Date: Thu, 12 Jan 2017 00:51:53 +0000 From: Simon McVittie <smcv@...ian.org> To: oss-security@...ts.openwall.com Subject: ikiwiki: CVE-2017-0356: Authentication bypass via repeated parameters Reference: https://ikiwiki.info/security/#cve-2017-0356 Affected versions: >= 2.11 Fixed versions: >= 3.20170111 Fixed versions (3.20141016.x branch): >= 3.20141016.4 ikiwiki is a static site generator with some dynamic features, used for wikis, blogs and other websites. The ikiwiki maintainers discovered two related flaws in the passwordauth plugin's use of CGI::FormBuilder, involving API design issues similar to those that led to CVE-2014-1572. Impact: * An attacker who can log in to a site with a password can log in as a different and potentially more privileged user. * An attacker who can create a new account can set arbitrary fields in the user database for that account. Sites that enable the CGI script (cgi_wrapper) and do not disable the simple password authentication plugin (passwordauth, enabled by default) are affected. For current releases, this is fixed in ikiwiki >= 3.20170111. For the Debian 8 branch, it is fixed in ikiwiki 3.20141016.4. Regards, S
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.