The TWiki wiki software fails to validate input passed to certain URLs. By accessing a URL containing the TWiki configuration script, an attacker may be able to read arbitrary files.
TWiki is a wiki that is runs in the context of the Apache web server. TWiki is installed by configuring Apache, then accessing a configuration script from a web browser. Before executing the configuration script, the TWiki installation instructions provide a generator for Apache configuration directives that is designed to prevent unauthorized access to the script.
There is a command execution vulnerability in TWiki versions prior to 4.2.3. According to the TWiki download page, this issue can only be exploited if the configure script was not secured as described in step number 8 in the installation guide.
A remote attacker may be able to execute arbitrary commands or view arbitrary configuration files on a vulnerable system.
TWiki versions 4.2.0 and higher
Thanks to the TWiki team for information that was used in this report.
This document was written by Ryan Giobbi.
|Date First Published:||2008-09-12|
|Date Last Updated:||2008-09-17 11:45 UTC|