SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   TWiki Vendors:   TWiki.org
TWiki Input Validation Flaw in %URLPARAM{}% Parameter Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1021351
SecurityTracker URL:  http://securitytracker.com/id/1021351
CVE Reference:   CVE-2008-5304   (Links to External Site)
Date:  Dec 5 2008
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): prior to 4.2.4
Description:   A vulnerability was reported in TWiki. A remote user can conduct cross-site scripting attacks.

The software does not properly filter HTML code from user-supplied input in the TWiki %URLPARAM{}% parameter before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the TWiki software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Marc Schoenefeld and TWiki:Main.SteveMilner of Red Hat Security Response Team reported this vulnerability.
Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the TWiki software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   The vendor has issued a fixed version (4.2.4).

A hotfix is also available for versions 4.2.x.

The vendor's advisory is available at:

http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2008-5304
Vendor URL:  twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2008-5304 (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

 Source Message Contents
Subject:  TWiki Security Alert CVE-2008-5304: Cross-site scripting vulnerability with TWiki URLPARAM variable

This is a security advisory for TWiki installations:

The %URLPARAM{}% TWiki variable may expose a cross-site scripting  
(XSS) vulnerability. The TWiki.org advisory is at http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2008-5304

(See also unrelated TWiki Security Alert CVE-2008-5305 - TWiki SEARCH  
variable allows arbitrary shell command execution.)

    * Vulnerable Software Version
    * Attack Vectors
    * Impact
    * Severity Level
    * MITRE Name for this Vulnerability
    * Details
    * Countermeasures
    * Authors and Credits
    * Hotfix for TWiki Production Release 4.2.x
    * Fixing older TWiki Releases
    * Feedback
    * External Links


---++ Vulnerable Software Version

    * TWikiRelease04x02x03 -- TWiki-4.2.3.zip
    * TWikiRelease04x02x02 -- TWiki-4.2.2.zip
    * TWikiRelease04x02x01 -- TWiki-4.2.1.zip
    * TWikiRelease04x02x00 -- TWiki-4.2.0.zip
    * TWikiRelease04x01x02 -- TWiki-4.1.2.zip
    * TWikiRelease04x01x01 -- TWiki-4.1.1.zip
    * TWikiRelease04x01x00 -- TWiki-4.1.0.zip
    * TWikiRelease04x00x05 -- TWiki-4.0.5.zip
    * TWikiRelease04x00x04 -- TWiki-4.0.4.zip
    * TWikiRelease04x00x03 -- TWiki-4.0.3.zip
    * TWikiRelease04x00x02 -- TWiki-4.0.2.zip
    * TWikiRelease04x00x01 -- TWiki-4.0.1.zip
    * TWikiRelease04x00x00 -- TWiki-4.0.0.zip
    * and older versions

---++ Attack Vectors

Editing wiki pages and HTTP GET requests towards the wiki server  
(typically port 80/TCP). Typically, prior authentication is necessary  
(including anonymous TWikiGuest accounts).


---++ Impact

An unauthenticated remote attacker could exploit an XSS attack on a  
TWiki site.


---++ Severity Level

The TWiki SecurityTeam triaged this issue as documented in  
TWikiSecurityAlertProcess and assigned the following severity level:

    * Severity 3 issue: TWiki content or browser is compromised

__Note:__ Severity 3 issues are usually handled as bugs without an  
advisory, but this time an advisory is issued to raise the awareness  
on possible XSS attacks.


---++ MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name  
CVE-2008-5304 to this vulnerability, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5304


---++ Details

The %URLPARAM{}% TWiki variable is a powerful command to create  
dynamic wiki content and wiki applications. If a URLPARAM is not  
properly encoded it may be open to XSS attacks. http://en.wikipedia.org/wiki/Cross-site_scripting 
  has details on XSS.

Specifically, the XSS vulnerability exists if the URLPARAM is used  
inside an HTML form field value without adding proper encoding. Example:

<input type="text" name="city" value="%URLPARAM{ "city" }%" />

The attacker could construct a 'city' URL parameter with a double  
quote to close the input value="" attribute, followed by additional  
attributes.

Example 1:
    * Go to http://example.com/twiki/view/TWiki/WebSearch?search=%27a%20onmouseover=alert(document.cookie)%20%27
    * Move your mouse over the 'Advanced search' link about half way  
down the page.
    * You should see a javascript popup that wasn't there before.

Example 2:
    * Go to http://example.com/twiki/view/TWiki/ResetPassword? 
username="<script language=Javascript>alert('3y3 0wn j00 TWIKI')</ 
script>
    * You should see a javascript popup that wasn't there before.

To avoid XSS attacks, a URLPARAM inside a HTML form field value needs  
to be entity encoded. This will escape special characters, so that  
content will be displayed verbatim in the input field. Example of  
properly encoding a URLPARAM in an input field value:

<input type="text" name="city" value="%URLPARAM{ "city"  
encode="entity" }%" />

The TWiki distributions contains a number of pages that have non- 
encoded URLPARAMs in HTML input fields. Those pages need to be fixed  
to avoid XSS attacks.

One might think that URLPARAM should always be encoded. This is not a  
viable option since it would introduce an incompatible spec change  
that would break many dynamic reports and TWiki applications.

The responsibility relies with the users to monitor and/or lock down  
wiki content to counter XSS exploits. Study http://twiki.org/cgi-bin/view/TWiki/VarURLPARAM 
  on proper use of URLPARAM.


---++ Countermeasures

    * Apply hotfix (see patch below).
    * Upgrade to the latest patched production TWiki-4.2.4  
(TWikiRelease04x02x04 to be released shortly).
    * Use the web server software to restrict access to the web pages  
served by TWiki.
    * Search your wiki content for %URLPARAM and encode them where  
needed.


---++ Authors and Credits

    * Credit to Marc Schoenefeld and TWiki:Main.SteveMilner of Red Hat  
Security Response Team for disclosing the issue to the twiki-security@lists.sourceforge.net 
  mailing list, and for providing a proposed fix.
    * TWiki:Main.PeterThoeny, TWiki:SopanShewale for contributing to  
the fix, patch and advisory.


---++ Hotfix for TWiki Production Release 4.2.x

*Affected files:*
   * twiki/data/TWiki/ChangePassword.txt
   * twiki/data/TWiki/ChangePassword.txt,v
   * twiki/data/TWiki/FormattedSearch.txt
   * twiki/data/TWiki/FormattedSearch.txt,v
   * twiki/data/TWiki/ResetPassword.txt
   * twiki/data/TWiki/ResetPassword.txt,v
   * twiki/data/TWiki/VarURLPARAM.txt
   * twiki/data/TWiki/VarURLPARAM.txt,v
   * twiki/data/TWiki/WebAtomBase.txt
   * twiki/data/TWiki/WebAtomBase.txt,v
   * twiki/data/TWiki/WebCreateNewTopicTemplate.txt
   * twiki/data/TWiki/WebCreateNewTopicTemplate.txt,v
   * twiki/data/TWiki/WebRssBase.txt
   * twiki/data/TWiki/WebRssBase.txt,v
   * twiki/data/TWiki/WebSearchAdvanced.txt
   * twiki/data/TWiki/WebSearchAdvanced.txt,v
   * twiki/data/TWiki/WebSearch.txt
   * twiki/data/TWiki/WebSearch.txt,v

*Hotfix:* Unzip SecurityAlert-CVE-2008-5304-hotfix.zip file attached  
to http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2008-5304  
into your TWiki directory, preserving the directory structure. All  
files should go into the twiki/data/TWiki directory.


---++ Fixing older TWiki Releases

There is no hotfix for older releases. Upgrade to the latest TWiki  
version, or search your wiki content for %URLPARAM and encode them  
where needed.


---++ Feedback

Please provide feedback at the security alert page on twiki.org,
http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2008-5304


---++ External Links

http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2008-5304 - CVE  
on twiki.org
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5304 - CVE on  
MITRE.org
http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess -  
security alert process
http://twiki.org/cgi-bin/view/Codev/DownloadTWiki - download latest  
TWiki release


-- Contributors: Marc Schoenefeld, Steve Milner, Sopan Shewale, Peter  
Thoeny - 05 Dec 2008


-- 
   * Peter Thoeny, CTO - peter.thoeny.public@twiki.net
   * http://twiki.net  - TWIKI.NET - the Enterprise Wiki
   * http://twiki.org  - is your team already TWiki enabled?
   * Knowledge cannot be managed, it can be discovered and shared
   * This e-mail is:   (_) private    (_) ask first    (x) public


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC