Bug 1016606 - (CVE-2016-10026) VUL-0: CVE-2016-10026: ikiwiki: authorization bypass when reverting changes
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 42.2
Hardware/OS: Other / Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Milan Vančura
Reported: 2016-12-20 22:13 UTC by Mikhail Kasimov
Modified: 2017-01-12 08:18 UTC

Description Mikhail Kasimov 2016-12-20 22:13:30 UTC
Ref: http://seclists.org/oss-sec/2016/q4/717
Reference: http://ikiwiki.info/bugs/rcs_revert_can_bypass_authorization_if_affected_files_were_renamed/
Vulnerable versions: < 3.20161219
Fixed versions: >= 3.20161219
Fix: http://source.ikiwiki.branchable.com/?p=source.git;a=commitdiff;h=9cada49ed6ad24556dbe9861ad5b0a9f526167f9

ikiwiki is a static site generator with some dynamic features,
used for wikis, blogs and other websites.

intrigeri discovered that on sites with the git and recentchanges
plugins and the CGI interface enabled, the revert links on the
RecentChanges page could revert changes on a page the logged-in user
cannot legitimately edit, if the change being reverted was made before
the page was renamed from a location that the logged-in user *could*
legitimately edit.

Please allocate a CVE ID for this vulnerability.


I don't know about this report, because, according to https://software.opensuse.org/package/ikiwiki, this package is not in the official (open)SUSE repos...
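A constructed Python model of the gap the advisory describes, added here as an illustration and not ikiwiki's own code: the vulnerable check authorizes a revert against the file paths recorded in the old change, while the corrected check first follows later renames to the paths the revert would actually rewrite in the current tree. The names (`Change`, `Rename`, `Repo`, `can_edit`) and the admin/ edit policy are assumptions of this model.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Change:          # a committed change, with file paths as recorded at commit time
    seq: int
    files: tuple

@dataclass(frozen=True)
class Rename:          # a page move performed in commit number `seq`
    seq: int
    src: str
    dst: str

@dataclass
class Repo:
    renames: list = field(default_factory=list)

    def current_path(self, path: str, since_seq: int) -> str:
        # Follow every rename committed after `since_seq`, in order, to find
        # where the content touched by that old change lives in today's tree.
        for r in sorted(self.renames, key=lambda r: r.seq):
            if r.seq > since_seq and r.src == path:
                path = r.dst
        return path

def can_edit(user: str, path: str) -> bool:
    # Constructed policy: only "admin" may edit pages under admin/.
    return user == "admin" or not path.startswith("admin/")

def revert_allowed_vulnerable(repo: Repo, user: str, change: Change) -> bool:
    # Authorizes against the historical paths only; a later rename is ignored.
    return all(can_edit(user, p) for p in change.files)

def revert_allowed_fixed(repo: Repo, user: str, change: Change) -> bool:
    # Authorizes against the paths the revert would modify in the current tree.
    return all(can_edit(user, repo.current_path(p, change.seq)) for p in change.files)

def demo() -> tuple:
    # Constructed scenario: commit 1 edits a page anyone may edit, commit 2 moves
    # it under admin/. Reverting commit 1 now rewrites admin/notes.mdwn.
    repo = Repo()
    old = Change(1, ("sandbox/notes.mdwn",))
    repo.renames.append(Rename(2, "sandbox/notes.mdwn", "admin/notes.mdwn"))
    return (revert_allowed_vulnerable(repo, "alice", old),
            revert_allowed_fixed(repo, "alice", old))   # (True, False)
```

The detection-relevant point is the second tuple element: an authorization decision for a revert must be made on the files the operation will touch now, not on the files the original change listed.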
Comment 1 Swamp Workflow Management 2016-12-20 23:04:56 UTC
bugbot adjusting priority
Comment 2 Marcus Meissner 2016-12-21 07:44:19 UTC
We are not shipping it; it might just be deployed in some places.
Comment 3 Leonardo Chiquitto 2016-12-21 18:31:48 UTC
Our internal Ikiwiki instance is maintained by the L3 Team.
Comment 4 Andreas Stieger 2017-01-12 08:18:09 UTC
Not in the distribution, closing.