Debian Security Advisory

DSA-1639-1 twiki -- command execution

Date Reported:
19 Sep 2008
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 499534.
In Mitre's CVE dictionary: CVE-2008-3195.
More information:

It was discovered that twiki, a web based collaboration platform, didn't properly sanitize the image parameter in its configuration script. This could allow remote users to execute arbitrary commands upon the system, or read any files which were readable by the webserver user.

For the stable distribution (etch), this problem has been fixed in version 1:4.0.5-9.1etch1.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your twiki package.

Fixed in:

Debian GNU/Linux 4.0 (etch)

Architecture-independent component:

MD5 checksums of the listed files are available in the original advisory.