SecurityTracker.com
Category: Application (Forum/Board/Portal) > TWiki
Vendors: TWiki.org
TWiki Input Validation Flaw in '%MAKETEXT{}%' Parameter Lets Remote Users Execute Arbitrary Shell Commands
SecurityTracker Alert ID:  1028149
SecurityTracker URL:  http://securitytracker.com/id/1028149
CVE Reference:   CVE-2013-1751   (Links to External Site)
Date:  Feb 18 2013
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 5.1.3 and prior versions
Description:   A vulnerability was reported in TWiki. A remote user can execute arbitrary shell commands on the target system.

A remote user can send a specially crafted '%MAKETEXT{}%' TWiki parameter value containing Perl backtick characters to execute arbitrary shell commands on the target system. The commands will run with the privileges of the target web service.

Systems with localization enabled are affected.

[Editor's note: This flaw is related to CVE-2012-6329 (Alert ID 1027908)].

The vendor was notified on February 12, 2013.

John Lightsey reported this vulnerability.

Impact:   A remote user can execute arbitrary shell commands on the target system.
Solution:   The vendor has issued a fix (5.1.4).

The vendor's advisory is available at:

http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2013-1751

Vendor URL:  twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2013-1751 (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  TWiki Security Alert CVE-2013-1751: MAKETEXT Variable Has Another Shell Command Execution Issue

The %MAKETEXT{}% TWiki variable allows arbitrary shell command execution using tilde (~) characters. Only TWiki servers with localization enabled are affected. This issue is a follow-up to SecurityAlert-CVE-2012-6329 of last December.

TWiki ( http://twiki.org ) is an Open Source Enterprise Wiki and Web 2.0 Application Platform used by millions of people.

    * Vulnerable Software Version
    * Attack Vectors
    * Impact
    * Severity Level
    * MITRE Name for this Vulnerability
    * Details
    * Countermeasures
    * Hotfix for TWiki Production Release 5.1.x
    * Hotfix for Older Affected TWiki Releases
    * Verify Hotfix
    * Authors and Credits
    * Action Plan with Timeline
    * External Links
    * Feedback

---++ Vulnerable Software Version

    * TWiki-5.1.0 to TWiki-5.1.3 (TWikiRelease05x01x00 to TWikiRelease05x01x03)
    * TWiki-5.0.x (TWikiRelease05x00x00 to TWikiRelease05x00x02)
    * TWiki-4.3.x (TWikiRelease04x03x00 to TWikiRelease04x03x02)
    * TWiki-4.2.x (TWikiRelease04x02x00 to TWikiRelease04x02x04)
    * TWiki-4.1.x (TWikiRelease04x01x00 to TWikiRelease04x01x02)
    * TWiki-4.0.x (TWikiRelease04x00x00 to TWikiRelease04x00x05)

---++ Attack Vectors

Editing wiki pages and sending HTTP POST requests to a TWiki server with localization enabled (typically port 80/TCP). Prior authentication is typically necessary.

---++ Impact

An unauthenticated remote attacker can execute arbitrary shell commands as the webserver user, such as user nobody.

---++ Severity Level

The TWiki SecurityTeam triaged this issue as documented in TWikiSecurityAlertProcess [1] and assigned the following severity level:

    * Severity 1 issue: The web server can be compromised

---++ MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name CVE-2013-1751 [7] to this vulnerability.

---++ Details

Shell command execution issue: The %MAKETEXT{}% TWiki variable is used to localize user interface content to a language of choice. Using a specially crafted MAKETEXT, a malicious user can execute shell commands using tilde (~) characters. User input is passed to the Perl "eval" command without first being sanitized.

The original fix for this issue, reported in SecurityAlert-CVE-2012-6329 [9], failed to eliminate one possible attack vector. This CVE applies an additional fix for the tilde character issue.

TWiki is not vulnerable if the {UserInterfaceInternationalisation} configure setting is disabled, or if Locale::Maketext has been upgraded to version 1.23 as advised in SecurityAlert-CVE-2012-6329 [9].

---++ Countermeasures

   * One of:
      * Disable localization by setting configure flag {UserInterfaceInternationalisation} to 0.
      * Apply hotfix (see patch below).
      * Upgrade to the latest patched production release TWiki-5.1.4 (TWikiRelease05x01x04) [2].

   * In addition:
      * Install CPAN:Locale::Maketext version 1.23 or newer.
      * Use the {SafeEnvPath} configure setting to restrict the possible directories that are searched for executables. By default, this is the PATH used by the webserver user. Set {SafeEnvPath} to a list of non-writable directories, such as "/bin:/usr/bin".

---++ Hotfix for TWiki Production Release 5.1.x

Affected file: twiki/lib/TWiki.pm

Patch to sanitize MAKETEXT parameters:

=======( 8>< CUT )===============================================
--- TWiki.pm   (revision 25065)
+++ TWiki.pm   (working copy)
@@ -4328,8 +4328,8 @@
      $str =~ s/\]/~]/g;

      # restore already escaped stuff:
-    $str =~ s/~~\[/~[/g;
-    $str =~ s/~~\]/~]/g;
+    $str =~ s/~~+\[/~[/g;
+    $str =~ s/~~+\]/~]/g;

      # unescape parameters and calculate highest parameter number:
      my $max = 0;
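Review bot: the `+` added in `$str =~ s/~~+\[/~[/g;` and `$str =~ s/~~+\]/~]/g;` collapses any run of two or more tildes before a bracket into a single escaped bracket, which closes the `~~[` bypass left by the earlier fix but is lossy: an author who legitimately wrote `~~~[` (escaped tilde followed by escaped bracket) now gets `~[` and loses the tilde. Worth a comment stating that the collapse is deliberate, plus a regression test covering `~~[`, `~~~[` and the verify-hotfix string, so a later tidy-up does not reintroduce the exact-two-tilde match.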
=======( 8>< CUT )===============================================

This patch is handled at TWikibug Item7145 [8].

---++ Hotfix for Older Affected TWiki Releases

Apply above patch (line numbers may vary).

---++ Verify Hotfix

To verify the patch:

    * Add this to a topic:
      %MAKETEXT{"~~[quant,4, singular, plural, ~~]"}%
    * Expected output with internationalization enabled:
      [quant,4,singular,plural]
    * Expected output with internationalization disabled:
      ~[quant,4,singular,plural~]
    * Output on a vulnerable site:
      ~4 plural
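A Python model of the two escaping passes and of Maketext's bracket notation, to show why the `~~[` sequence from the Details section slipped past the CVE-2012-6329 fix and what the verify-hotfix string above produces on each side of the patch. This is an added example, not TWiki's or Locale::Maketext's code: the `[` escape line is assumed by symmetry with the `]` context line in the hunk, `quant` is a plain function standing in for the Maketext method, and TWiki's whitespace trimming of the rendered output is not modelled.

```python
import re

def sanitize(s, patched):
    """Model of TWiki.pm's MAKETEXT escaping around the CVE-2013-1751 hotfix.
    The '[' escape line is assumed by symmetry with the ']' context line."""
    s = s.replace('[', '~[').replace(']', '~]')   # make every bracket literal
    # Restore brackets the author had already escaped. Unpatched: exactly two
    # tildes are consumed, so '~~[' (escaped tilde + live bracket) survives.
    # Patched: the whole tilde run is swallowed, so no live bracket remains.
    run = r'~~+' if patched else r'~~'
    s = re.sub(run + r'\[', '~[', s)
    s = re.sub(run + r'\]', '~]', s)
    return s

def quant(args):
    """Stand-in for Maketext's [quant,N,singular,plural,(zero)] method."""
    num, sing, plur = int(args[0]), args[1], args[2]
    if num == 0 and len(args) > 3:
        return args[3]
    return f"{num} {sing if num == 1 else plur}"

METHODS = {'quant': quant}   # plain lookup table: nothing is eval'd here

def render(s):
    """Minimal Locale::Maketext bracket notation: '~x' is a literal x, an
    unescaped '[...]' is a method call. Returns (text, live_groups)."""
    out, groups, i, n = [], 0, 0, len(s)
    while i < n:
        if s[i] == '~' and i + 1 < n:
            out.append(s[i + 1]); i += 2
        elif s[i] == '[':
            groups += 1
            args, cur, i = [], [], i + 1
            while i < n and s[i] != ']':
                if s[i] == '~' and i + 1 < n:
                    cur.append(s[i + 1]); i += 2
                elif s[i] == ',':
                    args.append(''.join(cur).strip()); cur = []; i += 1
                else:
                    cur.append(s[i]); i += 1
            args.append(''.join(cur).strip())
            i += 1                                # step over closing ']'
            out.append(METHODS[args[0]](args[1:]))  # KeyError for other methods
        else:
            out.append(s[i]); i += 1
    return ''.join(out), groups

def maketext(user_input, patched):
    """Sanitize then render, as TWiki does for a %MAKETEXT{"..."}% body."""
    return render(sanitize(user_input, patched))
```

With the advisory's test string, `maketext(payload, patched=False)` returns `('~4 plural', 1)` (one live bracket group ran), while `maketext(payload, patched=True)` returns the bracket text literally with zero live groups.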

---++ Authors and Credits

    * Credit to John Lightsey (john [at] nixnuts.net) for disclosing the issue to the twiki-security@lists.sourceforge.net mailing list, and for providing a proposed fix.
    * TWiki:Main.PeterThoeny for creating the fix, patch and advisory.

---++ Action Plan with Timeline

    * 2013-02-12 - John Lightsey of nixnuts.net discloses issue to TWikiSecurityMailingList [4]
    * 2013-02-13 - developer verifies issue - Peter Thoeny
    * 2013-02-15 - developer fixes code - Peter Thoeny
    * 2013-02-15 - security team creates advisory with hotfix - Peter Thoeny
    * 2013-02-16 - send alert to TWikiAnnounceMailingList [5] and TWikiDevMailingList [6] - Peter Thoeny
    * 2013-02-18 - publish advisory in Codev web and update all related topics - Peter Thoeny
    * 2013-02-18 - issue a public security advisory to full-disclosure[at]lists.grok.org.uk, cert[at]cert.org, vuln[at]secunia.com, bugs[at]securitytracker.com, submissions[at]packetstormsecurity.org - Peter Thoeny

---++ External Links

[1]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess
[2]: http://twiki.org/cgi-bin/view/Codev/TWikiRelease05x01x04
[3]: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2013-1751
[4]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityMailingList
[5]: http://twiki.org/cgi-bin/view/Codev/TWikiAnnounceMailingList
[6]: http://twiki.org/cgi-bin/view/Codev/TWikiDevMailingList
[7]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1751 - CVE on MITRE.org
[8]: http://develop.twiki.org/~twiki4/cgi-bin/view/Bugs/Item7145
[9]: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2012-6329

---++ Feedback

Please provide feedback at the security alert topic at
http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2012-6329

-- Peter Thoeny - http://twiki.org/ - 2013-02-18


-- 
   * Peter Thoeny     - peter09[at]thoeny.org
   * http://TWiki.org - is your team already TWiki enabled?
   * Knowledge cannot be managed, it can be discovered and shared
   * This e-mail is:   (_) private    (_) ask first    (x) public
