====================================================================
CERT-Renater Information Note No. 2017/VULN009
_____________________________________________________________________
DATE                 : 16/01/2017
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running ikiwiki versions prior to 3.20170111
                       (Debian 8: versions prior to 3.20141016.4).
=====================================================================
https://ikiwiki.info/security/#cve-2017-0356
____________________________________________________________________

Authentication bypass via repeated parameters

The ikiwiki maintainers discovered further flaws similar to CVE-2016-9646 in the passwordauth plugin's use of CGI::FormBuilder, with a more serious impact:

  - An attacker who can log in to a site with a password can log in as a different and potentially more privileged user.
  - An attacker who can create a new account can set arbitrary fields in the user database for that account.

This was fixed in ikiwiki 3.20170111, with fixes backported to Debian 8 in version 3.20141016.4. (CVE-2017-0356/OVE-20170111-0001)

==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER         | tel : 01-53-94-20-44             +
+ 23 - 25 Rue Daviel   | fax : 01-53-94-20-41             +
+ 75013 Paris          | email: cert@support.renater.fr   +
==========================================================
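The following is an illustration of the repeated-parameter bug class this note describes, added here for the reader; it is not taken from the advisory or from ikiwiki's source. The query string, the field() accessor, userinfo_set() and the two save_email_* functions are constructed stand-ins that only mimic how CGI.pm's param() and CGI::FormBuilder's field() return one value in scalar context but every submitted value in list context. It shows why a field spliced straight into an argument list lets a repeated parameter overwrite the neighbouring arguments, and one way to harden such a call.

```perl
#!/usr/bin/perl
# Illustration of the "repeated parameter" bug class (CVE-2016-9646 /
# CVE-2017-0356 family). Added example: it does NOT reproduce ikiwiki's
# code; the query string, field(), userinfo_set() and the save_* functions
# are all constructed stand-ins.
use strict;
use warnings;

# Constructed request an attacker might send. "name" is repeated three
# times so the extra values land in the positions of the next two
# arguments of any call that splices the field into an argument list.
my $QUERY = 'name=victim&name=password&name=hunter2&email=attacker%40example.com';

# Minimal query-string parser. Every field maps to an array of values, so
# repeats are preserved, as CGI.pm and CGI::FormBuilder also preserve them.
sub parse_query {
    my ($qs) = @_;
    my %params;
    for my $pair (split /&/, $qs) {
        my ($k, $v) = split /=/, $pair, 2;
        $v = '' unless defined $v;
        for ($k, $v) {
            s/\+/ /g;
            s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
        }
        push @{ $params{$k} }, $v;
    }
    return \%params;
}

# Context-sensitive accessor mimicking CGI->param / CGI::FormBuilder->field:
# all values in list context, only the first one in scalar context.
sub field {
    my ($params, $name) = @_;
    my @values = @{ $params->{$name} || [] };
    return wantarray ? @values : $values[0];
}

# Stand-in for a per-user database writer with positional arguments.
my %userinfo;
sub userinfo_set {
    my ($user, $key, $value) = @_;    # any extra arguments are silently dropped
    $userinfo{$user}{$key} = $value;
    return 1;
}

# VULNERABLE: field() is evaluated in list context because it sits inside an
# argument list, so the repeated "name" expands in place and the call becomes
#   userinfo_set('victim', 'password', 'hunter2', 'email', 'attacker@example.com')
# The attacker now chooses both the key and the value written for "victim".
sub save_email_vulnerable {
    my ($params) = @_;
    return userinfo_set(field($params, 'name'), 'email', field($params, 'email'));
}

# HARDENED: refuse any request that repeats a field we treat as a scalar, and
# force scalar context on the remaining accesses so one field can never
# become two arguments.
sub save_email_hardened {
    my ($params) = @_;
    for my $name (qw(name email)) {
        my @values = field($params, $name);
        die "repeated parameter: $name\n" if @values > 1;
    }
    return userinfo_set(scalar field($params, 'name'), 'email',
                        scalar field($params, 'email'));
}

my $params = parse_query($QUERY);

save_email_vulnerable($params);
print "vulnerable: victim's record is now ",
    join(', ', map { "$_=$userinfo{victim}{$_}" } sort keys %{ $userinfo{victim} }),
    "\n";

%userinfo = ();
if (eval { save_email_hardened($params); 1 }) {
    print "hardened: wrote ",
        join(', ', map { "$_=$userinfo{victim}{$_}" } sort keys %{ $userinfo{victim} }),
        "\n";
} else {
    chomp(my $err = $@);
    print "hardened: request rejected ($err)\n";
}
```

Run it with perl: the vulnerable path writes an attacker-chosen key and value into the victim's record, while the hardened path rejects the request. The rule to take away is the same one the Bugzilla CVE-2014-1572 fix established: a CGI or FormBuilder accessor used as a function argument, as a hash value, or on the right of a list assignment is in list context, so it must be wrapped in scalar() or the request must be rejected when the field is repeated.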