
Item6251: CSRF vulnerability CVE-2009-1339: Possible to gain TWiki admin privileges with a specially crafted image tag

Item Form Data

AppliesTo: Engine
Component:
Priority: Normal
CurrentState: Closed
WaitingFor:
TargetRelease: patch
ReleasedIn: 4.3.1, 5.0.0


Detail

-- TWiki:Main/PeterThoeny - 17 Apr 2009

Modified files:

  • data/TWiki/TWikiForms.txt
  • data/TWiki/TWikiScripts.txt
  • data/TWiki/TWikiTemplates.txt
  • lib/TWiki.pm
  • lib/TWiki/UI.pm
  • lib/TWiki/UI/Manage.pm
  • lib/TWiki/UI/Register.pm
  • lib/TWiki/UI/Save.pm
  • lib/TWiki/UI/Upload.pm
  • templates/messages.tmpl
  • templates/oopsmore.tmpl
  • templates/registerconfirm.tmpl
  • twikiplugins/EditTablePlugin/data/TWiki/EditTablePlugin.txt
  • twikiplugins/EditTablePlugin/lib/TWiki/Plugins/EditTablePlugin.pm
  • twikiplugins/EditTablePlugin/lib/TWiki/Plugins/EditTablePlugin/Core.pm
  • twikiplugins/PreferencesPlugin/data/TWiki/PreferencesPlugin.txt
  • twikiplugins/PreferencesPlugin/lib/TWiki/Plugins/PreferencesPlugin.pm
  • twikiplugins/WysiwygPlugin/data/TWiki/WysiwygPlugin.txt
  • twikiplugins/WysiwygPlugin/lib/TWiki/Plugins/WysiwygPlugin.pm

-- TWiki:Main.PeterThoeny - 19 Apr 2009

Modified the test cases file to support the POST method and disable the GET method.

-- TWiki:Main.SopanShewale - 19 Apr 2009

Fixed the issue: a non-authenticated user who was commenting was prompted for authentication; after authentication, the redirect used to pass the GET method and the comment used to fail.

-- TWiki:Main.SopanShewale - 26 Apr 2009
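The two behaviours discussed in the comments above, modelled as an added example (this is not TWiki's code and not from the bug report): a state-changing script reachable by GET is a CSRF vector, because an `<img>` tag on any page the victim views makes the victim's browser fetch `src` with the victim's session cookie, and requiring POST closes it since an image tag cannot issue a POST. The same check explains the comment regression: browsers follow a 302 with GET, so a request replayed after the login redirect arrives as GET and is rejected. The script names, paths, the `text` parameter, the `Set GROUP` payload and the in-memory store are assumptions for illustration.

```python
# Added example, not TWiki's code and not from this bug report. It models the
# two behaviours the report discusses: a state-changing script that accepts
# GET is a CSRF vector, because an <img> tag on any page the victim views makes
# the victim's browser fetch src with the victim's session cookie; requiring
# POST closes that, since an <img> cannot issue a POST. It also shows why the
# login redirect then broke: browsers follow a 302 with GET, so a replayed
# "save" arrives as GET and is rejected by the same check. The script names,
# paths, parameter names and the in-memory store are assumptions.
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Assumed set of state-changing scripts, modelled on the files the fix touched.
STATE_CHANGING = {"save", "upload", "rest", "manage", "register"}


@dataclass
class Request:
    method: str
    path: str            # e.g. "/bin/save/Main/TWikiAdminGroup"
    params: dict         # query-string or form fields, as parse_qs gives them
    authenticated: bool  # True if the browser attached a valid session cookie


def path_parts(path: str) -> list:
    """'/bin/save/Main/Topic' -> ['save', 'Main', 'Topic']"""
    parts = [p for p in path.split("/") if p]
    return parts[1:] if parts and parts[0] == "bin" else parts


def handle(req: Request, store: dict, require_post: bool) -> tuple:
    """Minimal dispatcher. require_post=False behaves like the pre-fix code,
    where any authenticated request, GET included, can change a topic;
    require_post=True is the CVE-2009-1339 style check."""
    parts = path_parts(req.path)
    script = parts[0] if parts else "view"
    if script not in STATE_CHANGING:
        return 200, "view"
    if not req.authenticated:
        return 401, "login required"
    if require_post and req.method != "POST":
        return 405, f"{script} requires http POST method"
    if script == "save":
        topic = ".".join(parts[1:])
        store[topic] = req.params.get("text", [""])[0]
        return 200, f"saved {topic}"
    return 200, f"{script} ok"


IMG_SRC_RE = re.compile(r'<img\b[^>]*\ssrc\s*=\s*"([^"]+)"', re.I)


def request_from_img_tag(html: str, victim_logged_in: bool) -> Request:
    """What the victim's browser does with a crafted <img>: an unconditional
    GET to src, sending whatever session cookie it holds for that host."""
    url = IMG_SRC_RE.search(html).group(1)
    u = urlsplit(url)
    return Request("GET", u.path, parse_qs(u.query), victim_logged_in)


def follow_login_redirect(original: Request) -> Request:
    """After the login form succeeds, the server 302-redirects back to the
    original URL. Browsers follow a 302 with GET, so an original POST
    comes back as a GET."""
    return Request("GET", original.path, original.params, True)


# Constructed attack page: the 'text' payload is an assumed Set GROUP line
# that would add an attacker to the admin group if the save went through.
CRAFTED_PAGE = (
    '<p>cute kitten</p><img width="1" height="1" '
    'src="http://wiki.example/bin/save/Main/TWikiAdminGroup'
    '?text=%20%20%20*%20Set%20GROUP%20%3D%20AttackerUser">'
)


def demo() -> dict:
    """Run the scenarios and return their results for inspection."""
    results = {}
    victim_get = request_from_img_tag(CRAFTED_PAGE, victim_logged_in=True)
    vuln_store, fixed_store = {}, {}
    results["img_vs_vulnerable"] = handle(victim_get, vuln_store, require_post=False)
    results["img_vs_fixed"] = handle(victim_get, fixed_store, require_post=True)
    results["admin_group_after_vulnerable"] = vuln_store.get("Main.TWikiAdminGroup")
    results["admin_group_after_fixed"] = fixed_store.get("Main.TWikiAdminGroup")

    # A real form submission still works under the fix.
    form_post = Request("POST", "/bin/save/Main/Notes", {"text": ["hello"]}, True)
    results["form_post_vs_fixed"] = handle(form_post, {}, require_post=True)

    # The regression from the thread: unauthenticated comment, login, replay as GET.
    anon_post = Request("POST", "/bin/save/Main/Notes", {"text": ["a comment"]}, False)
    results["anon_post"] = handle(anon_post, {}, require_post=True)
    results["replay_after_login"] = handle(follow_login_redirect(anon_post), {}, require_post=True)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last two results are the point of the 19 Apr comment: the POST-only check is correct, but any login flow that bounces the user back with a redirect must carry the original request (method and body) through the login rather than replaying the URL as a GET.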

I installed TWiki 4.3.1 and reinstalled/updated EditTablePlugin, PreferencesPlugin, and WysiwygPlugin, first via configure and then at the command line.

When using TinyMCE and trying to use the paperclip icon to add an attachment, I still get the error "REST upload requires http POST method".

Do I need to update the PMs .tmpl files and others?

Thanks.

-- TWiki:Main.AJAlfieriCrispin - 31 May 2009

TWiki-4.3.1 contains patched EditTablePlugin, PreferencesPlugin, and WysiwygPlugin, you do not need to re-install those plugins.

I just verified, the "REST upload requires http POST method" is a new bug introduced by this security fix. Tracked in Item6270.

-- TWiki:Main.PeterThoeny - 01 Jun 2009

Thanks Peter.

-- TWiki:Main.AJAlfieriCrispin - 01 Jun 2009

Well, this security fix has far reaching consequences for me. I have a web with 647 pages that all have multiple instances of forms that use the "save" script and do not have method="post" specified.

The forms are used to display a button to generate a sub-page from a template. These pages themselves were generated from a template (which has since been fixed to use POST).

My TWiki install is limited to company users only via LDAP Apache authentication even to view the first page. Is there a way for me to turn off the POST requirement? Or any other ideas other than figuring out the right RCS commands to checkout and checkin the pages (with a sed edit session in between)?

Thanks, AJ

-- TWiki:Main.AJAlfieriCrispin - 03 Jun 2009

One approach is to install the TWiki:Plugins/GlobalReplacePlugin and do a global search and replace. Watch out: regex search and replace can be dangerous, so take a backup and check the confirm page before committing the changes.

-- TWiki:Main.PeterThoeny - 03 Jun 2009
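A scripted alternative to the plugin pass, as an added example that is not part of this thread, TWiki, or the GlobalReplacePlugin: it adds `method="post"` only to forms whose action targets a script that now rejects GET (it also rewrites an explicit `method="get"` on such forms, since that breaks the same way), leaves every other form untouched, and emits a unified diff to review before anything is checked in. The script list, the action URL formats it recognises (`%SCRIPTURL{save}%`, `%SCRIPTURLPATH%/save/...`, `/bin/save/...`) and the sample topic text are assumptions.

```python
# Added example, not from this thread, TWiki, or the GlobalReplacePlugin:
# a targeted rewrite that adds method="post" to <form> tags whose action
# points at a script that now requires POST, and leaves every other form
# alone. It also produces a unified diff so the change can be reviewed
# before anything is checked in. The script list, the action formats it
# recognises and the sample topic text are assumptions.
import difflib
import re

# Assumed: scripts that reject GET after the fix; "save" is the one in the thread.
POST_ONLY = ("save", "upload", "rest", "manage", "register")

FORM_TAG_RE = re.compile(r"<form\b([^>]*)>", re.I)
ATTR_VALUE = r"""(?:"([^"]*)"|'([^']*)'|([^\s>]+))"""
ACTION_RE = re.compile(r"\baction\s*=\s*" + ATTR_VALUE, re.I)
METHOD_RE = re.compile(r"\s*\bmethod\s*=\s*" + ATTR_VALUE, re.I)
SCRIPTURL_VAR_RE = re.compile(r'%SCRIPTURL(?:PATH)?\{\s*"?(\w+)"?\s*\}%')
SCRIPTURL_BARE_RE = re.compile(r"%SCRIPTURL(?:PATH)?%")


def _value(match) -> str:
    """Return whichever quoting alternative of ATTR_VALUE matched."""
    return next(g for g in match.groups() if g is not None)


def action_script(action: str) -> str:
    """Name of the TWiki script an action URL targets, or '' if unknown.
    Handles %SCRIPTURL{save}%/..., %SCRIPTURLPATH%/save/... and .../bin/save/..."""
    m = SCRIPTURL_VAR_RE.search(action)
    if m:
        return m.group(1)
    segs = action.split("/")
    for i, seg in enumerate(segs[:-1]):
        if seg == "bin" or SCRIPTURL_BARE_RE.fullmatch(seg):
            return segs[i + 1].split("?", 1)[0]
    return ""


def add_post_method(text: str, scripts=POST_ONLY) -> tuple:
    """Return (rewritten_text, number_of_forms_changed). Idempotent."""
    changed = 0

    def repl(m):
        nonlocal changed
        tag, attrs = m.group(0)[:5], m.group(1)   # keep the original tag case
        am = ACTION_RE.search(attrs)
        if not am or action_script(_value(am)) not in scripts:
            return m.group(0)                      # not a POST-only script
        mm = METHOD_RE.search(attrs)
        if mm and _value(mm).lower() == "post":
            return m.group(0)                      # already correct
        if mm:
            attrs = attrs[:mm.start()] + attrs[mm.end():]  # drop method="get"
        changed += 1
        return f'{tag} method="post"{attrs}>'

    return FORM_TAG_RE.sub(repl, text), changed


def preview(before: str, after: str, name: str = "topic.txt") -> list:
    """Unified diff lines to eyeball before committing, like a confirm page."""
    return list(difflib.unified_diff(before.splitlines(), after.splitlines(),
                                     f"a/{name}", f"b/{name}", lineterm=""))


# Constructed sample topic: one create-from-template form without a method,
# one search form (view, must stay as is), one explicit GET to save, and one
# form whose tag spans two lines with a single-quoted action.
SAMPLE_TOPIC = """---+ Project Index
<form action="%SCRIPTURL{save}%/%WEB%/NewProjectAUTOINC0">
<input type="hidden" name="templatetopic" value="ProjectTemplate" />
<input type="submit" value="Create project" />
</form>

<form action="%SCRIPTURLPATH%/view/%WEB%/WebSearch">
<input type="text" name="search" /> <input type="submit" value="Search" />
</form>

<FORM METHOD="get" ACTION="/twiki/bin/save/Main/Scratch">
<input type="submit" value="Explicit GET to save, also broken" />
</FORM>

<form
  action='/twiki/bin/save/Main/Notes'>
<input type="submit" value="Add note" />
</form>
"""

if __name__ == "__main__":
    new_text, n = add_post_method(SAMPLE_TOPIC)
    print(f"{n} form(s) changed")
    print("\n".join(preview(SAMPLE_TOPIC, new_text)))
```

Run it against a copy of the topic files, read the diff, and only then put the result back through TWiki (or RCS) so the topic history stays intact; a rewrite of the `.txt` files in place without a check-in is exactly the kind of change the next plugin or upgrade pass will not know about.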

BTW, I like to use INCLUDES in template topics of TWiki apps to hide repetitive stuff (such as page headers and footers), which allows one to update content / application logic in one place.

-- TWiki:Main.PeterThoeny - 03 Jun 2009

Thanks, for the pointer on the Global Replace Plugin.

Agreed on the INCLUDES. In some of my templates, I even place empty INCLUDES just in case more standard information needs to be included.

However, sometimes what is being included needs to depend on parentage for the coding, and when I tried using INCLUDES for that, it was the INCLUDES parent that was traced. I've learned work-arounds, but this is some of my earliest TWiki programming I'm dealing with.

-- TWiki:Main.AJAlfieriCrispin - 03 Jun 2009

In the INCLUDEs, you can use BASETOPIC and INCLUDINGTOPIC instead of TOPIC. Same for WEB.

-- TWiki:Main.PeterThoeny - 08 Jun 2009

Topic revision: r57 - 2009-06-08 - PeterThoeny
 