Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
|
TWiki History Function Input Validation Hole Lets Remote Users Execute Arbitrary Commands
|
|
SecurityTracker Alert ID: 1014918
|
|
SecurityTracker URL: http://securitytracker.com/id?1014918
|
|
CVE Reference: CAN-2005-2877
(Links to External Site)
|
Date: Sep 16 2005
|
Impact: Execution of arbitrary code via network, User access via network
|
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
|
Version(s): TWiki20040902 and prior versions
|
Description: A vulnerability was reported in TWiki in the history function. A remote user can execute arbitrary commands on the target system.
The TWiki revision control function does not properly validate user-supplied input. A remote user can supply a specially crafted
URL containing shell metacharacters to execute arbitrary commands on the target system. The commands will run with the privileges
of the target web service.
A demonstration exploit is provided:
/cgi-bin/view/Main/TWikiUsers?rev=2%20%7Cless%20/etc/passwd
The
vendor credits B4dP4nd4 with reporting this vulnerability.
|
Impact: A remote user can execute arbitrary commands on the target system with the privileges of the target web service.
|
Solution: The vendor has issued a hotfix, described in the vendor's advisory at:
http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithRev
|
Vendor URL: twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithRev (Links to External Site)
|
Cause: Input validation error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
Reported By: "Sap ." <0xsapx0@gmail.com>
|
Message History:
None.
|
Source Message Contents
|
Date: Wed, 14 Sep 2005 10:23:58 -0700
From: "Sap ." <0xsapx0@gmail.com>
Subject: TWiki Remote Command Execution Vulnerability
|
This advisory alerts you of a potential security issue with your
TWiki installation: The TWiki history function allows arbitrary
shell command execution. The permanent place for this advisory is
http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithRev .
Please see updates and follow-up on that topic.
If you do not use TWiki, please ignore this e-mail. If you don't
administer your TWiki site, or started a site now administered by
someone else, please pass it to the current TWiki site administrator.
Table of Contents:
* Vulnerable Software Version
* Attack Vectors
* Impact
* MITRE Name for this Vulnerability
* Details
* Countermeasures
* Authors and Credits
* Hotfix
* Patch for TWiki Production Release 01-Sep-2004 and 02-Sep-2004
* Patch for TWiki Production Release 01-Feb-2003
* Patch for TWiki Production Release 01-Dec-2001
* Patch for TWiki Production Release 01-Dec-2000
* TWiki News
---++ Vulnerable Software Version
* TWikiRelease02Sep2004[2] -- TWiki20040902.zip
* TWikiRelease01Sep2004[3] -- TWiki20040901.zip
* TWikiRelease01Feb2003[4] -- TWiki20030201.zip
* TWikiRelease01Dec2001[5] -- TWiki20011201.zip
* TWikiRelease01Dec2000[6] -- TWiki20001201.zip
Not affected are:
* Recent DakarReleases[7] (upcoming production release, soon)
* TWikiRelease01Sep2004 patched with Florian Weimer's
UncoordinatedSecurityAlert23Feb2005[8]
---++ Attack Vectors
HTTP GET requests towards the Wiki server (typically port 80/TCP).
Usually, no prior authentication is necessary.
Possibly also HTTP POST, but this is untested.
---++ Impact
An attacker is able to execute arbitrary shell commands with the
privileges of the web server process, such as user nobody.
---++ MITRE Name for this Vulnerability
The Common Vulnerabilities and Exposures project has assigned the
name CAN-2005-2877 to this vulnerability.
---++ Details
The TWiki revision control function uses a user supplied URL
parameter to compose a command line executed by the Perl backtick
(``) operator.
The URL parameter is not checked properly for shell metacharacters
and is thus vulnerable to revision numbers containing pipes and
shell commands. Exploit is possible on topics with two or more
revisions.
Example URL path with exploited rev parameter:
/cgi-bin/view/Main/TWikiUsers?rev=2%20%7Cless%20/etc/passwd
If access to TWiki is not restricted by other means, attackers can
use the revision function without prior authentication.
See Also: SecurityAlertExecuteCommandsWithSearch[9] and
UncoordinatedSecurityAlert23Feb2005[8]
---++ Countermeasures
* Apply hotfix (see patches below)
* NOTE: The hotfix is known to prevent the current attacks,
but it might not be a complete fix
* Upgrade to the latest patched production TWikiRelease03Sep2004[1]
* NOTE: If you are running an *unmodified*
TWikiRelease02Sep2004[2], simply copy the patched
lib/TWiki/Store.pm, lib/TWiki/UI/RDiff.pm,
lib/TWiki/UI/View.pm and lib/TWiki/UI/Viewfile.pm to your
installation
* Apply patch of UncoordinatedSecurityAlert23Feb2005[6] (but see
known issues of that patch)
* Filter access to the web server
* Use the web server software to restrict access to the web pages
served by TWiki
---++ Authors and Credits
* Credit to B4dP4nd4 (b4dp4nd4@gmail.com) for disclosing the issue
to the twiki-security@lists.sourceforge.net mailing list
* PeterThoeny, CrawfordCurrie, SvenDowideit, ColasNahaboo,
WillNorris, RichardDonkin, B4dP4nd4 and Florian Weimer for
contributing to this advisory
---++ Hotfix
---+++ Patch for TWiki Production Release 01-Sep-2004 and 02-Sep-2004
Affected files: =twiki/lib/TWiki/Store.pm=, =twiki/lib/TWiki/UI/RDiff.pm=,
=twiki/lib/TWiki/UI/View.pm=, =twiki/lib/TWiki/UI/Viewfile.pm=
See also attached patch file TWiki200409-02-03.patch
--- lib/TWiki/Store.pm.orig Thu Jul 22 01:43:40 2004
+++ lib/TWiki/Store.pm Thu Sep 8 21:30:44 2005
@@ -572,7 +572,9 @@
}
$theRev = "" unless( $theRev );
- $theRev =~ s/^1\.//o;
+ $theRev =~ s/r?1\.//o; # cut 'r' and major
+ # Fix for Codev.SecurityAlertExecuteCommandsWithRev
+ $theRev = "" unless( $theRev =~ s/.*?([0-9]+).*/$1/o );
$topicHandler = _getTopicHandler( $theWebName, $theTopic,
$attachment ) if( ! $topicHandler );
my( $rcsOut, $rev, $date, $user, $comment ) =
$topicHandler->getRevisionInfo( $theRev );
--- lib/TWiki/UI/RDiff.pm.orig Sun Aug 8 01:28:45 2004
+++ lib/TWiki/UI/RDiff.pm Thu Sep 8 21:33:13 2005
@@ -409,6 +409,9 @@
if( ! $rev2 ) { $rev2 = 0; }
$rev1 =~ s/r?1\.//go; # cut 'r' and major
$rev2 =~ s/r?1\.//go; # cut 'r' and major
+ # Fix for Codev.SecurityAlertExecuteCommandsWithRev
+ $rev1 = $maxrev unless( $rev1 =~ s/.*?([0-9]+).*/$1/o );
+ $rev2 = $maxrev unless( $rev2 =~ s/.*?([0-9]+).*/$1/o );
if( $rev1 < 1 ) { $rev1 = $maxrev; }
if( $rev1 > $maxrev ) { $rev1 = $maxrev; }
if( $rev2 < 1 ) { $rev2 = 1; }
--- lib/TWiki/UI/View.pm.orig Tue Aug 24 23:36:15 2004
+++ lib/TWiki/UI/View.pm Thu Sep 8 21:34:52 2005
@@ -107,6 +107,8 @@
if( $rev ) {
$rev =~ s/r?1\.//go; # cut 'r' and major
+ # Fix for Codev.SecurityAlertExecuteCommandsWithRev
+ $rev = $maxrev unless( $rev =~ s/.*?([0-9]+).*/$1/o );
if( $rev < 1 ) { $rev = 1; }
if( $rev > $maxrev ) { $rev = $maxrev; }
} else {
--- lib/TWiki/UI/Viewfile.pm.orig Fri May 28 23:51:35 2004
+++ lib/TWiki/UI/Viewfile.pm Thu Sep 8 21:35:59 2005
@@ -43,6 +43,9 @@
my $fileName = $query->param( 'filename' );
my $rev = $query->param( 'rev' ) || "";
+ $rev =~ s/r?1\.//o; # cut 'r' and major
+ # Fix for Codev.SecurityAlertExecuteCommandsWithRev
+ $rev = "" unless( $rev =~ s/.*?([0-9]+).*/$1/o );
return unless TWiki::UI::webExists( $webName, $topic );
---+++ Patch for TWiki Production Release 01-Feb-2003
Affected files: =twiki/lib/TWiki/Store.pm=, =twiki/bin/rdiff=,
=twiki/bin/view=, =twiki/bin/viewfile=
--- lib/TWiki/Store.pm.orig Sat Jan 4 17:36:56 2003
+++ lib/TWiki/Store.pm Thu Sep 8 23:10:58 2005
@@ -351,9 +351,11 @@
if( ! $theWebName ) {
$theWebName = $TWiki::webName;
}
- $theRev =~ s/^1\.//o;
+ $theRev =~ s/r?1\.//o; # cut 'r' and major
+ # Fix for Codev.SecurityAlertExecuteCommandsWithRev
+ $theRev = "" unless( $theRev =~ s/.*?([0-9]+).*/$1/o );
$topicHandler = _getTopicHandler( $theWebName, $theTopic,
$attachment ) if( ! $topicHandler );
my( $rcsOut, $rev, $date, $user, $comment ) =
$topicHandler->getRevisionInfo( $theRev );
--- bin/rdiff.orig Sat Feb 1 00:57:32 2003
+++ bin/rdiff Thu Sep 8 23:18:05 2005
@@ -155,6 +155,9 @@
if( ! $rev2 ) { $rev2 = 0; }
$rev1 =~ s/r?1\.//go; # cut 'r' and major
$rev2 =~ s/r?1\.//go; # cut 'r' and major
+ # Fix for Codev.SecurityAlertExecuteCommandsWithRev
+ $rev1 = $maxrev unless( $rev1 =~ s/.*?([0-9]+).*/$1/o );
+ $rev2 = $maxrev unless( $rev2 =~ s/.*?([0-9]+).*/$1/o );
if( $rev1 < 1 ) { $rev1 = $maxrev; }
if( $rev1 > $maxrev ) { $rev1 = $maxrev; }
if( $rev2 < 1 ) { $rev2 = 1; }
--- bin/view.orig Thu Jan 30 00:21:25 2003
+++ bin/view Thu Sep 8 23:13:47 2005
@@ -123,6 +123,8 @@
writeDebug( "maxrev = $maxrev" );
if( $rev ) {
$rev =~ s/r?1\.//go; # cut 'r' and major
+ # Fix for Codev.SecurityAlertExecuteCommandsWithRev
+ $rev = $maxrev unless( $rev =~ s/.*?([0-9]+).*/$1/o );
if( $rev < 1 ) { $rev = 1; }
if( $rev > $maxrev ) { $rev = $maxrev; }
} else {
--- bin/viewfile.orig Sun Jan 5 00:36:54 2003
+++ bin/viewfile Thu Sep 8 23:14:54 2005
@@ -63,6 +63,9 @@
my $fileName = $query->param( 'filename' );
my $rev = $query->param( 'rev' ) || "";
+ $rev =~ s/r?1\.//o; # cut 'r' and major
+ # Fix for Codev.SecurityAlertExecuteCommandsWithRev
+ $rev = "" unless( $rev =~ s/.*?([0-9]+).*/$1/o );
my $topRev = &TWiki::Store::getRevisionNumber( $webName, $topic,
$fileName );
if( ( $rev ) && ( $rev ne $topRev ) ) {
---+++ Patch for TWiki Production Release 01-Dec-2001
Affected files: =twiki/bin/rdiff=, =twiki/bin/view=, =twiki/bin/viewfile=
--- bin/rdiff.orig Tue Nov 13 18:59:02 2001
+++ bin/rdiff Thu Sep 8 23:51:50 2005
@@ -149,6 +149,9 @@
if( ! $rev2 ) { $rev2 = 0; }
$rev1 =~ s/r?1\.//go; # cut 'r' and major
$rev2 =~ s/r?1\.//go; # cut 'r' and major
+ # Fix for Codev.SecurityAlertExecuteCommandsWithRev
+ $rev1 = $maxrev unless( $rev1 =~ s/.*?([0-9]+).*/$1/o );
+ $rev2 = $maxrev unless( $rev2 =~ s/.*?([0-9]+).*/$1/o );
if( $rev1 < 1 ) { $rev1 = $maxrev; }
if( $rev1 > $maxrev ) { $rev1 = $maxrev; }
if( $rev2 < 1 ) { $rev2 = 1; }
--- bin/view.orig Mon Dec 3 09:11:20 2001
+++ bin/view Thu Sep 8 23:52:57 2005
@@ -114,6 +114,8 @@
writeDebug( "maxrev = $maxrev" );
if( $rev ) {
$rev =~ s/r?1\.//go; # cut 'r' and major
+ # Fix for Codev.SecurityAlertExecuteCommandsWithRev
+ $rev = $maxrev unless( $rev =~ s/.*?([0-9]+).*/$1/o );
if( $rev < 1 ) { $rev = 1; }
if( $rev > $maxrev ) { $rev = $maxrev; }
} else {
--- bin/viewfile.orig Fri Oct 5 18:03:20 2001
+++ bin/viewfile Thu Sep 8 23:53:45 2005
@@ -62,6 +62,9 @@
my $fileName = $query->param( 'filename' );
my $rev = $query->param( 'rev' ) || "";
+ $rev =~ s/r?1\.//o; # cut 'r' and major
+ # Fix for Codev.SecurityAlertExecuteCommandsWithRev
+ $rev = "" unless( $rev =~ s/.*?([0-9]+).*/$1/o );
my $topRev = &TWiki::Store::getRevisionNumber( $webName, $topic,
$fileName );
if( ( $rev ) && ( $rev ne $topRev ) ) {
---+++ Patch for TWiki Production Release 01-Dec-2000
Affected files: =twiki/bin/rdiff=, =twiki/bin/view=
--- bin/rdiff.orig Tue Nov 14 23:08:48 2000
+++ bin/rdiff Fri Sep 9 00:04:25 2005
@@ -139,6 +139,9 @@
if( ! $rev2 ) { $rev2 = 0; }
$rev1 =~ s/1\.//go; # cut major
$rev2 =~ s/1\.//go; # cut major
+ # Fix for Codev.SecurityAlertExecuteCommandsWithRev
+ $rev1 = $maxrev unless( $rev1 =~ s/.*?([0-9]+).*/$1/o );
+ $rev2 = $maxrev unless( $rev2 =~ s/.*?([0-9]+).*/$1/o );
if( $rev1 < 1 ) { $rev1 = $maxrev; }
if( $rev1 > $maxrev ) { $rev1 = $maxrev; }
if( $rev2 < 1 ) { $rev2 = 1; }
--- bin/view.orig Tue Nov 14 23:14:31 2000
+++ bin/view Fri Sep 9 00:05:10 2005
@@ -77,6 +77,8 @@
$maxrev =~ s/1\.//go; # cut major
if( $rev ) {
$rev =~ s/1\.//go; # cut major
+ # Fix for Codev.SecurityAlertExecuteCommandsWithRev
+ $rev = $maxrev unless( $rev =~ s/.*?([0-9]+).*/$1/o );
if( $rev < 1 ) { $rev = 1; }
if( $rev > $maxrev ) { $rev = $maxrev; }
$text= &wiki::readVersion( $topic, "1.$rev" );
---++ TWiki News
* A new TWiki release is upcoming soon, code named DakarRelease[7]
* To customize your TWiki installation, TWiki.org offers now
177 Plugin packages[11], 56 Add-on packages[10], 30 Skin
packages[12], and 11 TWiki contrib packages [13]
* Codev.TWikiSecurityAlertProcess[14] documents our security
process
* Wikis and TWiki get covered more my the press[15]
* TWiki is represented at the International Symposium on Wikis[16]
in San Diego, 17-18 Oct 2005
* A new book on Wikis in the Workplace is in work[17]
Best regards,
Peter
[1]: http://twiki.org/cgi-bin/view/Codev/TWikiRelease03Sep2004
[2]: http://twiki.org/cgi-bin/view/Codev/TWikiRelease02Sep2004
[3]: http://twiki.org/cgi-bin/view/Codev/TWikiRelease01Sep2004
[4]: http://twiki.org/cgi-bin/view/Codev/TWikiRelease01Feb2003
[5]: http://twiki.org/cgi-bin/view/Codev/TWikiRelease01Dec2001
[6]: http://twiki.org/cgi-bin/view/Codev/TWikiRelease01Dec2000
[7]: http://twiki.org/cgi-bin/view/Codev/DakarReleases
[8]: http://twiki.org/cgi-bin/view/Codev/UncoordinatedSecurityAlert23Feb2005
[9]: http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearch
[10]: http://twiki.org/cgi-bin/view/Plugins/AddOnPackage
[11]: http://twiki.org/cgi-bin/view/Plugins/PluginPackage
[12]: http://twiki.org/cgi-bin/view/Plugins/SkinPackage
[13]: http://twiki.org/cgi-bin/view/Plugins/ContribPackage
[14]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess
[15]: http://twiki.org/cgi-bin/view/Codev/TWikiInTheNews
[16]: http://twiki.org/cgi-bin/view/Codev/InternationalSymposiumOnWikis
[17]: http://twiki.org/cgi-bin/view/Codev/WikisInTheWorkplaceBook
--
* Peter Thoeny Peter@Thoeny.com
* Is your team already TWiki enabled? http://TWiki.org
* This e-mail is: (x) public (_) ask first (_) private
--- ../TWiki20040902/lib/TWiki/Store.pm 2004-07-22 10:43:40.000000000 +0200
+++ lib/TWiki/Store.pm 2005-09-09 06:30:44.000000000 +0200
@@ -572,7 +572,9 @@
}
$theRev = "" unless( $theRev );
- $theRev =~ s/^1\.//o;
+ $theRev =~ s/r?1\.//o; # cut 'r' and major
+ # Fix for Codev.SecurityAlertExecuteCommandsWithRev
+ $theRev = "" unless( $theRev =~ s/.*?([0-9]+).*/$1/o );
$topicHandler = _getTopicHandler( $theWebName, $theTopic,
$attachment ) if( ! $topicHandler );
my( $rcsOut, $rev, $date, $user, $comment ) =
$topicHandler->getRevisionInfo( $theRev );
--- ../TWiki20040902/lib/TWiki/UI/RDiff.pm 2004-08-08
10:28:45.000000000 +0200
+++ lib/TWiki/UI/RDiff.pm 2005-09-09 06:33:13.000000000 +0200
@@ -409,6 +409,9 @@
if( ! $rev2 ) { $rev2 = 0; }
$rev1 =~ s/r?1\.//go; # cut 'r' and major
$rev2 =~ s/r?1\.//go; # cut 'r' and major
+ # Fix for Codev.SecurityAlertExecuteCommandsWithRev
+ $rev1 = $maxrev unless( $rev1 =~ s/.*?([0-9]+).*/$1/o );
+ $rev2 = $maxrev unless( $rev2 =~ s/.*?([0-9]+).*/$1/o );
if( $rev1 < 1 ) { $rev1 = $maxrev; }
if( $rev1 > $maxrev ) { $rev1 = $maxrev; }
if( $rev2 < 1 ) { $rev2 = 1; }
--- ../TWiki20040902/lib/TWiki/UI/Viewfile.pm 2004-05-29
08:51:35.000000000 +0200
+++ lib/TWiki/UI/Viewfile.pm 2005-09-09 06:35:59.000000000 +0200
@@ -43,6 +43,9 @@
my $fileName = $query->param( 'filename' );
my $rev = $query->param( 'rev' ) || "";
+ $rev =~ s/r?1\.//o; # cut 'r' and major
+ # Fix for Codev.SecurityAlertExecuteCommandsWithRev
+ $rev = "" unless( $rev =~ s/.*?([0-9]+).*/$1/o );
return unless TWiki::UI::webExists( $webName, $topic );
--- ../TWiki20040902/lib/TWiki/UI/View.pm 2004-08-25
08:36:15.000000000 +0200
+++ lib/TWiki/UI/View.pm 2005-09-09 06:34:52.000000000 +0200
@@ -107,6 +107,8 @@
if( $rev ) {
$rev =~ s/r?1\.//go; # cut 'r' and major
+ # Fix for Codev.SecurityAlertExecuteCommandsWithRev
+ $rev = $maxrev unless( $rev =~ s/.*?([0-9]+).*/$1/o );
if( $rev < 1 ) { $rev = 1; }
if( $rev > $maxrev ) { $rev = $maxrev; }
} else {
--- ../TWiki20040902/lib/TWiki.pm 2004-11-20 06:31:53.000000000 +0100
+++ lib/TWiki.pm 2005-09-10 03:01:49.000000000 +0200
@@ -154,7 +154,7 @@
# ===========================
# TWiki version:
-$wikiversion = '02 Sep 2004 $Rev: 1742 $';
+$wikiversion = '03 Sep 2004 $Rev: 1742 $';
# ===========================
# Key Global variables, required for writeDebug
--- ../TWiki20040902/license.txt 2004-11-20 06:31:10.000000000 +0100
+++ license.txt 2005-09-10 03:04:46.000000000 +0200
@@ -1,4 +1,4 @@
-Copyright and License of TWiki, 02 Sep 2004
+Copyright and License of TWiki, 03 Sep 2004
-------------------------------------------
TWiki (TM) is copyrighted (C) 1999-2004 by Peter Thoeny,
--- ../TWiki20040902/readme.txt 2004-11-20 06:37:33.000000000 +0100
+++ readme.txt 2005-09-10 03:05:03.000000000 +0200
@@ -5,7 +5,7 @@
TWiki Distribution
------------------
-Version: 02 Sep 2004 $Rev: 1742 $
+Version: 03 Sep 2004 $Rev: 1742 $
Release type: Production release
This version is TWiki Release 01-Sep-2004 patched for
--- ../TWiki20040902/TWikiDocumentation.html 2004-08-31
18:35:18.000000000 +0200
+++ TWikiDocumentation.html 2005-09-10 03:09:15.000000000 +0200
@@ -1,7 +1,7 @@
<html><head>
<title>TWikiDocumentation</title>
</head><body bgcolor="#ffffff">
-<h1><a name="TWiki_Reference_Manual_01_Sep_20"> </a><a
name="_TWiki_Reference_Manual_01_Sep_2"> </a> TWiki Reference Manual
(01 Sep 2004 $Rev: 1742 $) </h1>
+<h1><a name="TWiki_Reference_Manual_03_Sep_20"> </a><a
name="_TWiki_Reference_Manual_03_Sep_2"> </a> TWiki Reference Manual
(03 Sep 2004 $Rev: 1742 $) </h1>
<p />
<script type="text/javascript">
<!--
@@ -3816,7 +3816,7 @@
</li>
</ul>
<p />
-This version of TWiki - 01 Sep 2004 $Rev: 1742 $ - expands the
following variables (enclosed in <code><b>%</b></code> percent signs):
+This version of TWiki - 03 Sep 2004 $Rev: 1742 $ - expands the
following variables (enclosed in <code><b>%</b></code> percent signs):
<p />
<p />
<p />
@@ -4627,7 +4627,7 @@
<ul>
<li> Syntax: <code>%WIKIVERSION%</code>
</li>
-<li> Expands to: <code>01 Sep 2004 $Rev: 1742 $</code>
+<li> Expands to: <code>03 Sep 2004 $Rev: 1742 $</code>
</li>
<li> Related: <a class="twikiAnchorLink"
href="#VarPLUGINVERSION">PLUGINVERSION</a>, <a class="twikiAnchorLink"
href="#VarWIKITOOLNAME">WIKITOOLNAME</a>
</li>
@@ -9836,4 +9836,4 @@
</li>
</ul>
<p />
-</body></html>
\ No newline at end of file
+</body></html>
|
|
Go to the Top of This SecurityTracker Archive Page
|
