righto, I've uploaded a new version to http://distributedinformation.com/TWikiDebian/ (twiki_4.1.2-3_all.deb)
  * secure /var/www/twiki/pub/_work_areas (Closes: #444982) CVE-2007-5193
  * session files in /tmp/twiki, and add O_EXCL to files that go there
  * updated Vietnamese translation (Closes: #426850)
  * don't modify files that are not installed (Closes: #444498)

I've implemented Joey's suggestion of 1777 & O_EXCL - mostly the files in tmp are written by CGI::Session, that takes care of things. I also moved the 1777 tmp dir back to /tmp/twiki, as per Nico's point wrt to filling /var and fixed a few other bitzers

I've reported the issue upstream so we can look at doing a more lasting change for the next release.

Sven

On Fri, 2007-10-26 at 16:57 +1000, Sven Dowideit wrote:
> ok, I'll implement this on the w/e, and push it into the upcoming 4.2
> release. Thank you Joey, as usual you've helped us unsafe bumbles again.
>
> Sven
>
> On Tue, 2007-10-23 at 20:00 -0400, Joey Hess wrote:
> > Sven Dowideit wrote:
> > > neat summary Joey :)
> > >
> > > The reason that I made it world writeable, is that twiki cgi's can be
> > > run from the command line by anyone, and in doing so, create a session
> > > file.
> > >
> > > This is used by cronjobs, and so that users can script additions to
> > > topics etc.
> >
> > Making the temporary directory mode 1777 would not prevent that, but
> > would prevent users from deleting and replacing twiki temp files.
> >
> > That and making the opens use O_EXCL, would cover the security issues I
> > mentioned.
> >

-- 
Professional Wiki Innovation and Support
Sven Dowideit - http://DistributedINFORMATION.com
A WikiRing Partner http://wikiring.com
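The two mitigations discussed in this thread, a 1777 (sticky, world-writable) session directory and O_EXCL on the files created inside it, are shown below in a small Python demonstration. This is an added example, not code from the twiki Debian package, TWiki or CGI::Session (which are Perl); the directory it creates under tempfile.mkdtemp() stands in for /tmp/twiki, and the file names victim.txt and cgisess_abc are constructed. It shows the defect the O_EXCL change closes: a plain open-for-write follows a pre-existing file or symlink in the shared directory and overwrites its target, while O_CREAT|O_EXCL refuses to open anything it did not create itself. The sticky bit's effect (other users cannot delete or rename files they do not own) cannot be exercised as a single user, so the code only checks that the mode was set.

```python
import os
import stat
import tempfile

# Constructed demo: a fresh directory from tempfile.mkdtemp() stands in for the
# thread's /tmp/twiki so this runs as an unprivileged user.
STICKY_WORLD_WRITABLE = 0o1777  # drwxrwxrwt: anyone may create, only the owner may delete/rename


def make_session_dir(base):
    """Create the shared session directory with mode 1777 (sticky bit set).

    Anyone can still create files here (needed for command-line and cron use
    of the CGIs), but cannot delete or replace files owned by someone else.
    """
    path = os.path.join(base, "twiki")
    os.mkdir(path)
    os.chmod(path, STICKY_WORLD_WRITABLE)  # explicit chmod: mkdir's mode is masked by umask
    return path


def dir_is_sticky(path):
    """True if path is a directory that is world-writable AND has the sticky bit."""
    mode = os.stat(path).st_mode
    return stat.S_ISDIR(mode) and bool(mode & stat.S_ISVTX) and bool(mode & stat.S_IWOTH)


def open_session_file_unsafe(path, data):
    """The pattern being replaced: open(..., 'w') follows whatever already sits at path."""
    with open(path, "w") as fh:
        fh.write(data)


def open_session_file_exclusive(path, data):
    """O_CREAT|O_EXCL: succeed only if we create the file ourselves.

    A pre-existing regular file or symlink makes the open fail (EEXIST), so a
    planted link is never followed. O_NOFOLLOW is added where available.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)


def demo():
    base = tempfile.mkdtemp()
    session_dir = make_session_dir(base)
    sticky_ok = dir_is_sticky(session_dir)

    # Constructed set-up: a file another process cares about, and a symlink
    # planted under the session file name that points at it.
    target = os.path.join(session_dir, "victim.txt")
    with open(target, "w") as fh:
        fh.write("original")
    planted = os.path.join(session_dir, "cgisess_abc")
    os.symlink(target, planted)

    # Unsafe open writes through the link and clobbers the target.
    open_session_file_unsafe(planted, "clobbered")
    with open(target) as fh:
        unsafe_result = fh.read()

    # Restore the target, then retry with O_EXCL: the open is refused.
    with open(target, "w") as fh:
        fh.write("original")
    try:
        open_session_file_exclusive(planted, "clobbered")
        exclusive_refused = False
    except OSError:  # EEXIST (or ELOOP with O_NOFOLLOW); either way nothing is written
        exclusive_refused = True
    with open(target) as fh:
        exclusive_result = fh.read()

    return {
        "sticky": sticky_ok,
        "unsafe_result": unsafe_result,
        "exclusive_refused": exclusive_refused,
        "exclusive_result": exclusive_result,
    }


if __name__ == "__main__":
    print(demo())
```

The session file name is the only thing an unprivileged local user controls in a world-writable directory; O_EXCL removes the race entirely because the open either creates a brand-new file or fails, and the sticky bit stops a second user from removing a legitimately created session file and substituting their own.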