TWiki Failed Login Information Disclosure Vulnerability

Bugtraq ID:	21381
Class:	Input Validation Error
CVE:	CVE-2006-6071
Remote:	Yes
Local:	No
Published:	Dec 01 2006 12:00AM
Updated:	Dec 01 2006 09:10PM
Credit:	George Clark is credited with the discovery of this vulnerability.
Vulnerable:	TWiki TWiki with SessionPlugin 04-Sep-2004 TWiki TWiki with SessionPlugin 03-Sep-2004 TWiki TWiki with SessionPlugin 02-Sep-2004 TWiki TWiki with SessionPlugin 01-Sep-2004 TWiki TWiki 4.0.5 TWiki TWiki 4.0.4 TWiki TWiki 4.0.3 TWiki TWiki 4.0.2 TWiki TWiki 4.0.1 TWiki TWiki 0
Not Vulnerable:

TWiki Failed Login Information Disclosure Vulnerability

TWiki is prone to an information-disclosure vulnerability because it fails to authenticate users before providing access to sensitive information.

Exploiting this issue could allow an attacker to retrieve sensitive information, including wiki content that is in access-restricted topics.

Note that the following are required to exploit this vulnerability:

- The Apache 1.3 webserver is running
- The Apache 'ErrorDocument 401' configuration setting is set to a TWiki topic
- ApacheLogin with TWiki-4.0 is used with sessions enabled (or SessionPlugin for older versions)

TWiki Failed Login Information Disclosure Vulnerability

An attacker can exploit this issue via a web client.

TWiki Failed Login Information Disclosure Vulnerability

Solution:
The vendor has released a hotfix; please see the referenced vendor advisory for details.

TWiki Failed Login Information Disclosure Vulnerability

References:

• TWiki Homepage (TWiki)
  
• TWiki Vendor Advisory - SecurityAlert-CVE-2006-6071 (TWiki)