FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

ikiwiki -- authentication bypass vulnerability

Affected packages
ikiwiki < 3.20170111

Details

VuXML ID 7b35a77a-0151-11e7-ae1b-002590263bf5
Discovery 2017-01-11
Entry 2017-03-05

ikiwiki reports:

The ikiwiki maintainers discovered further flaws similar to CVE-2016-9646 in the passwordauth plugin's use of CGI::FormBuilder, with a more serious impact:

An attacker who can log in to a site with a password can log in as a different and potentially more privileged user.

An attacker who can create a new account can set arbitrary fields in the user database for that account

References

CVE Name CVE-2017-0356
URL https://ikiwiki.info/security/#index48h2