Package: twiki
Severity: important
Tags: patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2006-1387: "TWiki 4.0, 4.0.1, and 20010901 through 20040904 allows remote authenticated users with edit rights to cause a denial of service (infinite recursion leading to CPU and memory consumption) via INCLUDE by URL statements that form a loop, such as a page that includes itself."

TWiki has released an advisory [1] about this issue. The attached patch implements the recommended hotfix by disabling the INCLUDE directive. Please mention the CVE number in your changelog.

[1] http://twiki.org/cgi-bin/view/Codev/SecurityAdvisoryDosAttackWithInclude

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEbPVoAud/2YgchcQRAo1GAKDqMMBlHNw1XSbqGVYKltk3u3Y0DQCg4x0J
NOk1flpjJOOY93b9DAXvv+U=
=uBTE
-----END PGP SIGNATURE-----
--- lib/TWiki.pm.orig 2006-05-18 23:07:09.000000000 +0100 +++ lib/TWiki.pm 2006-05-18 23:11:46.000000000 +0100 @@ -1921,6 +1921,9 @@ my $user = ""; my $pass = ""; + # CVE-2006-1387 + return "%RED% Include of URL is disabled %ENDCOLOR%"; + # For speed, read file directly if URL matches an attachment directory if( $theUrl =~ /^$urlHost$pubUrlPath\/([^\/\.]+)\/([^\/\.]+)\/([^\/]+)$/ ) { my $web = $1;
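Review bot: the unconditional `return "%RED% Include of URL is disabled %ENDCOLOR%";` placed right after `my $user = ""; my $pass = "";` turns everything below it in this routine into dead code, including the attachment-directory fast path that follows (`# For speed, read file directly if URL matches an attachment directory`), so the hunk disables every %INCLUDE% of a URL, looping or not. That is what the advisory's hotfix asks for, but the changelog should say precisely that INCLUDE by URL is disabled (topic includes are untouched, so "disabling the INCLUDE directive" overstates it), and the now-unreachable code should either be removed or the early return put behind a site-configurable switch so the feature can be restored once a proper loop check lands rather than leaving a silent stub.

As an added illustration that is neither part of this report nor TWiki's own code, the loop-safe alternative to switching URL includes off entirely: track the pages on the current include path and refuse any page already on it, with a depth cap as a second guard. The in-memory page store, the page names, the `expand`/`render` helpers and the `%RED%` messages below are all constructed for the example.

```perl
#!/usr/bin/perl
# Added example (not TWiki code): expand %INCLUDE{"..."}% directives over a
# constructed page store while refusing include loops such as a page that
# includes itself, the condition described in CVE-2006-1387.
use strict;
use warnings;

my $MAX_DEPTH = 8;   # hard nesting cap, independent of cycle detection

# Constructed pages standing in for topics fetched by name or URL.
my %PAGES = (
    'Main'  => "Header\n%INCLUDE{\"Child\"}%\nFooter\n",
    'Child' => "child body\n%INCLUDE{\"Main\"}%\n",   # loops back to Main
    'Leaf'  => "leaf only\n",
    'Deep'  => "%INCLUDE{\"Leaf\"}%\n",
);

# Expand includes in $text. %$seen holds the pages on the current include
# path; meeting one of them again means a cycle, so emit an error instead of
# recursing. $depth bounds nesting even for long non-cyclic chains.
sub expand {
    my ($text, $seen, $depth) = @_;
    $text =~ s{%INCLUDE\{"([^"]+)"\}%}{
        my $name = $1;
        my $out;
        if ($seen->{$name}) {
            $out = "%RED% Include loop detected at $name %ENDCOLOR%";
        } elsif ($depth >= $MAX_DEPTH) {
            $out = "%RED% Include nesting too deep at $name %ENDCOLOR%";
        } elsif (!exists $PAGES{$name}) {
            $out = "%RED% No such page $name %ENDCOLOR%";
        } else {
            my %path = (%$seen, $name => 1);   # extend the path, not a global set
            $out = expand($PAGES{$name}, \%path, $depth + 1);
        }
        $out;
    }ge;
    return $text;
}

# Render a top-level page, seeding the path with the page itself so that a
# direct self-include is caught on the first hop.
sub render {
    my ($name) = @_;
    return "%RED% No such page $name %ENDCOLOR%\n" unless exists $PAGES{$name};
    return expand($PAGES{$name}, { $name => 1 }, 1);
}

print render('Main');   # Child is expanded once; its include of Main is refused
print render('Deep');   # non-looping chain expands normally
```

Rendering `Main` yields its header, the child body, the loop error in place of the second `Main`, and the footer; the cycle is reported at the point it would have recursed rather than consuming CPU and memory.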