Message-ID: <20260316022732.GA13154@openwall.com>
Date: Mon, 16 Mar 2026 03:27:32 +0100
From: Solar Designer <solar@...nwall.com>
To: Michael Daum <foswiki@...haeldaumconsulting.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: Foswiki 2.1.11 is released, fixes CVE-2026-2861

Hello Michael,

Thank you for bringing this to oss-security.

On Sun, Mar 15, 2026 at 03:06:24PM +0100, Michael Daum wrote:
> Foswiki 2.1.11 is available to download now. This release came earlier than expected due to the severe security issues found in previous versions, as detailed in CVE-2026-2861.
> Read more at https://foswiki.org/Blog/Foswiki2111IsReleased and https://foswiki.org/System/ReleaseNotes02x01#Foswiki_Release_2.1.11_Details
>
> Download from https://foswiki.org/Download/FoswikiRelease02x01x11

We require actual detail in here, not just "read more at", and the above
web pages don't tell much about the CVE.  There's some actual detail in:

https://foswiki.org/Support/SecurityAlertCVE20262861

which I'll partially quote below:

> Security Alert: Information disclosure vulnerability in viewfile, oops, preview and changes endpoints
> 15 March 2026 - 14:30 | Version 4 | Michael Daum
>
> An anonymous user can craft an HTTP url to oops, preview, changes and viewfile endpoint to disclose access protected information.
>
> Attack Vectors
>
> An anonymous user can craft an HTTP url to the oops, changes or preview endpoint and disclose protected information. For example https://mysite.com/bin/oops/Web/SecretTopicWithFormData?template=view will disclose any data stored at the given page. Given a topic without view rights an unauthorized user can test for the existence of attachments using viewfile. The endpoint's order of checking access rights and checking file existence is performed in the wrong order.
>
> Impact
>
> Information disclosure of private data.
>
> Details
>
> The changes script does not check access view rights on the topic it was loaded on. This is a security problem for any template loading additional data at this point. This endpoint has been deprecated for a long time and does not serve any particular purpose anymore.
>
> The viewfile's order of checking access rights and checking file existence is performed in the wrong order. It foremost needs to check access and only then do anything else.
>
> The oops endpoint accepts an arbitrary template url parameter such as template=view and thus functions as a normal view endpoint, however without performing any access control checks. Similarly preview can be exploited.
>
> Countermeasures
>
> To minimize the attack surface endpoints changes, preview and search are removed from the switch board configuration. See hotfix in Item15600: changes and preview scripts do not check view access rights, Item15601: viewfile can be used to test for existing files even without view rights on the topic and Item15602: oops script can be used to display data even without view access rights.
>
> Upgrade to the latest patched production Foswiki Release 2.1.11 is highly encouraged.
>
> Authors and Credits
>
> Found by: Jan Seebens (Deutsche Telekom Technik GmbH) and Michael Daum Consulting
>
> Action Plan with Timeline
>
> 2026-01-12 - Disclosure of issue to foswiki security mailing list
> 2026-01-12 - Developer verifies issue
> 2026-01-12 - Hotfix foswiki.org website
> 2026-01-17 - Developer fixes code
> 2026-02-20 - Security team creates advisory with hotfix
>
> 2026-02-?? - Release Manager builds patch release
> 2026-02-?? - Send alert to foswiki-announce and foswiki-discuss mailing lists
> 2026-02-?? - Publish advisory in Support web and update all related topics
> 2026-02-?? - Reference to public advisory on Download page and Known Issues
> 2026-02-?? - Issue a public security advisory (vuln@...unia.com, cert@...t.org, bugs@...uritytracker.com bugtraq@...urityfocus.com full-disclosure@...ts.grok.org.uk), https://openwall.com/lists/oss-security (name)

Alexander
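As an added illustration (not code from the advisory or from Foswiki, which is written in Perl), the following Python model shows why the viewfile check order matters: the flawed handler checks attachment existence before view access and therefore answers an unauthorised caller with 404 or 403 depending on whether the file exists, while the fixed handler checks access first and answers identically in both cases. The topic name, ACL and attachment are constructed sample data, not Foswiki's storage layout.

```python
from dataclasses import dataclass, field


@dataclass
class Topic:
    """Constructed model of a topic: a view ACL plus its attachments."""
    viewers: set                                      # users allowed to view
    attachments: dict = field(default_factory=dict)   # filename -> content


# Constructed sample data (hypothetical topic, user and attachment).
TOPICS = {
    "Web/SecretTopic": Topic(
        viewers={"alice"},
        attachments={"plan.pdf": b"%PDF-1.4 constructed secret"},
    ),
}


def viewfile_flawed(user, topic_name, filename):
    """Wrong order: existence is checked before access, so the status code
    tells an unauthorised caller whether the attachment exists."""
    topic = TOPICS.get(topic_name)
    if topic is None or filename not in topic.attachments:
        return 404, b""                      # "no such file"
    if user not in topic.viewers:
        return 403, b""                      # "forbidden": file exists!
    return 200, topic.attachments[filename]


def viewfile_fixed(user, topic_name, filename):
    """Right order: access is checked first; an unauthorised caller gets the
    same answer whether or not the attachment (or even the topic) exists."""
    topic = TOPICS.get(topic_name)
    if topic is None or user not in topic.viewers:
        return 403, b""                      # uniform answer, no oracle
    if filename not in topic.attachments:
        return 404, b""
    return 200, topic.attachments[filename]


def leaks_existence(handler, user, topic_name, existing, missing):
    """True if `user` can distinguish an existing attachment from a missing
    one through the handler's status code alone."""
    return (handler(user, topic_name, existing)[0]
            != handler(user, topic_name, missing)[0])
```

Running `leaks_existence` against both handlers with an anonymous user is the regression check one would keep after applying a fix of this kind.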