Security hole in TWiki
The developers of TWiki, the open source wiki-based enterprise collaboration platform and knowledge management system, are once again reporting a security hole. It affects versions 4.0.x and 4.1.0, as well as earlier versions that use the SessionsPlugin extension. The hole can allow local users to inject code and execute it with the web server's privileges, which is especially serious on shared-hosting platforms, where other administrators on the same server can exploit it. Unsecured web applications run on the same server can likewise leave the TWiki installation vulnerable.
The flaw lies in the CGI session directory, to which all users unfortunately have write access. Disabling CGI sessions does not solve the problem, because the server still executes the session clean-up code. The developers recommend upgrading to version 4.1.1. As a hotfix, users can also set up a session directory with correctly restricted access rights.
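As an added example (not code from the TWiki project or the article), the following POSIX shell functions check a session directory for the world-writable condition described above and create a replacement directory restricted to a single account. The directory path and the web-server user name in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from TWiki: audit a CGI session directory for the
# "everyone may write" condition and build a private replacement.

# Exit status 0 if DIR is world-writable (the "other" write bit is set),
# 1 if it is not, 2 if DIR is not a directory at all.
session_dir_world_writable() {
    dir=$1
    [ -d "$dir" ] || return 2
    # Permission string from ls -ld, e.g. "drwxrwxrwt"; character 9 is
    # the write bit for "other". Parsing ls output keeps this portable
    # across GNU and BSD stat variants.
    perm=$(ls -ld "$dir" | cut -c1-10)
    case $perm in
        ????????w?) return 0 ;;
        *)          return 1 ;;
    esac
}

# Create DIR (if missing), hand it to OWNER and strip group/other access,
# so that only the web-server account can read or write session files.
# Exit status is non-zero if any step fails.
make_private_session_dir() {
    dir=$1
    owner=$2
    mkdir -p "$dir" && chown "$owner" "$dir" && chmod 700 "$dir"
}

# Usage (assumed path and user, adjust to your installation):
#   session_dir_world_writable /tmp && echo "session dir is shared"
#   make_private_session_dir /var/lib/twiki/sessions www-data
```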