Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 12 Jan 2017 00:51:53 +0000
From: Simon McVittie <smcv@...ian.org>
To: oss-security@...ts.openwall.com
Subject: ikiwiki: CVE-2017-0356: Authentication bypass via repeated parameters

Reference: https://ikiwiki.info/security/#cve-2017-0356
Affected versions: >= 2.11
Fixed versions: >= 3.20170111
Fixed versions (3.20141016.x branch): >= 3.20141016.4

ikiwiki is a static site generator with some dynamic features,
used for wikis, blogs and other websites.

The ikiwiki maintainers discovered two related flaws in the
passwordauth plugin's use of CGI::FormBuilder, involving API design
issues similar to those that led to CVE-2014-1572. Impact:

* An attacker who can log in to a site with a password can log in
  as a different and potentially more privileged user.
* An attacker who can create a new account can set arbitrary fields
  in the user database for that account.

Sites that enable the CGI script (cgi_wrapper) and do not disable the
simple password authentication plugin (passwordauth, enabled by default)
are affected.

For current releases, this is fixed in ikiwiki >= 3.20170111.
For the Debian 8 branch, it is fixed in ikiwiki 3.20141016.4.

Regards,
    S

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ