FreeBSD : ikiwiki -- multiple vulnerabilities (5ed094a0-0150-11e7-ae1b-002590263bf5)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing a security-related update.

Description :

MITRE reports :

ikiwiki 3.20161219 does not properly check if a revision changes the
access permissions for a page on sites with the git and recentchanges
plugins and the CGI interface enabled, which allows remote attackers
to revert certain changes by leveraging permissions to change the page
before the revision was made.

When CGI::FormBuilder->field('foo') is called in list context (and in
particular in the arguments to a subroutine that takes named
arguments), it can return zero or more values for foo from the CGI
request, rather than the expected single value. This breaks the usual
Perl parsing convention for named arguments, similar to CVE-2014-1572
in Bugzilla (which was caused by a similar API design issue in
CGI.pm).
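The named-argument problem described above is easy to reproduce without ikiwiki. The following Perl script is an added illustration, not code from the Nessus plugin or from the ikiwiki project: it uses a constructed stand-in for CGI::FormBuilder->field() that, like the real method, returns every submitted value in list context, and a constructed request in which one field carries three values. The page-creation subroutine and the request contents are hypothetical.

```perl
#!/usr/bin/perl
# Added example (not from the Nessus plugin or ikiwiki): a field accessor
# that returns a list in list context can inject extra key/value pairs into
# a subroutine that takes named arguments; scalar context prevents it.
use strict;
use warnings;

# Constructed request. A normal client sends one value per field; here the
# "name" field carries three values, which an HTTP client can do by
# repeating the parameter.
my %request = (
    title => ['Untitled'],
    name  => ['Alice', 'admin', '1'],
);

# Stand-in for CGI::FormBuilder->field('foo'): all values in list context,
# the first value in scalar context (same behaviour as the real API).
sub field {
    my ($name) = @_;
    my @vals = @{ $request{$name} || [] };
    return wantarray ? @vals : $vals[0];
}

# Hypothetical consumer that takes named arguments with an "admin" default.
sub create_page {
    my %args = (admin => 0, @_);
    return \%args;
}

# Vulnerable call: field() is evaluated in list context, so the argument
# list becomes (admin => 0, name => 'Alice', admin => '1'). The injected
# pair comes later in the list and overrides the caller's admin => 0.
my $bad = create_page(admin => 0, name => field('name'));
printf "list context:   name=%s admin=%s\n", $bad->{name}, $bad->{admin};
# prints: list context:   name=Alice admin=1

# Mitigated call: force scalar context so exactly one value is passed and
# the argument list keeps the shape the caller wrote.
my $good = create_page(admin => 0, name => scalar(field('name')));
printf "scalar context: name=%s admin=%s\n", $good->{name}, $good->{admin};
# prints: scalar context: name=Alice admin=0
```

Note that the attacker also controls how many values are submitted: an odd number of extra values only triggers Perl's "Odd number of elements in hash assignment" warning, while an even number silently adds well-formed key/value pairs. The general mitigation is to evaluate every request-field accessor in scalar context (or to validate that exactly one value was submitted) before using it in a named-argument list.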

See also :

https://ikiwiki.info/security/#index46h2
https://ikiwiki.info/security/#index47h2
http://www.nessus.org/u?422c31fd

Solution :

Update the affected package.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 97544

Bugtraq ID:

CVE ID: CVE-2016-10026
CVE-2016-9645
CVE-2016-9646
