TWiki fails to protect the CGI session directory, which may allow an attacker to execute arbitrary code with the privileges of the web server.
TWiki is a web-based collaborative publishing environment. TWiki creates CGI session files in the global /tmp directory, which is generally world-readable and world-writable. By creating CGI session files in this directory, an attacker may be able to execute arbitrary code.
An attacker with the ability to create files in the CGI session directory (usually /tmp) may be able to execute arbitrary code with the privileges of the web server.
Apply an update
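To confirm that a session directory is not exposed in the way described above, the following added example (not part of the original advisory and not TWiki code) audits a directory's ownership and permissions. The directory path and the web server account's uid are supplied by the caller and are assumptions; nothing is read from TWiki's configuration.

```python
import os
import stat
import sys


def audit_session_dir(path, expected_uid):
    """Return a list of findings for a CGI session directory.

    path and expected_uid (the web server account's uid) are caller-supplied
    assumptions; this function does not read any TWiki setting.
    """
    st = os.lstat(path)  # lstat: do not follow a symlink placed at the path
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path}: not a real directory (symlink or other file type)"]
    findings = []
    if st.st_uid != expected_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable, any local user can create session files")
    if st.st_mode & (stat.S_IROTH | stat.S_IXOTH):
        findings.append(f"{path}: world-readable or searchable, session files are exposed")
    # Inspect the entries themselves: a file created by another account is
    # exactly the precondition the advisory names.
    with os.scandir(path) as entries:
        for entry in entries:
            est = entry.stat(follow_symlinks=False)
            if est.st_uid != expected_uid:
                findings.append(f"{entry.path}: owned by uid {est.st_uid}, not the web server")
            elif stat.S_ISREG(est.st_mode) and est.st_mode & (stat.S_IROTH | stat.S_IWOTH):
                findings.append(f"{entry.path}: session file accessible to other users")
    return findings


if __name__ == "__main__":
    # Usage: audit_session_dir.py <session-dir> <web-server-uid>
    results = audit_session_dir(sys.argv[1], int(sys.argv[2]))
    print("\n".join(results) or "no findings")
    sys.exit(1 if results else 0)
```

A dedicated directory owned by the web server account with mode 0700 produces no findings; the global /tmp produces several.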
Thanks to Peter Thoeny for reporting this vulnerability.
This document was written by Will Dormann.
Date First Published: 2007-02-08
Date Last Updated: 2007-02-14 16:56 UTC