TWiki Remote Information Disclosure Vulnerability
Solution: The vendor has released a hotfix. Symantec has not tested the integrity or effectiveness of the hotfix.

Hotfix for rdiff script: In file twiki/lib/TWiki/UI/RDiff.pm, find sub diff. 10 lines lower in the file you will find the following line:

    TWiki::UI::checkTopicExists( $session, $webName, $topic, 'diff' );

Add the following line immediately after it:

    TWiki::UI::checkAccess( $session, $webName, $topic, 'view', $session->{user} );

CVE-2006-1386_UI_RDiff_pm.diff: Patch for twiki/lib/TWiki/UI/RDiff.pm, TWiki 4.0.1 (See HowToApplyPatch)

Hotfix for preview script: In file twiki/lib/TWiki/UI/Save.pm find the following lines:

    if( $topicExists ) {
        ( $prevMeta, $prevText ) = $store->readTopic( undef, $webName, $topic, undef );
        if( $prevMeta ) {
            foreach my $k ( keys %$prevMeta ) {

Change the call to 'readTopic' to:

    $store->readTopic( $user, $webName, $topic, undef );
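To confirm that both hotfixes are present on an installed copy, the following Python script checks the two source files for the lines quoted above. It is an added example, not part of the advisory or of TWiki's code; the function names and the sample strings are assumptions constructed for illustration.

```python
import re
import sys

# The two lines quoted in the advisory's rdiff hotfix.
EXISTS_CALL = "TWiki::UI::checkTopicExists( $session, $webName, $topic, 'diff' );"
ACCESS_CALL = "TWiki::UI::checkAccess( $session, $webName, $topic, 'view', $session->{user} );"

# Constructed samples (not the real TWiki files): only the lines the advisory quotes.
RDIFF_UNPATCHED = "sub diff {\n    " + EXISTS_CALL + "\n}\n"
RDIFF_PATCHED = "sub diff {\n    " + EXISTS_CALL + "\n    " + ACCESS_CALL + "\n}\n"
SAVE_UNPATCHED = "( $prevMeta, $prevText ) =\n  $store->readTopic( undef, $webName, $topic, undef );\n"
SAVE_PATCHED = SAVE_UNPATCHED.replace("readTopic( undef,", "readTopic( $user,")

def _norm(text):
    """Remove all whitespace so spacing and line wrapping do not matter."""
    return re.sub(r"\s+", "", text)

def _code_lines(src):
    """Normalised lines, with blank lines and full-line Perl comments dropped."""
    lines = (_norm(line) for line in src.splitlines())
    return [n for n in lines if n and not n.startswith("#")]

def rdiff_hotfixed(src):
    """True if checkAccess is the next code line after checkTopicExists."""
    lines = _code_lines(src)
    want_exists, want_access = _norm(EXISTS_CALL), _norm(ACCESS_CALL)
    for i, line in enumerate(lines):
        if line == want_exists:
            return i + 1 < len(lines) and lines[i + 1] == want_access
    return False  # anchor line not found: report as not verified

def save_hotfixed(src):
    """True if the readTopic call that fills $prevMeta passes $user, not undef."""
    m = re.search(r"\$prevMeta,\$prevText\)=\$store->readTopic\(([^,]+),", _norm(src))
    return bool(m) and m.group(1) == "$user"

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: check.py path/to/RDiff.pm path/to/Save.pm
        rdiff, save = (open(p, encoding="utf-8", errors="replace").read()
                       for p in sys.argv[1:3])
    else:  # no paths given: run against the constructed unpatched samples
        rdiff, save = RDIFF_UNPATCHED, SAVE_UNPATCHED
    print("rdiff view-access check present:", rdiff_hotfixed(rdiff))
    print("preview reads topic as $user:   ", save_hotfixed(save))
```

The checks are deliberately strict: a commented-out or reworded hotfix line is reported as not verified, so a False result calls for a manual look at the file.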