TWiki Access Control Bugs in rdiff and preview May Let Remote Users Access Restricted Content
SecurityTracker Alert ID: 1015843
SecurityTracker URL: http://securitytracker.com/id?1015843
CVE Reference: CVE-2006-1386
Date: Mar 29 2006
Impact: Disclosure of system information, Disclosure of user information
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Version(s): 4.0.0, 4.0.1
Description: A vulnerability was reported in TWiki. A remote user may be able to view restricted content.
A user may be able to invoke the rdiff and preview scripts (instead of the view script) to view restricted content.
A demonstration exploit URL is provided:
http://[target]/bin/preview/Secret/WebHome?action=foo
SergejZagursky and SteffenPoulsen discovered these vulnerabilities.
Impact: A remote user may be able to view restricted content.
Solution: The vendor is issuing a fixed version (4.0.2).
Also, a hotfix for 4.0.0 and 4.0.1 is available at:
http://twiki.org/cgi-bin/view/Codev/SecurityAlertTWiki4RdiffPreviewAccess
Vendor URL: twiki.org/cgi-bin/view/Codev/SecurityAlertTWiki4RdiffPreviewAccess
Cause: Access control error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Reported By: Peter Thoeny <peter@thoeny.org>
Message History:
None.
Source Message Contents
Date: Sat, 25 Mar 2006 12:22:14 -0800
From: Peter Thoeny <peter@thoeny.org>
Subject: Security Alert: TWiki rdiff and preview scripts ignore access control
This advisory alerts TWiki administrators of a potential
security issue with TWiki 4.0 installations: The rdiff
and preview scripts ignore access control settings,
allowing unauthorized users to view restricted content.
For updates on this advisory, please check [1],
http://twiki.org/cgi-bin/view/Codev/SecurityAlertTWiki4RdiffPreviewAccess
TOC:
* Vulnerable Software Version
* Attack Vectors
* Impact
* Severity Level
* MITRE Name for this Vulnerability
* Details
* Countermeasures
* Authors and Credits
* Hotfix for TWiki 4.0.0 and TWiki 4.0.1
---++ Vulnerable Software Version
* TWikiRelease04x00x01 -- TWiki-4.0.1.zip
* TWikiRelease04x00x00 -- TWiki-4.0.0.zip
---++ Attack Vectors
With obscure use of the rdiff and preview scripts it is possible
to view access restricted content.
---++ Impact
An unauthorized user can view access restricted areas and gain
access to confidential content in TWiki topics.
---++ Severity Level
The TWiki SecurityTeam [2] triaged this issue as documented in
TWikiSecurityAlertProcess [3] and assigned the following severity
level:
* Severity 2 issue: The TWiki installation is compromised
---++ MITRE Name for this Vulnerability
The Common Vulnerabilities and Exposures project has assigned the
name CVE-2006-1386 to this vulnerability.
---++ Details
To reproduce the rdiff vulnerability:
Add this to an existing topic:
* Set DENYTOPICVIEW = Main.YourWikiName
View the topic. You will be denied view. Now edit the URL and
replace view with rdiff. Now you can see the most recent
changes, even those done after the DENYTOPICVIEW was added.
To reproduce the preview vulnerability:
An unauthorized user can access a restricted web by using the
preview script instead of the view script. Example URL to
access the restricted web called Secret:
http://wiki.example.com/bin/preview/Secret/WebHome?action=foo
---++ Countermeasures
* Apply hotfix
* Upgrade to TWiki 4.0.2 (to be released in a few days)
---++ Authors and Credits
* Credit to TWiki:Main.SergejZagursky for disclosing the issue
to the bug tracker
* Credit to TWiki:Main.SteffenPoulsen for disclosing the issue
to the bug tracker
* TWiki:Main.CrawfordCurrie for providing a fix in TWiki 4.0.2
* TWiki:Main.JasonHill for providing the patch files
* TWiki:Main.PeterThoeny for providing the hotfix and for
creating the advisory
---++ Hotfix for TWiki 4.0.0 and TWiki 4.0.1
Hotfix for rdiff script:
In file twiki/lib/TWiki/UI/RDiff.pm, find sub diff. 10 lines lower in
the file you will find the following line:
    TWiki::UI::checkTopicExists( $session, $webName, $topic, 'diff' );
Add the following line immediately after it:
    TWiki::UI::checkAccess( $session, $webName, $topic, 'view',
                            $session->{user} );
Hotfix for preview script:
In file =twiki/lib/TWiki/UI/Save.pm= find the following lines:
    if( $topicExists ) {
        ( $prevMeta, $prevText ) =
          $store->readTopic( undef, $webName, $topic, undef );
        if( $prevMeta ) {
            foreach my $k ( keys %$prevMeta ) {
Change the call to 'readTopic' to:
    $store->readTopic( $user, $webName, $topic, undef );
NOTE: Patch files are available on TWiki.org's security alert
page [1].
-- Contributors: Peter Thoeny [4], Crawford Currie [5],
Steffen Poulsen [6], Jason Hill [7] - 25 Mar 2006
[1]: http://twiki.org/cgi-bin/view/Codev/SecurityAlertTWiki4RdiffPreviewAccess
[2]: http://twiki.org/cgi-bin/view/Codev/SecurityTeam
[3]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess
[4]: http://twiki.org/cgi-bin/view/Main/PeterThoeny and
http://structuredwikis.com/
[5]: http://twiki.org/cgi-bin/view/Main/CrawfordCurrie and
http://c-dot.co.uk/
[6]: http://twiki.org/cgi-bin/view/Main/SteffenPoulsen
[7]: http://twiki.org/cgi-bin/view/Main/JasonHill
--
* Peter Thoeny Peter@Thoeny.org
* Is your team already TWiki enabled? http://TWiki.org
* This e-mail is: (x) public (_) ask first (_) private
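The root cause described in the advisory and in the Description above is that the access check lived in the view script only, while rdiff and preview reached the same topic text by a different code path (rdiff never called checkAccess; preview read the topic as an undef user). The following is an added illustration, not TWiki's code: a constructed Python model of a wiki store with a DENYTOPICVIEW list and three scripts, in a vulnerable and a fixed variant, showing that the fix is to route every script that reads a topic through one access gate. All names (Topic, check_access, leaks, the store contents and the users) are assumptions made for the example.

```python
# Constructed model of the access-control gap in CVE-2006-1386 (not TWiki code).
# A toy wiki store with a DENYTOPICVIEW list per topic and three "scripts"
# (view, rdiff, preview). Only view consults the access check in the
# vulnerable variant; the fixed variant gates every script that reads a topic.
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised when a user is not allowed to perform the requested mode."""


@dataclass
class Topic:
    text: str                      # current revision text
    history: list                  # older revisions, oldest first (constructed)
    deny_view: set = field(default_factory=set)  # users listed in DENYTOPICVIEW


# Constructed store: one restricted topic in web "Secret".
STORE = {
    ("Secret", "WebHome"): Topic(
        text="launch plan rev2: ship in Q3 (confidential)",
        history=["launch plan rev1: ship in Q2"],
        deny_view={"Main.GuestUser"},
    ),
}


def check_access(user, web, topic, mode):
    """Hypothetical stand-in for TWiki::UI::checkAccess: refuse if the user is
    named in the topic's DENYTOPIC<MODE> setting (only VIEW is modelled)."""
    t = STORE[(web, topic)]
    if mode == "view" and user in t.deny_view:
        raise AccessDenied(f"{user} may not {mode} {web}.{topic}")
    return t


def render_diff(t):
    """Text diff between the previous and the current revision."""
    return f"- {t.history[-1]}\n+ {t.text}"


# --- vulnerable variant: mirrors the 4.0.0/4.0.1 behaviour ------------------
def view(user, web, topic):
    return check_access(user, web, topic, "view").text


def rdiff_vulnerable(user, web, topic):
    # Topic existence is checked, but no access check precedes the read.
    if (web, topic) not in STORE:
        raise KeyError("no such topic")
    return render_diff(STORE[(web, topic)])


def preview_vulnerable(user, web, topic):
    # Reads the stored topic with no user identity, so the check never runs.
    return STORE[(web, topic)].text


# --- fixed variant: every reading script goes through check_access ----------
def rdiff_fixed(user, web, topic):
    if (web, topic) not in STORE:
        raise KeyError("no such topic")
    return render_diff(check_access(user, web, topic, "view"))


def preview_fixed(user, web, topic):
    return check_access(user, web, topic, "view").text


SCRIPTS = {
    False: {"view": view, "rdiff": rdiff_vulnerable, "preview": preview_vulnerable},
    True: {"view": view, "rdiff": rdiff_fixed, "preview": preview_fixed},
}


def leaks(user, web, topic, patched):
    """Return {script: True} for every script that hands topic content to user."""
    result = {}
    for name, handler in SCRIPTS[patched].items():
        try:
            handler(user, web, topic)
            result[name] = True
        except AccessDenied:
            result[name] = False
    return result


if __name__ == "__main__":
    for patched in (False, True):
        label = "patched" if patched else "vulnerable"
        print(label, leaks("Main.GuestUser", "Secret", "WebHome", patched))
```

Running the block prints the per-script outcome for the denied user in both variants; the practical lesson is the one the hotfix encodes: an access check attached to a single script does not protect the data, so every entry point that can return topic content (view, diff, preview, raw, export) has to call the same check with the real requesting user.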