TWiki


Sweeet TWiki - my favorite web-based wiki

Pointers

Upgrades

Includes

   %INCLUDE{http://www.geekfarm.org/wu/muse/WebHome.html}%

mod_perl

TWiki under mod_perl, PerlRun appears to be sweeeet. I got it running on my laptop with the following (enable modules, blah, blah) primitive block in httpd.conf and it's MUCH faster:

      PerlModule Apache::PerlRun
      <Location /cgi-bin>
          SetHandler perl-script
          PerlHandler Apache::PerlRun
          Options ExecCGI
          PerlSendHeader On
          allow from all
      </Location>

I also added in the following block to the .htaccess:

    <Files *>
      SetHandler perl-script
      PerlHandler Apache::Registry
      Options ExecCGI
      PerlSendHeader On
    </Files>

Not clear on whether it's needed too. It looks like people on the twiki twiki think mod_perl + twiki == r000xx004

Security Mailing List

Security Holes

Tue Dec 7, 2004 12:29 pm

The TWiki search function uses a user-supplied search string to compose a command line executed by the Perl backtick (``) operator.

The search string is not checked properly for shell metacharacters and is thus vulnerable to search strings containing quotes and shell commands.

An example search string would be: "test_vulnerability '; ls -la'"

If access to TWiki is not restricted by other means, attackers can use the search function without prior authentication.
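
The pattern the advisory describes, next to a shell-free alternative, as an added example (not TWiki's own code). `grep` is an assumed stand-in for the command the search function builds, and the sample file and the function names are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Constructed sample topic file standing in for a wiki data directory.
my $dir = tempdir(CLEANUP => 1);
open(my $fh, '>', "$dir/Sample.txt") or die "write: $!";
print $fh "nothing to see here\ntest_vulnerability '; ls -la' appears literally\n";
close($fh);

# The example search string given in the advisory text above.
my $search = "test_vulnerability '; ls -la'";

# Vulnerable pattern (built but NOT executed here): the string is pasted
# between single quotes, so a quote inside it ends the quoting early and
# the shell parses the remainder as further commands.
sub unsafe_command_line {
    my ($pattern, $path) = @_;
    return "grep -l '$pattern' $path";    # this is what `...` would run
}

# Hardened form: list-form pipe open execs grep directly with no shell,
# so the pattern is a single argv element whatever characters it holds.
# -F treats it as a fixed string; "--" stops it being read as an option.
sub safe_search {
    my ($pattern, @files) = @_;
    open(my $grep, '-|', 'grep', '-l', '-F', '--', $pattern, @files)
        or die "cannot run grep: $!";
    chomp(my @hits = <$grep>);
    close($grep);    # grep exits 1 when nothing matches; not an error here
    return @hits;
}

print "shell would see: ", unsafe_command_line($search, "$dir/*.txt"), "\n";
print "safe match: $_\n" for safe_search($search, glob("$dir/*.txt"));
```

The first line of output shows the quoted pattern closing early with `; ls -la` left outside the quotes; the second shows the same string matched as plain text in the sample file.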




Updated Sun Jul 23, 2006 12:14 PM