TWiki INCLUDE edit denial of service

twiki-include-edit-dos (25445) The risk level is classified as LowLow Risk

Description:

TWiki could allow a remote attacker with edit rights to cause a denial of service, caused by a vulnerability in the INCLUDE function. A remote attacker could exploit this vulnerability by adding a recursive INCLUDE directive when editing a wiki page to cause the consumption of all available memory resources on the server, resulting in a denial of service.

Platforms Affected:

  • TWiki, TWiki 20010901
  • TWiki, TWiki 20011201
  • TWiki, TWiki 20030201
  • TWiki, TWiki 20040901
  • TWiki, TWiki 20040902
  • TWiki, TWiki 20040903
  • TWiki, TWiki 20040904
  • TWiki, TWiki 4.0.0
  • TWiki, TWiki 4.0.1

Remedy:

Apply the hotfix for this vulnerability or upgrade to the latest version of TWiki (4.0.2 or later), available from the TWiki Web site. See References.

Consequences:

Denial of Service

References:

  • TWiki Web site, Security Alert: TWiki INCLUDE function allows DoS Attack on Itself (CVE-2006-1387) at http://twiki.org/cgi-bin/view/Codev/SecurityAdvisoryDosAttackWithInclude.
  • BID-17267: TWiki Remote Denial Of Service Vulnerability
  • CVE-2006-1387: TWiki 4.0, 4.0.1, and 20010901 through 20040904 allows remote authenticated users with edit rights to cause a denial of service (infinite recursion leading to CPU and memory consumption) via INCLUDE by URL statements that form a loop, such as a page that includes itself.
  • SA19410: TWiki Restricted Content Access and Denial of Service
  • VUPEN/ADV-2006-1116: TWiki Remote Denial of Service and Content Restriction Bypass Vulnerabilities

Reported:

Mar 25, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page