In association with heise online

15 September 2008, 14:16

TWiki vulnerable to malicious attacks


The wiki application TWiki can be coerced by attackers into executing arbitrary commands. An advisory issued by US-CERT says that all versions up to and including version 4.2.2 are vulnerable. The problem centres around the twiki/bin/configure script.

If this configuration script for TWiki has not been secured by the person installing TWiki, as detailed in step 8 of the TWiki installation guide, then attackers can execute and exploit the script because TWiki also fails to validate certain URLs. TWiki's developers have fixed the issue and released version 4.2.3 as a recommended security update.

According to US-CERT, publicly available exploit code for the flaw is already circulating on the internet, so TWiki administrators should immediately move to the new version. If, for administrative reasons, this cannot be done, the developers also offer a fixed version of the configure script which offers provisional protection.
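For administrators who want to check whether their configure script has been reachable from outside, the following added example (not code from TWiki or US-CERT) scans web server access log lines for requests to twiki/bin/configure from clients outside an administrator allow-list. The Apache combined log format, the function name, the allow-list network and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Apache combined-log prefix: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
# The script named in the advisory, with or without path info or a query.
CONFIGURE_RE = re.compile(r'/bin/configure(?:[?/]|$)')

def audit_configure_access(lines, admin_networks):
    """Return (ip, timestamp, status, verdict) for non-admin configure hits."""
    allowed = [ipaddress.ip_network(n) for n in admin_networks]
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not CONFIGURE_RE.search(m["target"]):
            continue
        try:
            client = ipaddress.ip_address(m["ip"])
            trusted = any(client in net for net in allowed)
        except ValueError:
            trusted = False  # hostname in the log: cannot match the allow-list
        if trusted:
            continue
        status = int(m["status"])
        # Below 400: the script was served to an outside client.
        # 400 and above: the request was refused or failed.
        verdict = "SERVED" if status < 400 else "NOT_SERVED"
        findings.append((m["ip"], m["ts"], status, verdict))
    return findings

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - admin [15/Sep/2008:09:01:12 +0200] "GET /twiki/bin/configure HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.7 - - [15/Sep/2008:10:14:03 +0200] "GET /twiki/bin/configure?x=1 HTTP/1.1" 200 734 "-" "-"',
    '203.0.113.44 - - [15/Sep/2008:10:20:41 +0200] "GET /twiki/bin/configure HTTP/1.1" 403 199 "-" "-"',
    '198.51.100.7 - - [15/Sep/2008:10:21:00 +0200] "GET /twiki/bin/view/Main/WebHome HTTP/1.1" 200 9001 "-" "-"',
]
ADMIN_NETWORKS = ["192.0.2.0/24"]  # assumption: where administrators connect from

if __name__ == "__main__":
    for finding in audit_configure_access(SAMPLE_LOG, ADMIN_NETWORKS):
        print(*finding)
```

A SERVED finding means the script answered a client outside the allow-list, which indicates the access restriction from the installation guide is not in place.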
