Vulnerability Note VU#584436
TWiki vulnerable to arbitrary code execution via CGI session files
TWiki fails to protect the CGI session directory, which may allow an attacker to execute arbitrary code with the privileges of the web server.
TWiki is a web-based collaborative publishing environment. TWiki creates CGI session files in the global /tmp directory, which is generally world-readable and world-writable. By creating CGI session files in this directory, an attacker may be able to execute arbitrary code.
An attacker with the ability to create files in the CGI session directory (usually /tmp) may be able to execute arbitrary code with the privileges of the web server.
Apply an update
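A defender-side check for the condition this note describes, as an added example that is not part of the original advisory or of TWiki's code: it audits a session directory for write access by other users and for session files that are foreign-owned, over-permissive, or not regular files. The `cgisess_` file prefix, the function names, and the sample directories are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

def audit_session_dir(path, expected_uid, prefix="cgisess_"):
    """Return (path, problem) findings for a CGI session directory.

    prefix is an assumption: the file-name prefix used for session files.
    """
    findings = []
    st = os.stat(path)
    if st.st_uid != expected_uid:
        findings.append((path, "directory not owned by web server user"))
    # The sticky bit on /tmp (mode 1777) stops deletion by others, not creation,
    # so any group/other write bit counts as a finding.
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append((path, "directory writable by group or others"))
    for name in sorted(os.listdir(path)):
        if not name.startswith(prefix):
            continue
        full = os.path.join(path, name)
        fst = os.lstat(full)  # lstat: do not follow a planted symlink
        if not stat.S_ISREG(fst.st_mode):
            findings.append((full, "session entry is not a regular file"))
            continue
        if fst.st_uid != expected_uid:
            findings.append((full, "session file owned by another user"))
        if fst.st_mode & 0o077:
            findings.append((full, "session file accessible by group or others"))
    return findings

def build_sample(dir_mode, file_mode):
    """Constructed sample: a temp directory holding one session file."""
    d = tempfile.mkdtemp()
    f = os.path.join(d, "cgisess_constructed")
    with open(f, "w") as fh:
        fh.write("constructed sample, not real session data\n")
    os.chmod(f, file_mode)
    os.chmod(d, dir_mode)
    return d

if __name__ == "__main__":
    me = os.geteuid()
    for label, d in (("private", build_sample(0o700, 0o600)),
                     ("/tmp-like", build_sample(0o1777, 0o644))):
        print(label, [msg for _, msg in audit_session_dir(d, me)])
```

Run it against the configured session directory with the web server's uid as `expected_uid`; an empty list means none of the checked conditions were found.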
Systems Affected

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| TWiki | Affected | - | 08 Feb 2007 |
Thanks to Peter Thoeny for reporting this vulnerability.
This document was written by Will Dormann.
- CVE IDs: CVE-2007-0669
- Date Public: 08 Feb 2007
- Date First Published: 08 Feb 2007
- Date Last Updated: 14 Feb 2007
- Severity Metric: 5.91
- Document Revision: 7