PT-2006-3849 · Twiki · Twiki

Harald Joerg · Published 2006-06-20 · Updated 2017-07-20 · CVE-2006-2942

CVSS v2.0: 5.1 (Medium)
Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: TWiki versions 4.0.0 through 4.0.2

Description: The issue allows remote attackers to gain administrator privileges by modifying the action attribute in the TWiki.TWikiRegistration form to reference the Sandbox web instead of the user web. This can be used to associate a user's login name with the WikiName of a member of the TWikiAdminGroup.

Recommendations: For TWiki versions 4.0.0 through 4.0.2, consider restricting access to the TWiki.TWikiRegistration form until a fix is available. As a temporary workaround, restrict the ability to modify the action attribute in this form to prevent unauthorized access to administrator privileges.

Fix


Related Identifiers

CVE-2006-2942

Affected Products

Twiki