[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] ikiwiki: CVE-2017-0356: Authentication bypass via repeated parameters
From:       Simon McVittie <smcv () debian ! org>
Date:       2017-01-12 0:51:53
Message-ID: 20170112005153.hxfvrwwyywq2szvq () perpetual ! pseudorandom ! co ! uk
[Download RAW message or body]

Reference: https://ikiwiki.info/security/#cve-2017-0356
Affected versions: >= 2.11
Fixed versions: >= 3.20170111
Fixed versions (3.20141016.x branch): >= 3.20141016.4

ikiwiki is a static site generator with some dynamic features,
used for wikis, blogs and other websites.

The ikiwiki maintainers discovered two related flaws in the
passwordauth plugin's use of CGI::FormBuilder, involving API design
issues similar to those that led to CVE-2014-1572. Impact:

* An attacker who can log in to a site with a password can log in
  as a different and potentially more privileged user.
* An attacker who can create a new account can set arbitrary fields
  in the user database for that account.

Sites that enable the CGI script (cgi_wrapper) and do not disable the
simple password authentication plugin (passwordauth, enabled by default)
are affected.

For current releases, this is fixed in ikiwiki >= 3.20170111.
For the Debian 8 branch, it is fixed in ikiwiki 3.20141016.4.

Regards,
    S
[prev in list] [next in list] [prev in thread] [next in thread] 

Configure | About | News | Add a list | Sponsored by KoreLogic