CVSS2 | 4.6 Medium |
---|---|
Attack Vector | LOCAL |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |
Vector | AV:L/AC:L/Au:N/C:P/I:P/A:P |
EPSS | 0.0004 Low |
Percentile | 5.3% |

TWiki fails to protect the CGI session directory, which may allow an attacker to execute arbitrary code with the privileges of the web server.
TWiki is a web-based collaborative publishing environment. TWiki creates CGI session files in the global /tmp directory, which is generally world readable and writable. By creating CGI session files in this directory, an attacker may be able to execute arbitrary code.
An attacker with the ability to create files in the CGI session directory (usually /tmp) may be able to execute arbitrary code with the privileges of the web server.
Apply an update
This issue is addressed in TWikiRelease04x01x01, as specified in TWiki SecurityAlert-CVE-2007-0669.
Workarounds
TWiki SecurityAlert-CVE-2007-0669 suggests several workarounds, including:
* Restrict access to the TWiki server on file level and HTTP.
* If on a shared host, move TWiki to a dedicated host.
* Upgrade to TWikiRelease04x01x01 -- TWiki-4.1.1.zip (recommended)
* Apply a hotfix indicated below.
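An audit for the condition described above and for the file-level restriction workaround, as an added example that is not part of the original advisory or of TWiki's code. The function name, the web server uid passed in, and the `cgisess_` file name prefix are assumptions for illustration; adjust them to the installation being checked.

```python
import os
import stat
import tempfile

def audit_session_dir(path, expected_uid, prefix="cgisess_"):
    """Return findings for a CGI session directory (empty list = clean).

    expected_uid: uid the web server runs as.
    prefix: session file name prefix; "cgisess_" is an assumption here.
    """
    st = os.lstat(path)                      # lstat: do not follow a symlink
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path}: not a real directory"]
    findings = []
    if st.st_uid != expected_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}")
    # Sticky bit or not, a group/world-writable directory (such as /tmp)
    # lets other local accounts create session files in it.
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        mode = stat.S_IMODE(st.st_mode)
        findings.append(f"{path}: writable by group or other ({mode:04o})")
    for name in sorted(os.listdir(path)):
        if not name.startswith(prefix):
            continue
        fst = os.lstat(os.path.join(path, name))
        if not stat.S_ISREG(fst.st_mode):
            findings.append(f"{name}: not a regular file")
        elif fst.st_uid != expected_uid:
            findings.append(f"{name}: owned by uid {fst.st_uid}")
        elif fst.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{name}: accessible beyond owner")
    return findings

if __name__ == "__main__":
    # Constructed sample: a scratch directory with /tmp-like permissions.
    demo = tempfile.mkdtemp()
    os.chmod(demo, 0o1777)
    sample = os.path.join(demo, "cgisess_constructed")
    open(sample, "w").close()
    os.chmod(sample, 0o644)
    print(audit_session_dir(demo, os.getuid()))   # flags directory and file
    os.chmod(demo, 0o700)                         # dedicated, owner-only
    os.chmod(sample, 0o600)
    print(audit_session_dir(demo, os.getuid()))   # clean
```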
Updated: February 08, 2007
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Please see TWiki SecurityAlert-CVE-2007-0669.
If you have feedback, comments, or additional information about this vulnerability, please send us email (subject: "VU#584436 Feedback").
Thanks to Peter Thoeny for reporting this vulnerability.
This document was written by Will Dormann.
CVE IDs: | CVE-2007-0669 |
---|---|
Severity Metric: | 5.91 |
Date Public: | |