TWiki vulnerable to malicious attacks
The wiki application TWiki can be coerced by attackers into executing arbitrary commands. An advisory issued by US-CERT says that all versions up to and including version 4.2.2 are vulnerable. The problem centres on the twiki/bin/configure script.
If the person installing TWiki has not secured this configuration script, as detailed in step 8 of the TWiki installation guide, attackers can reach and exploit it, because TWiki also fails to validate certain URLs passed to it. TWiki's developers have fixed the issue and released version 4.2.3 as a recommended security update.
According to US-CERT, exploit code for the flaw is already circulating publicly on the internet, so TWiki administrators should move to the new version immediately. If, for administrative reasons, this cannot be done, the developers also offer a fixed version of the configure script as provisional protection.
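Step 8 of the installation guide tells the installer to restrict who may call configure. What follows is an added example of what that restriction looks like under Apache httpd 2.2, with the weak setting and the corrected one side by side; it is neither the guide's own text nor the developers' fixed script, and the directory path, password file, user name and network range are assumptions for illustration.

```apache
# Added example, not from the TWiki installation guide or the US-CERT advisory.
# Assumes TWiki's CGI scripts live in /var/www/twiki/bin and are served by
# Apache httpd 2.2 under /twiki/bin; the path, the password file, the admin
# user name and the network range are assumptions for illustration.

# Weak: every script in bin/, configure included, is reachable by anyone.
<Directory "/var/www/twiki/bin">
    AllowOverride None
    Options ExecCGI FollowSymLinks
    SetHandler cgi-script
    Order allow,deny
    Allow from all
</Directory>

# Hardened: same directory, but configure (and any configure.* variant)
# requires a named administrator over HTTP authentication and is also
# limited to the administrators' network. Satisfy All makes both
# conditions mandatory rather than either one.
<Directory "/var/www/twiki/bin">
    AllowOverride None
    Options ExecCGI FollowSymLinks
    SetHandler cgi-script
    Order allow,deny
    Allow from all

    <FilesMatch "^configure.*">
        AuthType Basic
        AuthName "TWiki configure"
        AuthUserFile /var/www/twiki/data/.htpasswd
        Require user twikiadmin
        Order deny,allow
        Deny from all
        Allow from 192.0.2.0/24
        Satisfy All
    </FilesMatch>
</Directory>
```

After reloading Apache, an anonymous request such as `curl -s -o /dev/null -w '%{http_code}\n' http://wiki.example.org/twiki/bin/configure` (hostname assumed) should return 401 or 403 rather than 200. Restricting access in this way only limits who can reach the script; the missing URL validation itself is fixed by upgrading to 4.2.3 or installing the developers' corrected configure script, so the two measures belong together.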
See also:
- TWiki command execution vulnerability, US-CERT advisory
(djwm)