Olivier Berger
2008-Jun-10 07:24 UTC
[Secure-testing-team] Bug#485562: twiki: configure script access badly protected
Package: twiki
Version: 1:4.1.2-3.1
Severity: grave
Tags: security
Justification: user security hole

In the current state of the Debian package, if nothing is changed manually in the default setup configured by the package, then TWiki's configure script is easily accessible to unauthorized people, thus exposing (incl. changing it) the configuration of TWiki. For instance, it would be possible to change settings which may compromise the wiki's functioning (including commands executed as www-data).

Full details have already been notified (by me) to the maintainer and the security team through direct emails. A proposed patch to address this issue was also provided through direct emails. Unfortunately, the maintainer seems too busy to be able to acknowledge all that at the moment. So I'm filing this ticket so that appropriate measures can be taken regarding the possible inclusion of such a security risk in the coming stable release.

Hope this helps,
Best regards.

-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.24-openvz-24-004.1d1-686 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages twiki depends on:
ii apache2.2-common 2.2.8-4 Next generation, scalable, extenda
ii debconf [debconf-2.0] 1.5.22 Debian configuration management sy
pn libalgorithm-diff-perl <none> (no description available)
ii libcgi-session-perl 4.30-1 Persistent session data in CGI app
ii libdigest-sha1-perl 2.11-2+b1 NIST SHA-1 message digest algorith
ii liberror-perl 0.17-1 Perl module for error/exception ha
ii libhtml-parser-perl 3.56-1+b1 A collection of modules that parse
pn liblocale-maketext-lexicon <none> (no description available)
pn libtext-diff-perl <none> (no description available)
ii liburi-perl 1.35.dfsg.1-1 Manipulates and accesses URI strin
ii perl [libmime-base64-perl] 5.10.0-10 Larry Wall's Practical Extraction
ii perl-modules [libnet-perl] 5.10.0-10 Core Perl modules
ii rcs 5.7-23 The GNU Revision Control System

twiki recommends no packages.
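The report above does not reproduce the patch that was sent to the maintainer, so the following is an added illustration (not the reporter's patch, nor the Debian package's shipped configuration) of the kind of Apache httpd 2.2 restriction that keeps a TWiki configure script from being reachable anonymously. The URL path /twiki/bin/configure and the htpasswd file location are assumptions; the point is that the web server, not the CGI script, enforces authentication before the script runs as www-data.

```apache
# Added example, not from the bug report or the twiki package.
# Assumed path: the configure script is served under /twiki/bin/configure.
# Everything under bin/ is a CGI endpoint; configure gets an extra gate.

# Weak default being reported: configure treated like any other CGI,
# i.e. no authentication block at all (shown commented out for contrast).
#<Location /twiki/bin/configure>
#    Options +ExecCGI
#</Location>

# Hardened form: require HTTP Basic auth for the configure script only.
# The password file lives outside the document root so it is never served.
<Location /twiki/bin/configure>
    Options +ExecCGI
    AuthType Basic
    AuthName "TWiki configuration (admins only)"
    AuthUserFile /etc/twiki/configure.htpasswd   # assumed location
    Require valid-user
    # Optionally also pin access to the administrator's network; both the
    # address restriction and the login must be satisfied.
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    Satisfy all
</Location>
```

A quick defender-side check after deploying such a block is to request the configure URL from an unauthenticated client and confirm the server answers 401 (or 403 from the address restriction) rather than rendering the configuration page.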