-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2012.0177
               A vulnerability has been identified in TWiki
                             20 December 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              TWiki
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Denial of Service               -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2012-6330 CVE-2012-6329 
Member content until: Saturday, January 19 2013

OVERVIEW

        A number of vulnerabilities have been identified in TWiki versions 
        4.0.x, 4.1.x, 4.2.x, 4.3.x, 5.0.x and 5.1.0 through 5.1.2. [1]


IMPACT

        The vendor has provided the following description regarding these
        vulnerabilities:
        
        CVE-2012-6329: "An unauthenticated remote attacker can execute 
        arbitrary shell commands as the webserver user, such as user 
        nobody." [1]
        
        CVE-2012-6330: "Excessive memory allocation: %MAKETEXT{"This is 
        [_9999999999999999] Evil"}% will consume all memory and swap space 
        attempting to initialize all missing entries in the parameters 
        array." [1]
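        Both CVEs stem from user-controlled text reaching Locale::Maketext's
        bracket notation, where a plain [_N] is a positional parameter and any
        other [name,...] form is a method call, and where an absurd N triggers
        the parameter-array growth quoted above. The following Python checker
        is an added example (not AusCERT's or TWiki's code) that a site could
        run over topic text or a wiki dump to find MAKETEXT uses outside an
        allow-list. It assumes a simplified MAKETEXT syntax (string given as
        string="..." or the first bare "..." token, parameters as args="a, b"),
        an allow-list policy of [_N] only, and an assumed ceiling of 20
        positional parameters; all three are choices of this example, not
        TWiki's own rules.

```python
import re

# Simplified shape of a TWiki MAKETEXT variable (assumption: no nested braces,
# string given as string="..." or as the first bare "..." token, parameters
# given as args="a, b, c").
MAKETEXT_RE = re.compile(r'%MAKETEXT\{(?P<body>[^}]*)\}%')
NAMED_STRING_RE = re.compile(r'\bstring="((?:[^"\\]|\\.)*)"')
BARE_STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
ARGS_RE = re.compile(r'\bargs="((?:[^"\\]|\\.)*)"')
BRACKET_RE = re.compile(r'\[([^\]]*)\]')
POSITIONAL_RE = re.compile(r'^_(\d+)$')

# Assumed policy ceiling: no sane template references more than this many
# positional parameters, so anything above it is flagged even when enough
# args happen to be supplied.
MAX_POSITIONAL = 20


def _maketext_parts(body):
    """Split one MAKETEXT body into (translatable string, number of args)."""
    args = ARGS_RE.search(body)
    arg_count = 0
    if args and args.group(1).strip():
        arg_count = len(args.group(1).split(','))
    rest = ARGS_RE.sub('', body)  # so args="..." is never mistaken for the string
    named = NAMED_STRING_RE.search(rest)
    if named:
        return named.group(1), arg_count
    bare = BARE_STRING_RE.search(rest)
    return (bare.group(1) if bare else ''), arg_count


def check_maketext(text, max_positional=MAX_POSITIONAL):
    """Return a list of (kind, bracket_content, variable) findings.

    kind is 'bracket-method' for any [...] that is not a plain [_N]
    placeholder (Locale::Maketext treats [name,...] as a method call), or
    'positional-out-of-range' for [_N] where N is 0, exceeds the supplied
    args, or exceeds max_positional (the CVE-2012-6330 memory-exhaustion case).
    """
    findings = []
    for m in MAKETEXT_RE.finditer(text):
        string, arg_count = _maketext_parts(m.group('body'))
        # ~[ and ~] are Locale::Maketext escapes for literal brackets; drop them
        # so only real bracket expressions are inspected.
        literal = string.replace('~[', '').replace('~]', '')
        for b in BRACKET_RE.finditer(literal):
            inner = b.group(1).strip()
            pos = POSITIONAL_RE.match(inner)
            if pos is None:
                findings.append(('bracket-method', inner, m.group(0)))
                continue
            n = int(pos.group(1))
            if n < 1 or n > arg_count or n > max_positional:
                findings.append(('positional-out-of-range', inner, m.group(0)))
    return findings


# Constructed sample topic text for this example; the third variable is the
# memory-exhaustion string quoted in the advisory.
SAMPLE = '''
%MAKETEXT{"Hello [_1], you have [_2] new messages" args="Alice, 3"}%
%MAKETEXT{"Edit ~[here~]"}%
%MAKETEXT{"This is [_9999999999999999] Evil"}%
'''

if __name__ == '__main__':
    for kind, inner, var in check_maketext(SAMPLE):
        print(f'{kind}: [{inner}] in {var}')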


MITIGATION

        The vendor has provided the following mitigations, which include
        the application of a hotfix:
        
        "One of:
          * Disable localization by setting configure flag 
            {UserInterfaceInternationalisation} to 0.
          * Apply hotfix (see patch below).
          * Upgrade to the latest patched production release 
            TWiki-5.1.3 (TWikiRelease05x01x03) when available. 
        
        In addition:
          * Install CPAN:Locale::Maketext version 1.23 or newer.
          * Use the {SafeEnvPath} configure setting to restrict the possible 
            directories that are searched for executables. By default, this 
            is the PATH used by the webserver user. Set {SafeEnvPath} to a 
            list of non-writable directories, such as "/bin:/usr/bin". " [1]
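        The {SafeEnvPath} advice only helps if every listed directory really
        is outside the webserver user's reach. The following Python audit is
        an added example (not TWiki's configure script or AusCERT's code) that
        reads the two settings named above from a LocalSite.cfg-style file and
        flags path entries that are relative, missing, not directories, or
        group/world-writable. It assumes the $TWiki::cfg{Key} = value; form
        that LocalSite.cfg uses for settings; the mode_fn hook exists so the
        check can be exercised without touching the real filesystem.

```python
import os
import re
import stat

# LocalSite.cfg stores settings as Perl assignments, e.g.
#   $TWiki::cfg{SafeEnvPath} = '/bin:/usr/bin';
#   $TWiki::cfg{UserInterfaceInternationalisation} = 0;
CFG_RE = re.compile(r'''\$TWiki::cfg\{(\w+)\}\s*=\s*(?:['"]([^'"]*)['"]|(\d+))\s*;''')


def read_cfg(cfg_text):
    """Return {key: value} for the simple string/number assignments in cfg_text."""
    out = {}
    for key, quoted, number in CFG_RE.findall(cfg_text):
        out[key] = number if number else quoted
    return out


def _real_mode(path):
    """st_mode of path, or None when it does not exist."""
    try:
        return os.stat(path).st_mode
    except OSError:
        return None


def path_entry_problems(entry, mode_fn=_real_mode):
    """Problems with one SafeEnvPath directory; mode_fn returns st_mode or None."""
    if not entry.startswith('/'):
        return ['relative']  # resolved against the CGI's cwd, so not a fixed location
    mode = mode_fn(entry)
    if mode is None:
        return ['missing']
    problems = []
    if not stat.S_ISDIR(mode):
        problems.append('not-a-directory')
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append('group-or-world-writable')
    return problems


def audit_localsite_cfg(cfg_text, mode_fn=_real_mode):
    """Report whether localization is still on and what is wrong with each path entry."""
    cfg = read_cfg(cfg_text)
    report = {
        'i18n_enabled': cfg.get('UserInterfaceInternationalisation') == '1',
        'safe_env_path': {},
    }
    for entry in filter(None, cfg.get('SafeEnvPath', '').split(':')):
        report['safe_env_path'][entry] = path_entry_problems(entry, mode_fn)
    return report


# Constructed configuration sample for this example (not a real site's file).
SAMPLE_CFG = """
$TWiki::cfg{UserInterfaceInternationalisation} = 1;
$TWiki::cfg{SafeEnvPath} = '/bin:/usr/bin:/tmp';
"""

if __name__ == '__main__':
    result = audit_localsite_cfg(SAMPLE_CFG)
    print('localization enabled:', result['i18n_enabled'])
    for entry, problems in result['safe_env_path'].items():
        print(f'{entry}: {", ".join(problems) or "ok"}')
```

        On a typical UNIX host the sample run flags /tmp as world-writable,
        which is exactly the kind of entry the vendor's "non-writable
        directories" wording rules out. The check does not follow symlinks
        inside the directories or inspect ownership, so a directory owned by
        the webserver user with mode 755 still passes; add an owner check
        against the webserver uid if that matters at your site.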


REFERENCES

        [1] Security Alert CVE-2012-6329: TWiki MAKETEXT Variable Allows
            Arbitrary Shell Command Execution
            http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2012-6329

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----