[Japanese]

JVNDB-2007-000476

Hiki arbitrary file deletion vulnerability

Overview

Hiki, a Wiki clone software developed by Hiki Development Team, contains a vulnerability that allows a remote attacker to delete arbitrary files.

Hiki contains a vulnerability that allows an arbitrary file to be deleted on a server running Hiki. This is caused by the improper handling of a session management file.
CVSS Severity (What is CVSS?)

Base Metrics: 2.6 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None

Affected Products


Hiki Development Team
  • Hiki 0.8.0 - 0.8.6

Impact

A remote attacker may be able to delete arbitrary files with the privilege of the user running Hiki.
Solution

[Upgrade the software]

The developer has released Hiki 0.8.7 which contains the fix for this vulnerability. We recommend that affected users upgrade their software to the fixed version.
Vendor Information

Hiki Development Team
CWE (What is CWE?)

  1. Path Traversal(CWE-22) [NVD Evaluation]
CVE (What is CVE?)

  1. CVE-2007-2836
References

  1. JVN : JVN#05187780
  2. National Vulnerability Database (NVD) : CVE-2007-2836
  3. Secunia Advisory : SA25764
  4. SecurityFocus : 24603
  5. FrSIRT Advisories : FrSIRT/ADV-2007-2304
Revision History

[2008/05/21]
  Web page published

Date Public2007/06/25
Date First Published2008/05/21
Date Last Updated2008/05/21