[Secure-testing-team] Bug#485562: twiki: configure script access badly protected
Olivier Berger
olivier.berger at it-sudparis.eu
Tue Jun 10 07:24:38 UTC 2008
Package: twiki
Version: 1:4.1.2-3.1
Severity: grave
Tags: security
Justification: user security hole
In the current state of the Debian package, if nothing is changed manually in the default setup configured by the package, then TWiki's configure script is easily accessible to unauthorized people, thus exposing (including changing it) the configuration of TWiki. For instance, it would be possible to change settings which may compromise the wiki's functioning (including commands executed as www-data).
Full details have already been notified (by me) to the maintainer and the security team through direct emails.
A proposed patch to address this issue was also provided through direct emails.
Unfortunately, the maintainer seems too busy to be able to acknowledge all that at the moment.
So I'm filing this ticket so that appropriate measures can be taken regarding the possible inclusion of such a security risk in the coming stable release.
Hope this helps,
Best regards.
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.24-openvz-24-004.1d1-686 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages twiki depends on:
ii apache2.2-common 2.2.8-4 Next generation, scalable, extenda
ii debconf [debconf-2.0] 1.5.22 Debian configuration management sy
pn libalgorithm-diff-perl <none> (no description available)
ii libcgi-session-perl 4.30-1 Persistent session data in CGI app
ii libdigest-sha1-perl 2.11-2+b1 NIST SHA-1 message digest algorith
ii liberror-perl 0.17-1 Perl module for error/exception ha
ii libhtml-parser-perl 3.56-1+b1 A collection of modules that parse
pn liblocale-maketext-lexicon <none> (no description available)
pn libtext-diff-perl <none> (no description available)
ii liburi-perl 1.35.dfsg.1-1 Manipulates and accesses URI strin
ii perl [libmime-base64-perl] 5.10.0-10 Larry Wall's Practical Extraction
ii perl-modules [libnet-perl] 5.10.0-10 Core Perl modules
ii rcs 5.7-23 The GNU Revision Control System
twiki recommends no packages.
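One way to close the exposure described in the report, shown here as an added example that is neither the patch mentioned in the report nor the Debian package's own configuration: an Apache 2.2 stanza (matching the apache2.2-common version listed above) that keeps the other TWiki bin scripts working but refuses to execute configure unless the request comes from a listed address and carries valid admin credentials. The CGI directory, the htpasswd path and the admin user name are assumptions.

```apache
# Assumption: directory holding TWiki's bin scripts on this install.
<Directory "/usr/lib/cgi-bin/twiki">
    Options +ExecCGI
    AddHandler cgi-script .cgi .pl
    AllowOverride None
    Order Allow,Deny
    Allow from all

    # Weak setting (commented out): configure is handed to the CGI
    # handler like any other script, so anyone who can reach the vhost
    # can read and change the TWiki configuration.
    # <Files "configure">
    #     SetHandler cgi-script
    # </Files>

    # Corrected setting: the script is only executed when BOTH the
    # source address is on the allow list AND the caller authenticates
    # as the admin user (Satisfy All combines the two checks).
    <Files "configure">
        SetHandler cgi-script
        Order Deny,Allow
        Deny from all
        Allow from 127.0.0.1
        AuthType Basic
        AuthName "TWiki configure (administrators only)"
        # Assumption: htpasswd file created with htpasswd(1), outside the
        # web root and readable only by www-data.
        AuthUserFile /etc/twiki/configure.htpasswd
        # Assumption: name of the administrator account in that file.
        Require user twikiadmin
        Satisfy All
    </Files>
</Directory>
```

After reloading Apache, a request for configure from any other address or without credentials should be answered with 403 or 401 rather than the configuration page; an administrator can verify this from the console before re-enabling the script for routine use.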