: TWiki INCLUDE function allows DoS attack on itself
- Fix available in SecurityAdvisoryDosAttackWithInclude, fixed in TWikiRelease04x00x02
- See other KnownIssuesOfTWiki04x00x00
Security Alerts of TWiki Production Release 01-Sep-2004 - 04-Sep-2004
- Security Alert: Cross-site request forgery vulnerability with image tag
- Fix available in SecurityAlert-CVE-2009-1339, fixed in TWiki 4.3.1
- Security Alert: SessionPlugin allows arbitrary code execution in session files (CVE-2007-0669)
- Fix available in SecurityAlert-CVE-2007-0669, fixed in TWiki 4.1.1
- Security Alert: Login bypass allows view of access restricted content, only with SessionPlugin on Apache 1.3 (CVE-2006-6071)
- Fix available in SecurityAlert-CVE-2006-6071
- Security Alert: Secure webserver to prevent script execution of uploaded files (CVE-2006-3336)
- Fix available in SecurityAlertSecureFileUploads, fixed in TWikiRelease04x00x04
- Security Alert: TWiki INCLUDE function allows DoS attack on itself
- Fix available in SecurityAdvisoryDosAttackWithInclude and in TWikiRelease04x00x02
- Security Alert: TWiki INCLUDE function allows arbitrary shell command execution
- Fix available in SecurityAlertExecuteCommandsWithInclude
- Patched production release TWikiRelease04Sep2004 available
- Security Alert: TWiki history function allows arbitrary shell command execution
- Fix available in SecurityAlertExecuteCommandsWithRev
- Patched production release TWikiRelease03Sep2004 available
- Security Alert: TWiki search function allows arbitrary shell command execution
- Fix available in SecurityAlertExecuteCommandsWithSearch
- Patched production release TWikiRelease02Sep2004 available
- Security Audit: Check TWiki Installation for Visible Lib Directories
- Suggestion available in SecurityAuditOnVisibleLibDir
- See other KnownIssuesOfTWiki01Sep2004
Security Alerts of TWiki Production Release 01-Feb-2003
- Security Alert: Cross-site request forgery vulnerability with image tag
- Fix available in SecurityAlert-CVE-2009-1339, fixed in TWiki 4.3.1
- Security Alert: Secure webserver to prevent script execution of uploaded files (CVE-2006-3336)
- Fix available in SecurityAlertSecureFileUploads, fixed in TWikiRelease04x00x04
- Security Alert: TWiki INCLUDE function allows DoS attack on itself
- Fix available in SecurityAdvisoryDosAttackWithInclude and in TWikiRelease04x00x02
- Security Alert: TWiki INCLUDE function allows arbitrary shell command execution
- Fix available in SecurityAlertExecuteCommandsWithInclude
- Security Alert: TWiki history function allows arbitrary shell command execution
- Fix available in SecurityAlertExecuteCommandsWithRev
- Security Alert: TWiki search function allows arbitrary shell command execution
- Fix available in SecurityAlertExecuteCommandsWithSearch
- Security alert: A registered TWiki user may gain admin rights by manipulating the TWikiUsers topic.
- Fix available in SecurityAlertGainAdminRightWithTWikiUsersMapping
- Security alert: Meta characters can be passed through to the shell when attaching files, potentially allowing the execution of arbitrary shell commands
- Fix available in NoShellCharacterEscapingInFileAttachComment
- Security alert: User could gain view access rights of another user
- Fix available in InsecureViewWithFailedAuthentication
- Security audit: TWiki Preferences need to be secured properly
- Instructions available in SecureTWikiPreferences
- See other KnownIssuesOfTWiki01Feb2003
Security Alerts of TWiki Production Release 01 Dec 2001
- Security Alert: Secure webserver to prevent script execution of uploaded files (CVE-2006-3336)
- Fix available in SecurityAlertSecureFileUploads, fixed in TWikiRelease04x00x04
- Security Alert: TWiki INCLUDE function allows DoS attack on itself
- Fix available in SecurityAdvisoryDosAttackWithInclude and in TWikiRelease04x00x02
- Security Alert: TWiki history function allows arbitrary shell command execution
- Fix available in SecurityAlertExecuteCommandsWithRev
- Security Alert: TWiki search function allows arbitrary shell command execution
- Fix available in SecurityAlertExecuteCommandsWithSearch
- See other KnownIssuesOfTWiki01Dec2001
Security Alerts of TWiki Production Release 01 Sep 2001
- Security Alert: Secure webserver to prevent script execution of uploaded files (CVE-2006-3336)
- Fix available in SecurityAlertSecureFileUploads, fixed in TWikiRelease04x00x04
- Security Alert: TWiki INCLUDE function allows DoS attack on itself
- Fix available in SecurityAdvisoryDosAttackWithInclude and in TWikiRelease04x00x02
- Security Alert: TWiki history function allows arbitrary shell command execution
- Fix available in SecurityAlertExecuteCommandsWithRev
- Security Alert: TWiki search function allows arbitrary shell command execution
- Fix available in SecurityAlertExecuteCommandsWithSearch
- See other KnownIssuesOfTWiki01Sep2001
Security Alerts of TWiki Production Release 01 Dec 2000
- Security Alert: Secure webserver to prevent script execution of uploaded files (CVE-2006-3336)
- Fix available in SecurityAlertSecureFileUploads, fixed in TWikiRelease04x00x04
- Security Alert: TWiki history function allows arbitrary shell command execution
- Fix available in SecurityAlertExecuteCommandsWithRev
- Security Alert: TWiki search function allows arbitrary shell command execution
- Fix available in SecurityAlertExecuteCommandsWithSearch
- FileAttachmentFilterSecurityAlert:
- Files with a
.phpextension attached to a TWiki topic can be executed. This security alert describes how to protect your TWiki installation.
- Files with a
- See other KnownIssuesOfTWiki01Dec2000
Security Alerts of TWiki Production Release 01 May 2000
- Security Alert: TWiki search function allows arbitrary shell command execution
- Fix available in SecurityAlertExecuteCommandsWithSearch
- MajorSecurityProblemWithIncludeFileProcessing:
- It is possible to show the content of system files (i.e. password files) with the
%INCLUDE{"...."}%variable or the template files. The fix prevents this.
- It is possible to show the content of system files (i.e. password files) with the
- See other KnownIssuesOfTWiki01May2000
TWiki Security Alert Process
See TWikiSecurityAlertProcess and SecurityTeam. -- PeterThoeny - 07 Nov 2004Discussions
|
|||
Topic revision: r10 - 2007-02-25 - 18:31:35 - PeterThoeny
-
Codev Web
-
Readme first
-
Developers News
-
Changes
-
Major Only
- All Webs
-
RSS Feed
-
Search
- Advanced
-
Topics of interest
-
Categories
-
All tags / My tags
Create New Topic
Helsinki
TWiki 4.3.1- TWiki community
- TWiki marketing
- TWiki advocacy
- TWiki deployment
- Dev questions
- TWiki competition
- Usability
- Security
- Community
- How you can help
- Community roles
-
Answer Support questions
- Community
- #twiki (IRC)
- — logs
- Meet others
- Webs
-
Blog
- Codev
- Main
- Plugins
- Sandbox
- Support
- TWiki
- TWiki01
- TWiki02
- TWiki03
- TWiki04
- TWiki04x01
- TWiki04x02
- TWiki04x03
Ideas, requests, problems regarding TWiki? Send feedback
Copyright © 1999-2009 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.