TWiki rdiff and preview restricted content access
| twiki-restricted-content-access (25444) |  Medium Risk |
Description:
TWiki could allow a remote attacker to gain access to restricted content. The rdiff and preview scripts fail to enforce access control restrictions. A remote attacker could use these scripts to gain unauthorized access to restricted TWiki content.
Consequences:
Obtain Information
Remedy:
Apply the hotfix for this vulnerability or upgrade to the latest version of TWiki (4.0.2 or later), available from the TWiki Web site. See References.
References:
- TWiki Web site: Security Alert: TWiki Rdiff and Preview Scripts Ignore Access Control Settings (CVE-2006-1386).
- BID-17268: TWiki Remote Information Disclosure Vulnerability
- CVE-2006-1386: The (1) rdiff and (2) preview scripts in TWiki 4.0 and 4.0.1 ignore access control settings, which allows remote attackers to read restricted areas and access restricted content in TWiki topics.
- SA19410: TWiki Restricted Content Access and Denial of Service
- SECTRACK ID: 1015843: TWiki Access Control Bugs in rdiff and preview May Let Remote Users Access Restricted Content
- VUPEN/ADV-2006-1116: TWiki Remote Denial of Service and Content Restriction Bypass Vulnerabilities
Platforms Affected:
- TWiki TWiki 4.0.0
- TWiki TWiki 4.0.1
Reported:
Mar 25, 2006
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net