Hiki Advisory 2006-07-03
Vulnerability in Hiki
Hiki Development Team
2006-07-03
I. Overview
Hiki is a Wiki clone in Ruby. A DoS vulnerability is discovered in Hiki. A remote attacker can make your server inaccessible.
II. Systems affected
- Hiki 0.6.0-0.6.5, 0.8.0-0.8.5: Vulnerable
III. Problems
(1) Generating a diff can take a long time. Computing the difference between two page versions can take a very long time because the diff algorithm used in Hiki is O(n**2) in the worst case.
Older versions of Hiki do not limit such heavy processing, so a remote attacker can exhaust the server's resources simply by requesting diffs.
IV. Corrections
A time limit on processing each incoming request has been added using Ruby's timeout library. The default limit is 30 seconds. It is configurable through the @timeout variable in hikiconf.rb.
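The following Ruby example is added here to illustrate the correction; it is not Hiki's own code. A deliberately naive, quadratic line diff stands in for the expensive operation, and a request handler wraps it in Ruby's timeout library so an overrunning request is abandoned with an error response instead of tying up the server. DEFAULT_TIMEOUT stands in for the @timeout setting in hikiconf.rb; naive_diff and handle_request are constructed names.

```ruby
require 'timeout'

# Stand-in for the @timeout value from hikiconf.rb (assumed name; 30 s is the advisory's default).
DEFAULT_TIMEOUT = 30

# A deliberately naive line diff built on a full LCS table: O(n*m) time and
# memory, the kind of quadratic worst case the advisory describes.
def naive_diff(old_lines, new_lines)
  n, m = old_lines.size, new_lines.size
  table = Array.new(n + 1) { Array.new(m + 1, 0) }
  n.times do |i|
    m.times do |j|
      table[i + 1][j + 1] =
        old_lines[i] == new_lines[j] ? table[i][j] + 1 : [table[i][j + 1], table[i + 1][j]].max
    end
  end
  # Walk the table back to emit an edit script of [op, line] pairs.
  ops = []
  i, j = n, m
  while i > 0 || j > 0
    if i > 0 && j > 0 && old_lines[i - 1] == new_lines[j - 1]
      ops.unshift([' ', old_lines[i - 1]]); i -= 1; j -= 1
    elsif j > 0 && (i == 0 || table[i][j - 1] >= table[i - 1][j])
      ops.unshift(['+', new_lines[j - 1]]); j -= 1
    else
      ops.unshift(['-', old_lines[i - 1]]); i -= 1
    end
  end
  ops
end

# Run a request handler under a wall-clock limit, as the 0.8.6 fix does with
# Ruby's timeout library. A handler that overruns is interrupted and the
# caller receives an error response instead of a hung worker.
def handle_request(limit: DEFAULT_TIMEOUT)
  { status: 200, body: Timeout.timeout(limit) { yield } }
rescue Timeout::Error
  { status: 503, body: "request exceeded #{limit}s limit" }
end

if __FILE__ == $PROGRAM_NAME
  old = %w[alpha beta gamma]   # constructed sample page versions
  new = %w[alpha gamma delta]
  p handle_request { naive_diff(old, new) }
  # Constructed slow request: the handler is cut off after 0.1 s.
  p handle_request(limit: 0.1) { sleep 5 }
end
```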
V. Solution
The Hiki Development Team has released version 0.8.6, which corrects this vulnerability. Please update your system as soon as possible.
[Related information]
The following documents are updated regularly. Please check them for the latest version.
- JVN#98836916 http://jvn.jp/jp/JVN%2398836916/
- Hiki Official Site http://hikiwiki.org/
[Revision history]
:2005/07/03 1.0 <http://hikiwiki.org/en/advisory20060703.html>: First version in English.