===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2012.0177
                A vulnerability has been identified in TWiki
                              20 December 2012
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              TWiki
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Denial of Service               -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2012-6330 CVE-2012-6329
Member content until: Saturday, January 19 2013

OVERVIEW

        A number of vulnerabilities have been identified in TWiki versions
        4.0.x, 4.1.x, 4.2.x, 4.3.x, 5.0.x and 5.1.0 through 5.1.2. [1]

IMPACT

        The vendor has provided the following description regarding these
        vulnerabilities:

        CVE-2012-6329:
        "An unauthenticated remote attacker can execute arbitrary shell
        commands as the webserver user, such as user nobody." [1]

        CVE-2012-6330:
        "Excessive memory allocation:
        %MAKETEXT{"This is [_9999999999999999] Evil"}% will consume all
        memory and swap space attempting to initialize all missing entries
        in the parameters array." [1]

MITIGATION

        The vendor has provided the following mitigations, which include the
        application of a hotfix:

        "One of:
        * Disable localization by setting configure flag
          {UserInterfaceInternationalisation} to 0.
        * Apply hotfix (see patch below).
        * Upgrade to the latest patched production release TWiki-5.1.3
          (TWikiRelease05x01x03) when available.

        In addition:
        * Install CPAN:Locale::Maketext version 1.23 or newer.
        * Use the {SafeEnvPath} configure setting to restrict the possible
          directories that are searched for executables. By default, this
          is the PATH used by the webserver user. Set {SafeEnvPath} to a
          list of non-writable directories, such as "/bin:/usr/bin"." [1]

REFERENCES

        [1] Security Alert CVE-2012-6329: TWiki MAKETEXT Variable Allows
            Arbitrary Shell Command Execution
            http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2012-6329

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
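As an added defensive example (not part of the AusCERT bulletin or of TWiki's own code), the following Python scanner checks TWiki topic text for the MAKETEXT pattern quoted under CVE-2012-6330: a numbered placeholder whose index would force allocation of a huge parameters array. It also queues for manual review any bracket group that is not a plain [_N] placeholder. The index limit of 50, the regex for the MAKETEXT variable syntax and the sample topic text are assumptions.

```python
import re

# Quoted string argument of a TWiki MAKETEXT variable, e.g.
# %MAKETEXT{"..." args="..."}% (assumed syntax; string="..." also accepted).
MAKETEXT_RE = re.compile(r'%MAKETEXT\{\s*(?:string=)?"((?:[^"\\]|\\.)*)"')
# Any bracket group inside the string argument.
BRACKET_RE = re.compile(r'\[([^\]]*)\]')
# A numbered parameter placeholder such as [_1] or [_2].
PLACEHOLDER_RE = re.compile(r'\[_(\d+)\]')

# Assumption: no legitimate MAKETEXT string needs more than this many parameters.
MAX_PARAM_INDEX = 50


def scan_maketext(text, max_index=MAX_PARAM_INDEX):
    """Return (line_no, reason, bracket_group) findings for suspicious MAKETEXT use.

    reason is "oversized-placeholder-index" when a [_N] placeholder's N exceeds
    max_index (the CVE-2012-6330 memory-exhaustion pattern), or
    "non-placeholder-bracket" for any other bracket group, which is reported
    for review rather than interpreted.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for call in MAKETEXT_RE.finditer(line):
            for group in BRACKET_RE.finditer(call.group(1)):
                placeholder = PLACEHOLDER_RE.fullmatch(group.group(0))
                if placeholder is None:
                    findings.append((line_no, "non-placeholder-bracket", group.group(0)))
                elif int(placeholder.group(1)) > max_index:
                    findings.append((line_no, "oversized-placeholder-index", group.group(0)))
    return findings


# Constructed sample topic text; line 2 is the pattern quoted in the bulletin.
SAMPLE_TOPIC = """\
%MAKETEXT{"Hello [_1], you have [_2] new messages" args="Alice, 3"}%
%MAKETEXT{"This is [_9999999999999999] Evil"}%
%MAKETEXT{"Result: [unexpected,token]"}%
Plain paragraph with no variables.
"""

if __name__ == "__main__":
    for line_no, reason, snippet in scan_maketext(SAMPLE_TOPIC):
        print(f"line {line_no}: {reason}: {snippet}")
```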