oss-sec mailing list archives
ikiwiki: CVE-2017-0356: Authentication bypass via repeated parameters
From: Simon McVittie <smcv () debian org>
Date: Thu, 12 Jan 2017 00:51:53 +0000
Reference: https://ikiwiki.info/security/#cve-2017-0356 Affected versions: >= 2.11 Fixed versions: >= 3.20170111 Fixed versions (3.20141016.x branch): >= 3.20141016.4 ikiwiki is a static site generator with some dynamic features, used for wikis, blogs and other websites. The ikiwiki maintainers discovered two related flaws in the passwordauth plugin's use of CGI::FormBuilder, involving API design issues similar to those that led to CVE-2014-1572. Impact: * An attacker who can log in to a site with a password can log in as a different and potentially more privileged user. * An attacker who can create a new account can set arbitrary fields in the user database for that account. Sites that enable the CGI script (cgi_wrapper) and do not disable the simple password authentication plugin (passwordauth, enabled by default) are affected. For current releases, this is fixed in ikiwiki >= 3.20170111. For the Debian 8 branch, it is fixed in ikiwiki 3.20141016.4. Regards, S
Current thread:
- ikiwiki: CVE-2017-0356: Authentication bypass via repeated parameters Simon McVittie (Jan 11)