Date: Wed, 23 Feb 2005 18:27:41 +0100
From: Florian Weimer <fw@...eb.enyo.de>
To: security-announce@...ts.enyo.de, full-disclosure@...ts.netsys.com,
        bugtraq@...urityfocus.com, vulnwatch@...nwatch.org,
        twiki-dev@...ts.sourceforge.net
Subject: Robustness patch for TWiki, vulnerability in ImageGalleryPlugin


* TWiki robustness patch

After CAN-2004-1037 was discovered in November 2004, I wrote a patch
which systematically replaces unsafe subprocess invocation constructs
in the TWiki source code.  This patch was published, submitted to the
TWiki developers, and they ported it into the DEVELOP branch:

  <http://www.enyo.de/fw/security/notes/twiki-robustness.html>

(A TWiki release which incorporates the changes from the DEVELOP
branch is still pending.)

The TWiki robustness patch should fix all shell command injection
vulnerabilities, once and for all.  It also attempts to prevent
directory traversal attacks, but I'm less confident that I have
plugged all potential holes.  (However, I'm not aware of any directory
traversal vulnerabilities in TWiki, with or without this patch.)

Due to certain circumstances which I'm not at liberty to disclose at
this point, it is STRONGLY RECOMMENDED to apply the patch to any TWiki
installation which is accessible from untrusted networks.  The patch
needs some changes to TWiki.cfg; please read the web page mentioned
above and the enclosed README file carefully.

* ImageGalleryPlugin security issue

ImageGalleryPlugin does not properly guard its configuration options
against unauthorized changes, in particular parts of the ImageMagick
commands used to generate thumbnails.  As a result, it's possible for
anyone who is able to create or edit topics with image galleries to
execute arbitrary shell commands on the web server hosting the
affected TWiki installation.

A patch for this issue is available from the same URL as above:

  <http://www.enyo.de/fw/security/notes/twiki-robustness.html>

The patch depends on the TWiki robustness patch.  Some configuration
changes are required (as explained on the web page).

Vulnerability timeline (for the ImageGalleryPlugin issue):

  2004-11-27 bug discovered and disclosed to the TWiki core developers
  2004-11-29 sent patch to the TWiki core developers
  2004-11-30 sent bug notice and patch to the plugin author
  2004-12-26 sent reminder (and patch) to the TWiki security team
  2005-02-17 sent second reminder, pending disclosure (no reply)
  2005-02-23 uncoordinated public disclosure
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
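The message above names the bug class twice without showing it: the robustness patch replaces "unsafe subprocess invocation constructs" (a single interpolated command string handed to /bin/sh), and the ImageGalleryPlugin issue is exactly that construct fed from topic-editable settings that end up inside an ImageMagick command line. The Perl below is an added example by the editor, not code from TWiki, the plugin, or the patch. It uses /bin/echo as a stand-in for ImageMagick's convert so it runs on any Unix without side effects; the geometry setting and the injected value are constructed, and `thumb_unsafe`, `thumb_safe` and `valid_geometry` are hypothetical names.

```perl
#!/usr/bin/perl
# Added example, not TWiki or ImageGalleryPlugin code: the shell-string
# subprocess invocation the robustness patch removes, beside the list-form
# invocation that never involves /bin/sh.  /bin/echo stands in for convert.
use strict;
use warnings;

# Constructed attacker-controlled value for a hypothetical per-topic
# thumbnail geometry setting.  The payload only echoes a marker; with
# /bin/sh in the loop it could run any command the web server user can.
my $geometry = '100x100; echo INJECTED';

# Unsafe: backticks (like system("...") or open("... |")) pass one string
# to /bin/sh, which honours ';', '|', '`' and friends inside the value.
sub thumb_unsafe {
    my ($geom) = @_;
    my $out = `/bin/echo -geometry $geom`;
    return $out;
}

# Safe: the argv-list form execs the program directly; no shell parses
# the value, so metacharacters are plain bytes in a single argument.
sub thumb_safe {
    my ($geom) = @_;
    open(my $fh, '-|', '/bin/echo', '-geometry', $geom)
        or die "cannot run /bin/echo: $!";
    local $/;                  # slurp the whole output
    my $out = <$fh>;
    close $fh;
    return $out;
}

# List form stops the shell but does not validate the argument itself;
# values that reach a command line still want an allow-list.
sub valid_geometry {
    my ($geom) = @_;
    return $geom =~ /\A\d{1,5}x\d{1,5}\z/ ? 1 : 0;
}

print "unsafe: ", thumb_unsafe($geometry);
print "safe:   ", thumb_safe($geometry);
print "valid?  ", valid_geometry($geometry), "\n";
```

Run as-is: the unsafe form prints the marker on its own line because /bin/sh split the value at ';' and executed the second command, while the safe form prints the whole value, semicolon and all, as one echoed argument. The allow-list matters even with the list form: ImageMagick interprets arguments such as an explicit `format:path` prefix itself, so a value that is merely shell-inert is not yet a safe convert argument.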