[Bug 383085] [NEW] TWiki 4.1.x CSRF vulnerability (CVE-2009-1339)
Fumihito YOSHIDA
hito at kugutsu.org
Wed Jun 3 09:04:08 UTC 2009
*** This bug is a security vulnerability ***
Public security bug reported:
TWiki 4.1.x has CSRF vulnerability, it identified with CVE-2009-1339.
http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2009-1339
> Impact
>
> An image tag can be crafted that, when viewed, updates pages with
> the attackers content in TWiki as the viewing user, including members
> of the TWikiAdminGroup. This can be used to gain administrator
> privileges, change access permissions and do other things.
It affected to Hardy,Intrepid,Jaunty,Karmic, and also affected Debian
sid/squeeze/lenny/etch too.
But, in now, we have not any actual patchs.
[References]
Original Advisory:
http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2009-1339
Discussion of fix for 4.1.x about this vuln.
http://twiki.org/cgi-bin/view/Support/SID-00289
** Affects: twiki (Ubuntu)
Importance: Undecided
Status: New
** Affects: twiki (Debian)
Importance: Unknown
Status: New
** Visibility changed to: Public
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2009-1339
** Bug watch added: Debian Bug tracker #526258
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=526258
** Also affects: twiki (Debian) via
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=526258
Importance: Unknown
Status: Unknown
--
TWiki 4.1.x CSRF vulnerability (CVE-2009-1339)
https://bugs.launchpad.net/bugs/383085
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
--
ubuntu-bugs mailing list
ubuntu-bugs at lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
More information about the universe-bugs
mailing list