TWiki Security Alerts
Get Involved!
TWiki is an open source project with 10+ years of history, built by a team of volunteers from around the world, and used by millions of people in over 100 countries. The community is focusing on building the best collaboration platform for the workplace. We invite you to get involved!
Please join the twiki-announce list: To get immediate alerts of high priority security issues, please join the low-volume twiki-announce list - details at TWikiAnnounceMailingList.
These are security alerts compiled from the KnownIssuesOfTWiki topics:
Security Alerts of TWiki 6.1.x Production Releases
Security Alerts of TWiki 6.0.x Production Releases
- Security Alert L3: XSS Vulnerability with TWiki user registration
- Security Alert L3: XSS Vulnerability with QUERYSTRING and QUERYPARAMSTRING Variables
- Security Alert L3: XSS Vulnerability with Scope and Other URL Parameters of WebSearch
- Security Alert L1: Remote Perl code execution with query string to debug TWiki plugins
- Security Alert L1: Apache configuration file upload on TWiki on Windows server
- See other KnownIssuesOfTWiki06x00
Security Alerts of TWiki 5.1.x Production Releases
- Security Alert L1: Remote Perl code execution with query string to debug TWiki plugins
- Security Alert L1: Apache configuration file upload on TWiki on Windows server
- Security Alert L1: MAKETEXT variable allows arbitrary shell command execution
- See other KnownIssuesOfTWiki05x01
Security Alerts of TWiki 5.0.x Production Releases
- Security Alert L1: Remote Perl code execution with query string to debug TWiki plugins
- Security Alert L1: Apache configuration file upload on TWiki on Windows server
- Security Alert L1: MAKETEXT variable allows arbitrary shell command execution
- Security Alert L3: XSS Vulnerability with topic create and slideshows
- Security Alert L3: XSS Vulnerability with origurl parameter of login script
- Security Alert L3: XSS Vulnerability with rev parameter & login script
- See other KnownIssuesOfTWiki05x00
Security Alerts of TWiki 4.3.x Production Releases
- Security Alert L1: Remote Perl code execution with query string to debug TWiki plugins
- Security Alert L1: Apache configuration file upload on TWiki on Windows server
- Security Alert L1: MAKETEXT variable allows arbitrary shell command execution
- Security Alert L3: XSS Vulnerability with topic create and slideshows
- Security Alert L3: XSS Vulnerability with origurl parameter of login script
- Security Alert L3: XSS Vulnerability with rev parameter & login script
- Security Audit L3: Crypt token based fix for cross-site request forgery vulnerability
- Security Alert L2: Cross-site request forgery vulnerability with image tag
- See other KnownIssuesOfTWiki04x03
Security Alerts of TWiki 4.2.x Production Releases
- Security Alert L1: Remote Perl code execution with query string to debug TWiki plugins
- Security Alert L1: Apache configuration file upload on TWiki on Windows server
- Security Alert L1: MAKETEXT variable allows arbitrary shell command execution
- Security Alert L3: XSS Vulnerability with topic create and slideshows
- Security Alert L3: XSS Vulnerability with origurl parameter of login script
- Security Alert L3: XSS Vulnerability with rev parameter & login script
- Security Audit L3: Crypt token based fix for cross-site request forgery vulnerability
- Security Alert L2: Cross-site request forgery vulnerability with image tag
- Security Alert L1: TWiki SEARCH variable allows arbitrary shell command execution
- Security Alert L3: Cross-site scripting vulnerability with TWiki URLPARAM variable
- Security Alert L1: Arbitrary Code Execution in Configure Script
- See other KnownIssuesOfTWiki04x02
Security Alerts of TWiki 4.1.x Production Releases
- Security Alert L1: Remote Perl code execution with query string to debug TWiki plugins
- Security Alert L1: Apache configuration file upload on TWiki on Windows server
- Security Alert L1: MAKETEXT variable allows arbitrary shell command execution
- Security Alert L3: XSS Vulnerability with topic create and slideshows
- Security Alert L3: XSS Vulnerability with origurl parameter of login script
- Security Alert L3: XSS Vulnerability with rev parameter & login script
- Security Audit L3: Crypt token based fix for cross-site request forgery vulnerability
- Security Alert L2: Cross-site request forgery vulnerability with image tag
- Security Alert L1: TWiki SEARCH variable allows arbitrary shell command execution
- Security Alert L3: Cross-site scripting vulnerability with TWiki URLPARAM variable
- Security Alert L1: Arbitrary Code Execution in Configure Script
- Security Audit L3: Incorrect documentation of permission settings with empty values
- Security Alert L2: Arbitrary code execution in session files (CVE-2007-0669)
- See other KnownIssuesOfTWiki04x01
Security Alerts of TWiki 4.0.x Production Releases
- Security Alert L1: Remote Perl code execution with query string to debug TWiki plugins
- Security Alert L1: Apache configuration file upload on TWiki on Windows server
- Security Alert L1: MAKETEXT variable allows arbitrary shell command execution
- Security Alert L3: XSS Vulnerability with topic create and slideshows
- Security Alert L3: XSS Vulnerability with origurl parameter of login script
- Security Alert L3: XSS Vulnerability with rev parameter & login script
- Security Audit L3: Crypt token based fix for cross-site request forgery vulnerability
- Security Alert L2: Cross-site request forgery vulnerability with image tag
- Security Alert L1: TWiki SEARCH variable allows arbitrary shell command execution
- Security Alert L3: Cross-site scripting vulnerability with TWiki URLPARAM variable
- Security Alert L1: Arbitrary Code Execution in Configure Script
- Security Audit L3: Incorrect documentation of permission settings with empty values
- Security Alert L2: Arbitrary code execution in session files (CVE-2007-0669)
- Security Alert L3: Login bypass allows view of access restricted content, on Apache 1.3 only (CVE-2006-6071)
- Security Alert L1: Viewfile script allows view of arbitrary files (CVE-2006-4294)
- Security Alert L1: Configure script allows arbitrary shell command execution (CVE-2006-3819)
- Security Alert L1: Secure webserver to prevent script execution of uploaded files (CVE-2006-3336)
- Security Alert L2: Privilege elevation with crafted registration form (CVE-2006-2942)
- Security Alert L2: TWiki Rdiff and Preview Scripts Ignore Access Control Settings
- Security Alert L2: TWiki INCLUDE function allows DoS attack on itself
- See other KnownIssuesOfTWiki04x00x00
Security Alerts of TWiki Production Release 01-Sep-2004 - 04-Sep-2004
- Security Audit: Crypt token based fix for cross-site request forgery vulnerability
- Security Alert: Cross-site request forgery vulnerability with image tag
- Security Alert: SessionPlugin allows arbitrary code execution in session files (CVE-2007-0669)
- Security Alert: Login bypass allows view of access restricted content, only with SessionPlugin on Apache 1.3 (CVE-2006-6071)
- Security Alert: Secure webserver to prevent script execution of uploaded files (CVE-2006-3336)
- Security Alert: TWiki INCLUDE function allows DoS attack on itself
- Security Alert: TWiki INCLUDE function allows arbitrary shell command execution
- Security Alert: TWiki history function allows arbitrary shell command execution
- Security Alert: TWiki search function allows arbitrary shell command execution
- Security Audit: Check TWiki Installation for Visible Lib Directories
- See other KnownIssuesOfTWiki01Sep2004
Security Alerts of TWiki Production Release 01-Feb-2003
- Security Audit: Crypt token based fix for cross-site request forgery vulnerability
- Security Alert: Cross-site request forgery vulnerability with image tag
- Security Alert: Secure webserver to prevent script execution of uploaded files (CVE-2006-3336)
- Security Alert: TWiki INCLUDE function allows DoS attack on itself
- Security Alert: TWiki INCLUDE function allows arbitrary shell command execution
- Security Alert: TWiki history function allows arbitrary shell command execution
- Security Alert: TWiki search function allows arbitrary shell command execution
- Security alert: A registered TWiki user may gain admin rights by manipulating the TWikiUsers topic.
- Security alert: Meta characters can be passed through to the shell when attaching files, potentially allowing the execution of arbitrary shell commands
- Security alert: User could gain view access rights of another user
- Security audit: TWiki Preferences need to be secured properly
- See other KnownIssuesOfTWiki01Feb2003
Security Alerts of TWiki Production Release 01 Dec 2001
- Security Alert: Secure webserver to prevent script execution of uploaded files (CVE-2006-3336)
- Security Alert: TWiki INCLUDE function allows DoS attack on itself
- Security Alert: TWiki history function allows arbitrary shell command execution
- Security Alert: TWiki search function allows arbitrary shell command execution
- See other KnownIssuesOfTWiki01Dec2001
Security Alerts of TWiki Production Release 01 Sep 2001
- Security Alert: Secure webserver to prevent script execution of uploaded files (CVE-2006-3336)
- Security Alert: TWiki INCLUDE function allows DoS attack on itself
- Security Alert: TWiki history function allows arbitrary shell command execution
- Security Alert: TWiki search function allows arbitrary shell command execution
- See other KnownIssuesOfTWiki01Sep2001
Security Alerts of TWiki Production Release 01 Dec 2000
- Security Alert: Secure webserver to prevent script execution of uploaded files (CVE-2006-3336)
- Security Alert: TWiki history function allows arbitrary shell command execution
- Security Alert: TWiki search function allows arbitrary shell command execution
- Security Alert: Files with a .php extension attached to a TWiki topic can be executed
- See other KnownIssuesOfTWiki01Dec2000
Security Alerts of TWiki Production Release 01 May 2000
- Security Alert: TWiki search function allows arbitrary shell command execution
- Security Alert: It is possible to show the content of system files (i.e. password files) with the %INCLUDE{"...."}% variable or the template files
- See other KnownIssuesOfTWiki01May2000
TWiki Security Alert Process
See TWikiSecurityAlertProcess and SecurityTeam.
--
PeterThoeny - 07 Nov 2004
Discussions
NOTE: Please put any general security questions in the Support web, as support questions. New security holes found should follow the TWikiSecurityAlertProcess, rather than being discussed on TWiki.org first.