List: oss-security
Subject: [oss-security] ikiwiki: CVE-2017-0356: Authentication bypass via repeated parameters
From: Simon McVittie <smcv () debian ! org>
Date: 2017-01-12 0:51:53
Message-ID: 20170112005153.hxfvrwwyywq2szvq () perpetual ! pseudorandom ! co ! uk
Reference: https://ikiwiki.info/security/#cve-2017-0356
Affected versions: >= 2.11
Fixed versions: >= 3.20170111
Fixed versions (3.20141016.x branch): >= 3.20141016.4
ikiwiki is a static site generator with some dynamic features,
used for wikis, blogs and other websites.
The ikiwiki maintainers discovered two related flaws in the
passwordauth plugin's use of CGI::FormBuilder, involving API design
issues similar to those that led to CVE-2014-1572. Impact:
* An attacker who can log in to a site with a password can log in
as a different and potentially more privileged user.
* An attacker who can create a new account can set arbitrary fields
in the user database for that account.
Sites that enable the CGI script (cgi_wrapper) and do not disable the
simple password authentication plugin (passwordauth, enabled by default)
are affected.
For current releases, this is fixed in ikiwiki >= 3.20170111.
For the Debian 8 branch, it is fixed in ikiwiki 3.20141016.4.
Regards,
S
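An added illustration of the bug class the advisory names (a login handler whose password check and session creation read a repeated parameter through different accessors), beside a hardened version. This is example code written for this page, not ikiwiki's passwordauth plugin or CGI::FormBuilder; the user table, parameter names and both handlers are constructed for the illustration.

```python
import hmac
from urllib.parse import parse_qs

# Constructed user table for the illustration (hypothetical, not ikiwiki's).
USERS = {"alice": "alice-pw", "admin": "admin-pw"}


def _pw_ok(name, password):
    """Constant-time password comparison against the constructed table."""
    expected = USERS.get(name)
    return expected is not None and hmac.compare_digest(expected, password)


def login_inconsistent(query_string):
    """Hypothetical vulnerable handler: the password check reads the FIRST
    'name' value, the session is created from the LAST one.  With a single
    'name' both agree; when 'name' is repeated they can differ.
    Returns the session user, or None when login is refused."""
    params = parse_qs(query_string)
    checked_name = params.get("name", [None])[0]
    password = params.get("password", [None])[0]
    if checked_name is None or password is None:
        return None
    if not _pw_ok(checked_name, password):
        return None
    # Second accessor for the same field: disagrees when it is repeated.
    return params["name"][-1]


def login_hardened(query_string):
    """Hardened handler: refuse any missing or repeated authentication
    parameter, then use one canonical value for both the check and the
    session, so the two can never diverge."""
    params = parse_qs(query_string)
    for key in ("name", "password"):
        if len(params.get(key, [])) != 1:
            return None  # ambiguous input is rejected, not guessed at
    name = params["name"][0]
    if not _pw_ok(name, params["password"][0]):
        return None
    return name
```

Logging or alerting on requests where an authentication field arrives more than once is a cheap detection for this class, independent of which framework accessor the application happens to call.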