Date: Thu, 12 Jan 2017 00:51:53 +0000 From: Simon McVittie <smcv@...ian.org> To: oss-security@...ts.openwall.com Subject: ikiwiki: CVE-2017-0356: Authentication bypass via repeated parameters Reference: https://ikiwiki.info/security/#cve-2017-0356 Affected versions: >= 2.11 Fixed versions: >= 3.20170111 Fixed versions (3.20141016.x branch): >= 3.20141016.4 ikiwiki is a static site generator with some dynamic features, used for wikis, blogs and other websites. The ikiwiki maintainers discovered two related flaws in the passwordauth plugin's use of CGI::FormBuilder, involving API design issues similar to those that led to CVE-2014-1572. Impact: * An attacker who can log in to a site with a password can log in as a different and potentially more privileged user. * An attacker who can create a new account can set arbitrary fields in the user database for that account. Sites that enable the CGI script (cgi_wrapper) and do not disable the simple password authentication plugin (passwordauth, enabled by default) are affected. For current releases, this is fixed in ikiwiki >= 3.20170111. For the Debian 8 branch, it is fixed in ikiwiki 3.20141016.4. Regards, S
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ