This question about Upgrading from TWiki to Foswiki: Answered

Are security alerts 3195, 5304, 5305 addressed in fw 1.0.0??

I had upgraded to TWiki-4.2.4 due to hacker intrusion, likely due to recent security alerts. Then, I ported to foswiki 1.0.0.

DOES Foswiki 1.0.0 cover these security vulnerabilities?

Security Alert: TWiki SEARCH variable allows arbitrary shell command execution
- Fix available in SecurityAlert-CVE-2008-5305, fixed in TWiki 4.2.4
Security Alert: Cross-site scripting vulnerability with TWiki URLPARAM variable
- Fix available in SecurityAlert-CVE-2008-5304, fixed in TWiki 4.2.4
Security Alert: Arbitrary Code Execution in Configure Script
- Fix available in SecurityAlert-CVE-2008-3195, fixed in TWiki 4.2.3

Hacker is still penetrating the install.

--Raymond

yes, Foswiki 1.0.0 covers these, and implemented them more thoroughly than T(m)Wiki. One of our changes is what Peter ported into 4.3 recently, because the change made for the CVE was leaky.

you might like to send more info to Foswiki-security@lists.sourceforge.net so we can try to help work out the new vector :/

-- SvenDowideit - 11 Mar 2009

The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. see CopyrightStatement.