Info

Disclosure

Jun 17, 2006

Discovery

Unknown

Dates

Exploit

Jun 17, 2006

Solution

Unknown

Description

TWiki contains a flaw that may allow a malicious user to gain administrator privileges. The issue is caused due to an error in the registration process that can be exploited by changing the action attribute of the form element to the Sandbox web. It is possible that the flaw may allow a user to gain privileges of another user resulting in a loss of confidentiality.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Confidentiality
Exploit: Exploit Public
OSVDB: Web Related

Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, TWiki has released a patch to address this vulnerability.

Products

TWiky	TWiky	4.0.0
		4.0.1
		4.0.2

References

Security Tracker: 1016323
CVE ID: 2006-2942 (see also: NVD)
Secunia Advisory ID: 20596
Mail List Post: http://archives.neohapsis.com/archives/vulnwatch/2006-q2/0032.html
Vendor Specific Advisory URL: http://twiki.org/cgi-bin/view/Codev/SecurityAlertTWiki4PrivilegeElevation
Other Advisory URL: http://www.secuobs.com/secumail/snsecumail/msg01217.shtml

Credit

Harald Joerg - Twiky

Direct URL: http://osvdb.org/26623

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

TWiky

TWiky

References

Credit