FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-29 07:54:42 UTC


k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID: 21ce1840-6107-11e4-9e84-0022156e8794
Description: twiki -- remote Perl code execution

TWiki developers report:

The debugenableplugins request parameter allows arbitrary Perl code execution.

Using an HTTP GET request towards a TWiki server, add a specially crafted debugenableplugins request parameter to TWiki's view script (typically port 80/TCP). Prior authentication may or may not be necessary.

A remote attacker can execute arbitrary Perl code to view and modify any file the webserver user has access to.

Example: http://www.example.com/do/view/Main/WebHome?debugenableplugins=BackupRestorePlugin%3bprint("Content-Type:text/html\r\n\r\nVulnerable!")%3bexit

The TWiki site is vulnerable if you see a page with text "Vulnerable!".


Discovery: 2014-10-09
Entry: 2014-10-31
Affected package: twiki < 5.1.4_1,1

References:
CVE-2014-7236
http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236

VuXML ID: a876df84-0fef-11db-ac96-000c6ec775d9
Description: twiki -- multiple file extensions file upload vulnerability

A TWiki Security Alert reports:

The TWiki upload filter already prevents executable scripts such as .php, .php1, .phps, .pl from potentially getting executed by appending a .txt suffix to the uploaded filename. However, PHP and some other types allow additional file suffixes, such as .php.en, .php.1, and .php.2. TWiki does not check for these suffixes, e.g. it is possible to upload PHP scripts with such suffixes without the .txt filename padding.

This issue can also be worked around with a restrictive web server configuration. See the TWiki Security Alert for more information about how to do this.


Discovery: 2006-07-05
Entry: 2006-07-10
Affected package: twiki < 4.0.4,1

References:
BID 18854
CVE-2006-3336
http://secunia.com/advisories/20992/
http://twiki.org/cgi-bin/view/Codev/SecurityAlertSecureFileUploads

VuXML ID: f98dea27-d687-11dd-abd1-0050568452ac
Description: twiki -- multiple vulnerabilities

Marc Schoenefeld and Steve Milner of RedHat SRT and Peter Allor of IBM ISS report:

XSS vulnerability with URLPARAM variable

SEARCH variable allows arbitrary shell command execution


Discovery: 2008-12-05
Entry: 2008-12-30
Affected package: twiki < 4.2.4,1

References:
BID 32668
BID 32669
CVE-2008-5304
CVE-2008-5305
http://secunia.com/advisories/33040
http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2008-5304
http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2008-5305
http://www.securitytracker.com/alerts/2008/Dec/1021351.html
http://www.securitytracker.com/alerts/2008/Dec/1021352.html
https://www.it-isac.org/postings/cyber/alertdetail.php?id=4513
http://xforce.iss.net/xforce/xfdb/45293