TWiki Remote Denial Of Service Vulnerability
BID:17267
Info
| Bugtraq ID: | 17267 |
| Class: | Failure to Handle Exceptional Conditions |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 27 2006 12:00AM |
| Updated: | Mar 28 2006 05:58PM |
| Credit: | Kenneth Lavrsen, Sergej Zagursky and Steffen Poulsen are credited with the discovery of this vulnerability. |
| Vulnerable: | TWiki 4.0.1, TWiki 20040903, TWiki 20040902, TWiki 20040901, TWiki 01-Sep-2001, TWiki 01-Feb-2003, TWiki 01-Dec-2001, TWiki 0 |
| Not Vulnerable: | |
Discussion
TWiki is prone to a remote denial-of-service vulnerability. This issue is due to a design error.
An attacker may exploit this vulnerability to deny service to legitimate users.
Exploit / POC
This issue can be exploited through use of a web client.
Solution / Fix
Solution:
The vendor has suggested the following hotfix; Symantec has not tested the validity of this information. Contact the vendor for more information.
In the file 'twiki/lib/TWiki.pm', find 'sub _includeUrl' and add a return at the very beginning, as shown by the two lines between the hotfix markers below:
    # Fetch content from a URL for inclusion by an INCLUDE
    sub _includeUrl {
        my( $this, $theUrl, $thePattern, $theWeb, $theTopic ) = @_;
        # --- lines added by the hotfix ---
        # Fix for Codev.SecurityAdvisoryDosAttackWithInclude
        return "%RED% Include of URL is disabled %ENDCOLOR%";
        # --- end of hotfix; the original function body continues unchanged ---
        my $text = '';
        my $host = '';
        my $port = 80;
        my $path = '';
        my $user = '';
        my $pass = '';
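To confirm the hotfix is actually present in a deployed copy of TWiki.pm, the check below (an added example, not part of the original advisory or the vendor's code) tests whether the first statement of _includeUrl after argument unpacking is an unconditional return. The name hotfix_applied and both sample sources are constructed for illustration, and the line-based parsing is a heuristic that assumes the layout shown above.

```python
import re
import sys

# Constructed samples modelled on the fragment quoted in the advisory.
PATCHED = r"""
sub _includeUrl {
    my( $this, $theUrl, $thePattern, $theWeb, $theTopic ) = @_;
    # Fix for Codev.SecurityAdvisoryDosAttackWithInclude
    return "%RED% Include of URL is disabled %ENDCOLOR%";
    my $text = '';
    my $host = '';
"""
UNPATCHED = r"""
sub _includeUrl {
    my( $this, $theUrl, $thePattern, $theWeb, $theTopic ) = @_;
    my $text = '';
    my $host = '';
"""

SUB_START = re.compile(r"^\s*sub\s+_includeUrl\s*\{", re.M)
ARG_UNPACK = re.compile(r"^my\b.*=\s*(@_|shift)\s*;$")
STRING_LIT = re.compile(r'"[^"]*"|\'[^\']*\'')

def hotfix_applied(source: str) -> bool:
    """True if _includeUrl returns unconditionally before doing any work."""
    m = SUB_START.search(source)
    if m is None:
        raise ValueError("sub _includeUrl not found")
    for line in source[m.end():].splitlines():
        # Drop string literals first, then any trailing Perl comment.
        stmt = STRING_LIT.sub("", line).split("#", 1)[0].strip()
        if not stmt or ARG_UNPACK.match(stmt):
            continue  # blank line, comment, or "my(...) = @_;"
        # First real statement decides: it must be a bare "return ...;"
        # with no "if"/"unless" modifier that could let execution continue.
        is_return = re.fullmatch(r"return\b[^;]*;", stmt) is not None
        return is_return and not re.search(r"\b(if|unless)\b", stmt)
    return False

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_hotfix.py /path/to/twiki/lib/TWiki.pm")
    with open(sys.argv[1], encoding="latin-1") as fh:
        ok = hotfix_applied(fh.read())
    print("hotfix present" if ok else "hotfix MISSING: URL INCLUDE still enabled")
    sys.exit(0 if ok else 1)
```

The non-zero exit status on a missing hotfix lets the check run from a configuration-management or monitoring job.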
References
References:
- Hotfix 2 for TWiki 4.0.4 (TWiki)
- TWiki Homepage (TWiki)