VID | 21992
Severity | 30
Port | 80, ...
Protocol | TCP
Class | CGI
Detailed Description | The TWiki software is vulnerable to a directory traversal vulnerability via the 'filename' parameter. TWiki is a Web-based collaboration platform, written in Perl, designed for running a project development space, a document management system, and a knowledge base. TWiki versions 4.0.0 through 4.0.4 could allow a remote attacker to traverse directories because '..' (dot dot) sequences in user-supplied input passed via the 'filename' parameter are not filtered properly. A remote attacker could exploit this vulnerability to remove directories required by the application and to write arbitrary content to files on the affected host.
* References: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2006-4294 ; http://securitytracker.com/id?1016805 ; http://www.frsirt.com/english/advisories/2006/3524 ; http://secunia.com/advisories/21829
* Platforms Affected: TWiki.org, TWiki versions 4.0.0 through 4.0.4; any operating system, any version
Recommendation | Upgrade to TWiki version 4.0.4 and apply the latest Hotfix (3 or later), available from the TWiki Download Web site at http://twiki.org/cgi-bin/view/Codev/DownloadTWiki
Related URL | CVE-2006-4294 (CVE)
Related URL | 19907 (SecurityFocus)
Related URL | 28822 (ISS)