twiki 4.0.x 安全漏洞警告:服务端任意文件读取

9月6日收到了twiki开发邮件列表的安全警报:twiki 4.0.x中发现了服务器端文件读取安全漏洞。黑客有可能通过这样的链接查看后台系统上的文件:;filename=../../../../../etc/passwd

请尽快升级twiki 4.0.x 的系统:
--- (revision 11339)
+++ (working copy)
@@ -356,6 +356,7 @@
my $topic = $session->{topicName};

my $fileName = $query->param( 'filename' );
+ die "Illegal attachment name" if $fileName =~ m#[/\\]#;

my $rev = $session->{store}->cleanUpRevID( $query->param( 'rev' ) );


Dear TWiki administrator,

This advisory alerts you of a potential security issue
with your TWiki installation: Unauthorized user may view
arbitrary files of the server file system with the
viewfile script.

NOTE: Please do not publicly announce until 2006-09-07,
but please feel free to forward this message to fellow
TWiki administrators.

* Vulnerable Software Version
* Attack Vectors
* Impact
* Severity Level
* MITRE Name for this Vulnerability
* Details
* Countermeasures
* Hotfix
* Authors and Credits
* Action Plan with Timeline
* Feedback
* External Links

---++ Vulnerable Software Version

* TWikiRelease04x00x04 --
* TWikiRelease04x00x03 --
* TWikiRelease04x00x02 --
* TWikiRelease04x00x01 --
* TWikiRelease04x00x00 --

---++ Attack Vectors

Supply a specially crafted HTTP POST request on the TWiki
viewfile script.

---++ Impact

An intruder is able to view arbitrary files on the server
file system that are readable by the webserver user, such
as user nobody or wwwrun. The server can potentially be
exploited by reading system files such as /etc/passwd.

---++ Severity Level

The TWiki SecurityTeam [2] triaged this issue as documented
in TWikiSecurityAlertProcess [3] and assigned the following
severity level:

* Severity 1 issue: The web server can be compromised

---++ MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has
assigned the name CVE-2006-4294 [4] to this vulnerability.

---++ Details

All TWiki 4.0.x releases do not sanitize the filename
parameter of the viewfile script. This can used to read
arbitrary files on the server. For example,;filename=../../../../../etc/passwd
dispays the content of the =/etc/passwd= file in the

---++ Countermeasures

* Restrict access to the TWiki installation.
* Apply the hotfix indicated below.

NOTE: The hotfix is known to prevent the current attacks,
but it might not be a complete fix

---++ Hotfix

The accumulated Hotfix 3 for TWiki-4.0.4 contains an
improved version of the module, fixing the known
vulnerability. Hotfix 3 will be available at in
a few days.

If you prefer to fix your TWiki installation immediately,
add the line with "die" to the twiki/lib/TWiki/UI/

--- (revision 11339)
+++ (working copy)
@@ -356,6 +356,7 @@
my $topic = $session->{topicName};

my $fileName = $query->param( 'filename' );
+ die "Illegal attachment name" if $fileName =~ m#[/\\]#;

my $rev = $session->{store}->cleanUpRevID( $query->param( 'rev' ) );

---++ Authors and Credits

* Credit to TWiki:Main.BenWheeler and
TWiki:Main.KoenMartens for disclosing the issue to
the twiki-security mailing list
* TWiki:Main.CrawfordCurrie for creating a fix
* TWiki:Main.KennethLavrsen for creating Hotfix 3 for
TWiki release 4.0.4
* TWiki:Main.PeterThoeny and TWiki:Main.KennethLavrsen
for creating the advisory

---++ Action Plan with Timeline

* 2006-08-20 and 08-28: User discloses vulnerability to
* 2006-08-22: Developer verifies issue
* 2006-08-22: Developer creates fix
* 2006-08-31: Security team creates advisory
* 2006-09-05: Send alert to twiki-announce mailing list
and twiki-dev mailing list
* 2006-09-06: Developer creates Hotfix 3 (pending)
* 2006-09-07: Publish advisory on (pending)
* 2006-09-07: Issue a public security advisory (pending)

---++ Feedback

Please provide feedback at the security alert topic [1],

---++ External Links


-- __Contributors:__ PeterThoeny, CrawfordCurrie,
KennethLavrsen - 31 Aug 2006

作者:车东 发表于:2006-09-08 10:09 最后更新于:2007-04-22 21:04
版权声明:可以转载,转载时请务必以超链接形式标明文章 的原始出处和作者信息及本版权声明


知道你是lucene的牛人.我是lucene的新手,正在一步步学习进行。我是在windows XP环境下进行的。今天在实验着体会demo环境.作到这里出了问题:
vi configuration.jsp <--将indexLocation 的值改为 "$TOMCATHOME/webapps/lucenedb";
jar -ur luceneweb.war luceneweb 首先提示没有r这个参数。我去掉r,加了个v,运行很长时间也没有反应。后来把"$TOMCAT_HOME/webapps/lucenedb" 修改为"c:\fullpath-of-tomcat\webapps\lucenedb",去jar的时候还是出不来,请问这是什么回事,谢谢!


(如果你此前从未在此 Blog 上发表过评论,则你的评论必须在 Blog 主人验证后才能显示,请你耐心等候。)



此页面包含了发表于2006年09月08日 上午10时13分的 Blog 上的单篇日记。

此 Blog 的前一篇日记是 [MT] 3.32升级备忘

此 Blog 的后一篇日记是 给AWStats增加针对Googlebot/Baiduspider/Yahoo!Slurp/MSNBot的详细统计

更多信息可在 主索引 页和 归档 页看到。

Creative Commons License
此 Blog 中的日记遵循以下授权 Creative Commons(创作共用)授权.
Powered by
Movable Type 3.36