CVE-2006-6071 - Information Disclosure vulnerability in TWiki Failed Login

CVSS 9.0 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: SINGLE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE

Summary

TWiki 4.0.5 and earlier, when running under Apache 1.3 using ApacheLogin with sessions and "ErrorDocument 401" redirects to a valid wiki topic, does not properly handle failed login attempts, which allows remote attackers to read arbitrary content by cancelling out of a failed authentication with a valid username and invalid password.

Vulnerable Configurations

Part         Description   Count
Application  Twiki         3

Seebug

Bulletin family: exploit
Description: TWiki is a popular web-based wiki program. TWiki does not handle failed logins properly; a remote attacker can exploit this to access restricted topics. A site is affected when it is configured as follows:
1. ErrorDocument 401 is set to point to the TWikiRegistration topic (or any other TWiki topic), and
2. TWiki-4.0 is used with ApacheLogin and sessions enabled, or an earlier TWiki version is used with SessionPlugin, and
3. Apache 1.3 is running.
The following method can then be used to test for the problem:
1. Click the 'Login' link in the left bar.
2. Enter a valid username but a wrong password.
3. Click "ok".
4. If Apache prompts again, enter the same username and password again.
5. Click "cancel".
If the site has the problem, it redirects to the TWikiRegistration topic as the valid user.
Affected versions: TWiki with SessionPlugin 01-Sep-2004, 02-Sep-2004, 03-Sep-2004, 04-Sep-2004; TWiki 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5.
Refer to the following link for patch information: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2006-6071
ID: SSV:665
Last seen: 2017-11-19
Modified: 2006-12-05
Published: 2006-12-05
Reporter: Root
Title: TWiki Failed Login Information Disclosure Vulnerability