Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 12 Jan 2017 00:51:53 +0000
From: Simon McVittie <>
Subject: ikiwiki: CVE-2017-0356: Authentication bypass via repeated parameters

Affected versions: >= 2.11
Fixed versions: >= 3.20170111
Fixed versions (3.20141016.x branch): >= 3.20141016.4

ikiwiki is a static site generator with some dynamic features,
used for wikis, blogs and other websites.

The ikiwiki maintainers discovered two related flaws in the
passwordauth plugin's use of CGI::FormBuilder, involving API design
issues similar to those that led to CVE-2014-1572. Impact:

* An attacker who can log in to a site with a password can log in
  as a different and potentially more privileged user.
* An attacker who can create a new account can set arbitrary fields
  in the user database for that account.

Sites that enable the CGI script (cgi_wrapper) and do not disable the
simple password authentication plugin (passwordauth, enabled by default)
are affected.

For current releases, this is fixed in ikiwiki >= 3.20170111.
For the Debian 8 branch, it is fixed in ikiwiki 3.20141016.4.


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.