
Hiki Advisory 2006-07-03

 Japanese version may be found at http://hikiwiki.org/ja/advisory20060703.html.

Vulnerability in Hiki

Hiki Development Team

2006-07-03

I. Overview

Hiki is a Wiki clone written in Ruby. A denial-of-service (DoS) vulnerability has been discovered in Hiki: a remote attacker can make your server inaccessible.

II. Systems affected

Hiki 0.6.0 - 0.6.5, 0.8.0 - 0.8.5: Vulnerable

III. Problems

(1) Computing a diff may take a long time. Getting a diff between pages may take quite a long time because the diff algorithm used in Hiki is O(n**2) in the worst case.

Older versions of Hiki do not take such heavy processing into account, so server resources may be exhausted.

IV. Corrections

A time limit on processing incoming requests has been added using Ruby's timeout library. The default is 30 seconds. It is configurable via the variable @timeout in hikiconf.rb.
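The shape of this correction, as an added example rather than Hiki's own code: a worst-case O(n*m) longest-common-subsequence diff (the algorithm family the advisory describes) is wrapped in Ruby's Timeout so that a pathological request is aborted instead of tying up the server. The names lcs_diff and handle_diff_request and the timeout_seconds parameter (standing in for @timeout in hikiconf.rb) are assumptions of this example.

```ruby
require 'timeout'

# Added example, not Hiki's own code. A classic O(n*m) LCS diff; its
# cost grows with the product of the two page lengths, which is the
# worst case the advisory describes. Returns [op, line] pairs.
def lcs_diff(old_lines, new_lines)
  n, m = old_lines.size, new_lines.size
  table = Array.new(n + 1) { Array.new(m + 1, 0) }
  n.times do |i|
    m.times do |j|
      table[i + 1][j + 1] =
        if old_lines[i] == new_lines[j]
          table[i][j] + 1
        else
          [table[i][j + 1], table[i + 1][j]].max
        end
    end
  end
  # Walk back through the table to emit the edit script.
  ops = []
  i, j = n, m
  while i > 0 || j > 0
    if i > 0 && j > 0 && old_lines[i - 1] == new_lines[j - 1]
      ops.unshift(['=', old_lines[i - 1]]); i -= 1; j -= 1
    elsif j > 0 && (i == 0 || table[i][j - 1] >= table[i - 1][j])
      ops.unshift(['+', new_lines[j - 1]]); j -= 1
    else
      ops.unshift(['-', old_lines[i - 1]]); i -= 1
    end
  end
  ops
end

# Request handler in the spirit of the fix. timeout_seconds stands in for
# the @timeout setting (assumed name for this example; default 30 s as in
# the advisory). Returns [status, body]; a diff that exceeds the limit
# yields 503 instead of holding the server process indefinitely.
def handle_diff_request(old_text, new_text, timeout_seconds = 30)
  ops = Timeout.timeout(timeout_seconds) do
    lcs_diff(old_text.split("\n"), new_text.split("\n"))
  end
  [200, ops.map { |op, line| "#{op} #{line}" }.join("\n")]
rescue Timeout::Error
  [503, "diff exceeded #{timeout_seconds}s and was aborted"]
end
```

Timeout only aborts the computation; it does not make the diff cheaper, so it is a backstop against the worst case rather than a substitute for an efficient diff algorithm.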

V. Solution

The Hiki Development Team has released version 0.8.6, which corrects the vulnerability. Please update your system as soon as possible.

[Related information]

The following documents are updated regularly. Please check for the latest version.

[Revision history]

2005/07/03 1.0 <http://hikiwiki.org/en/advisory20060703.html>: First version in English.
Last modified: 2010/03/04 04:23:52