• Do not register here on develop.twiki.org, login with your twiki.org account.
• Use
Item7848 for generic doc work for TWiki-6.1.1. Use Item7851 for doc work on extensions that are not part of a release. More... Close
• Anything you create or change in standard webs (Main, TWiki, Sandbox etc) will be automatically reverted on every SVN update.
• Does this site look broken?. Use the LitterTray web for test cases.
• Use
Item7848 for generic doc work for TWiki-6.1.1. Use Item7851 for doc work on extensions that are not part of a release. More... Close • Anything you create or change in standard webs (Main, TWiki, Sandbox etc) will be automatically reverted on every SVN update.
• Does this site look broken?. Use the LitterTray web for test cases.
Item6251: CSRF vulnerability CVE-2009-1339: Possible to gain TWiki admin privileges with a specially crafted image tag
Item Form Data
| AppliesTo: | Component: | Priority: | CurrentState: | WaitingFor: | TargetRelease | ReleasedIn |
|---|---|---|---|---|---|---|
| Engine | Normal | Closed | patch | 4.3.1, 5.0.0 |
Edit Form Data
Detail
-- TWiki:Main/PeterThoeny
- 17 Apr 2009
Modified files: - 19 Apr 2009
Modified test cases file for supporting POST method and disabling GET method.
-- TWiki:Main.SopanShewale - 19 Apr 2009
fixed the issue: Non-authenticated user while commenting prompted for authentication, after authentication the redirect used to pass GET method and comment used to fail.
-- TWiki:Main.SopanShewale - 26 Apr 2009
I installed TWiki 4.3.1, I reinstalled/updated EditTablePlugin, PreferencesPlugin, and WysiwygPlugin first via configure, and then at the command line.
When using TinyMCE and trying to use the paperclip icon to add an attachment I still get the error - 31 May 2009
TWiki-4.3.1 contains patched EditTablePlugin, PreferencesPlugin, and WysiwygPlugin, you do not need to re-install those plugins.
I just verified, the "REST upload requires http POST method" is a new bug introduced by this security fix. Tracked in Item6270.
-- TWiki:Main.PeterThoeny - 01 Jun 2009
Thanks Peter.
-- TWiki:Main.AJAlfieriCrispin - 01 Jun 2009
Well, this security fix has far reaching consequences for me. I have a web with 647 pages that all have multiple instances of forms that use the "save" script and do not have method="post" specified.
The forms are used to display a button to generate a sub-page from a template. These pages themselves were generated from a template (which has since been fixed to use POST).
My TWiki install is limited to company users only via LDAP Apache authentication even to view the first page. Is there a way for me to turn off the POST requirement? Or any other ideas other than figuring out the right RCS commands to checkout and checkin the pages (with a sed edit session in between)?
Thanks,
AJ
-- TWiki:Main.AJAlfieriCrispin - 03 Jun 2009
Once approach is to install the TWiki:Plugins/GlobalReplacePlugin and do a global search and replace. Watch out, regex search and replace can be dangerous, so take a backup and check the confirm page before committing the changes.
-- TWiki:Main.PeterThoeny - 03 Jun 2009
BTW, I like to use INCLUDES in template topics of TWiki apps to hide repetitive stuff (such as page headers and footers), which allows one to update content / application logic in one place.
-- TWiki:Main.PeterThoeny - 03 Jun 2009
Thanks, for the pointer on the Global Replace Plugin.
Agreed on the INCLUDES. In some of my templates, I even place empty INCLUDES just in case more standard information needs to be included.
However, sometimes what is being included needs to depend on parentage for the coding, and when I tried using INCLUDES for that, it was the INCLUDES parent that was traced. I've learned work-arounds, but this is some of my earliest TWiki programming I'm dealing with.
-- TWiki:Main.AJAlfieriCrispin - 03 Jun 2009
In the INCLUDEs, you can use BASETOPIC and INCLUDING topic instead of TOPIC. Same for WEB.
-- TWiki:Main.PeterThoeny - 08 Jun 2009
- 17 Apr 2009
Modified files: - data/TWiki/TWikiForms.txt
- data/TWiki/TWikiScripts.txt
- data/TWiki/TWikiTemplates.txt
- lib/TWiki.pm
- lib/TWiki/UI.pm
- lib/TWiki/UI/Manage.pm
- lib/TWiki/UI/Register.pm
- lib/TWiki/UI/Save.pm
- lib/TWiki/UI/Upload.pm
- templates/messages.tmpl
- templates/oopsmore.tmpl
- templates/registerconfirm.tmpl
- twikiplugins/EditTablePlugin/data/TWiki/EditTablePlugin.txt
- twikiplugins/EditTablePlugin/lib/TWiki/Plugins/EditTablePlugin.pm
- twikiplugins/EditTablePlugin/lib/TWiki/Plugins/EditTablePlugin/Core.pm
- twikiplugins/PreferencesPlugin/data/TWiki/PreferencesPlugin.txt
- twikiplugins/PreferencesPlugin/lib/TWiki/Plugins/PreferencesPlugin.pm
- twikiplugins/WysiwygPlugin/data/TWiki/WysiwygPlugin.txt
- twikiplugins/WysiwygPlugin/lib/TWiki/Plugins/WysiwygPlugin.pm
- 19 Apr 2009
Modified test cases file for supporting POST method and disabling GET method.
-- TWiki:Main.SopanShewale - 19 Apr 2009
fixed the issue: Non-authenticated user while commenting prompted for authentication, after authentication the redirect used to pass GET method and comment used to fail.
-- TWiki:Main.SopanShewale - 26 Apr 2009
I installed TWiki 4.3.1, I reinstalled/updated EditTablePlugin, PreferencesPlugin, and WysiwygPlugin first via configure, and then at the command line.
When using TinyMCE and trying to use the paperclip icon to add an attachment I still get the error REST upload requires http POST method
Do I need to update the PMs .tmpl files and others?
Thanks.
-- TWiki:Main.AJAlfieriCrispin - 31 May 2009
TWiki-4.3.1 contains patched EditTablePlugin, PreferencesPlugin, and WysiwygPlugin, you do not need to re-install those plugins.
I just verified, the "REST upload requires http POST method" is a new bug introduced by this security fix. Tracked in Item6270.
-- TWiki:Main.PeterThoeny - 01 Jun 2009
Thanks Peter.
-- TWiki:Main.AJAlfieriCrispin - 01 Jun 2009
Well, this security fix has far reaching consequences for me. I have a web with 647 pages that all have multiple instances of forms that use the "save" script and do not have method="post" specified.
The forms are used to display a button to generate a sub-page from a template. These pages themselves were generated from a template (which has since been fixed to use POST).
My TWiki install is limited to company users only via LDAP Apache authentication even to view the first page. Is there a way for me to turn off the POST requirement? Or any other ideas other than figuring out the right RCS commands to checkout and checkin the pages (with a sed edit session in between)?
Thanks,
AJ
-- TWiki:Main.AJAlfieriCrispin - 03 Jun 2009
Once approach is to install the TWiki:Plugins/GlobalReplacePlugin and do a global search and replace. Watch out, regex search and replace can be dangerous, so take a backup and check the confirm page before committing the changes.
-- TWiki:Main.PeterThoeny - 03 Jun 2009
BTW, I like to use INCLUDES in template topics of TWiki apps to hide repetitive stuff (such as page headers and footers), which allows one to update content / application logic in one place.
-- TWiki:Main.PeterThoeny - 03 Jun 2009
Thanks, for the pointer on the Global Replace Plugin.
Agreed on the INCLUDES. In some of my templates, I even place empty INCLUDES just in case more standard information needs to be included.
However, sometimes what is being included needs to depend on parentage for the coding, and when I tried using INCLUDES for that, it was the INCLUDES parent that was traced. I've learned work-arounds, but this is some of my earliest TWiki programming I'm dealing with.
-- TWiki:Main.AJAlfieriCrispin - 03 Jun 2009
In the INCLUDEs, you can use BASETOPIC and INCLUDING topic instead of TOPIC. Same for WEB.
-- TWiki:Main.PeterThoeny - 08 Jun 2009
| ItemTemplate | |
|---|---|
| Summary | CSRF vulnerability CVE-2009-1339: Possible to gain TWiki admin privileges with a specially crafted image tag |
| ReportedBy |
TWiki:Main.PeterThoeny
|
| Codebase | 4.3.0, ~twiki4 |
| SVN Range | TWiki-5.0.0, Thu, 09 Apr 2009, build 17970 |
| AppliesTo | Engine |
| Component | |
| Priority | Normal |
| CurrentState | Closed |
| WaitingFor | |
| Checkins |
TWikirev:17992 TWikirev:17993 TWikirev:17994 TWikirev:17995 TWikirev:17996 TWikirev:17997 TWikirev:17998 TWikirev:17999 TWikirev:18000 TWikirev:18001 TWikirev:18002 TWikirev:18006 TWikirev:18007 TWikirev:18008 TWikirev:18009 TWikirev:18010 TWikirev:18011 TWikirev:18012 TWikirev:18013 TWikirev:18014 TWikirev:18015 TWikirev:18016 TWikirev:18017 TWikirev:18018 TWikirev:18019 TWikirev:18020 TWikirev:18021 TWikirev:18022 TWikirev:18023 TWikirev:18024 TWikirev:18025 TWikirev:18026 TWikirev:18027 TWikirev:18028 TWikirev:18029 TWikirev:18030 TWikirev:18031 TWikirev:18032 TWikirev:18033 TWikirev:18040 TWikirev:18041
|
| TargetRelease | patch |
| ReleasedIn | 4.3.1, 5.0.0 |
Topic revision: r57 - 2009-06-08 - PeterThoeny
Site map
Bugs web
Create New Report
Index
Search
Detailed Items Query
Changes
100
Notifications
RSS Feed
Statistics
Preferences
Bugs 
Items by urgency
My Reports
Recently Closed
Extensions
By Status 
Waiting for Feedback
Confirmed
Being Worked On
Waiting for Release
No Action Required
Lima 
Fixes for Rel.Notes
Create Feature Request
Account 
Copyright © 2008-2023 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. Ideas, requests, problems regarding TWiki? Send feedback