SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   TWiki Vendors:   TWiki.org
TWiki Input Validation Flaw in QUERYSTRING and QUERYPARAMSTRING Parameters Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1031399
SecurityTracker URL:  http://securitytracker.com/id/1031399
CVE Reference:   CVE-2014-9325   (Links to External Site)
Date:  Dec 18 2014
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 6.0.1
Description:   A vulnerability was reported in TWiki. A remote user can conduct cross-site scripting attacks.

The system does not properly filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the TWiki software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The QUERYSTRING and QUERYPARAMSTRING parameters are affected.

A demonstration exploit request is provided:

GET /do/view/Main/TWikiPreferences?'"--></style></script><script>alert('CVE-2014-9325 vulnerable')</script>

The vendor was notified on December 9, 2014.

Robert Abela and Onur Yilmaz of Netsparker reported this vulnerability.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the TWiki software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   The vendor has issued a patch, available in the advisory.

The vendor's advisory is available at:

http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-9325

Vendor URL:  twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-9325 (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  TWiki Security Alert CVE-2014-9325: XSS Vulnerability with QUERYSTRING and QUERYPARAMSTRING Variables

This is an advisory for TWiki Administrators: The TWiki Variables QUERYSTRING and QUERYPARAMSTRING may expose a cross-site scripting vulnerability.

TWiki ( http://twiki.org ) is an Open Source Enterprise Wiki and Web Application Platform used by millions of people.

   * Vulnerable Software Version
   * Attack Vectors
   * Impact
   * Severity Level
   * MITRE Name for this Vulnerability
   * Details
   * Countermeasures
   * Hotfix for TWiki Production Release
   * Verify Hotfix
   * Authors and Credits
   * Action Plan with Timeline
   * External Links
   * Feedback

---++ Vulnerable Software Version

   * TWiki-6.0.1 [2]

---++ Attack Vectors

Attack can be done by viewing wiki pages or by logging in by issuing HTTP GET requests towards the TWiki server (usually port 80/TCP).

---++ Impact

Specially crafted parameters open up XSS (Cross-Site Scripting) attacks.

---++ Severity Level

The TWiki SecurityTeam triaged this issue as documented in TWikiSecurityAlertProcess and assigned the following severity level:

   * Severity 3 issue: TWiki content or browser is compromised. 

---++ MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name CVE-2014-9325 [7] to this vulnerability. 

---++ Details

A malicious person can use specially crafted URL parameters to TWiki scripts that execute arbitrary JavaScript code in the browser. Examples:

Specially crafted parameter to the view script of TWiki:

GET /do/view/Main/TWikiPreferences?'"--></style></script><script>alert('CVE-2014-9325 vulnerable')</script>

TWiki decodes the URL parameters and pops up a !JavaScript alert box showing "CVE-2014-9325 vulnerable!"

---++ Countermeasures

   * Apply hotfix (see patch below).
   * Use the web server software to restrict access to the web pages served by TWiki.

---++ Hotfix for TWiki Production Release

No TWiki patch release will be done to address this issue. Instead, apply the patches to the two files below.

---+++ Patch lib/TWiki.pm

Affected file: =twiki/lib/TWiki.pm=

=======( 8>< CUT )===============================================
--- TWiki.pm   (revision 28488)
+++ TWiki.pm   (working copy)
@@ -4803,7 +4803,10 @@
 
 sub QUERYSTRING {
     my $this = shift;
-    return $this->{request}->queryString();
+    my $qs = $this->{request}->queryString();
+    # Item7595: Sanitize QUERYSTRING
+    $qs =~ s/(['\/<>])/'%'.sprintf('%02x', ord($1))/ge;
+    return $qs;
 }
 
 sub QUERYPARAMS {
=======( 8>< CUT )===============================================

The patch might be managed in the e-mail. Get this patch from http://develop.twiki.org/~twiki4/cgi-bin/view/Bugs/Item7595 [8]

---+++ Patch lib/TWiki/UI/View.pm

Affected file: =twiki/lib/TWiki/UI/View.pm=

=======( 8>< CUT )===============================================
--- TWiki/UI/View.pm   (revision 28488)
+++ TWiki/UI/View.pm   (working copy)
@@ -349,8 +349,14 @@
       next if ($name eq 'topic');
       push @qparams, $name => $query->param($name);
     }
-    $tmpl =~ s/%QUERYPARAMSTRING%/TWiki::_make_params(1,@qparams)/geo;
 
+    if ( $tmpl =~ /%QUERYPARAMSTRING%/ ) {
+        my $qs = TWiki::_make_params( 1, @qparams );
+        # Item7595: Sanitize QUERYPARAMSTRING
+        $qs =~ s/(['\/<>])/'%'.sprintf('%02x', ord($1))/ge;
+        $tmpl =~ s/%QUERYPARAMSTRING%/$qs/go;
+    }
+
     # extract header and footer from the template, if there is a
     # %TEXT% tag marking the split point. The topic text is inserted
     # in place of the %TEXT% tag. The text before this tag is inserted
=======( 8>< CUT )===============================================

__Notes:__

   * Learn how to apply patches: http://twiki.org/cgi-bin/view/Codev/HowToApplyPatch
   * This issue is tracked at: http://develop.twiki.org/~twiki4/cgi-bin/view/Bugs/Item7595

---++ Verify Hotfix

To verify the patch add the following parameter to any TWiki topic:

?'"--></style></script><script>alert('CVE-2014-9325 vulnerable')</script>

The site is vulnerable if a dialog box is shown with text "CVE-2014-9325 vulnerable!" 

---++ Authors and Credits

   * Credit to Robert Abela ( robert[at]netsparker.com) and Onur Yilmaz (onur[at]netsparker.com) for disclosing the issue to thetwiki-security@lists.sourceforge.net mailing list.
   * Peter Thoeny for verifying the issue, creating a fix, and creating the patch and advisory.

---++ Action Plan with Timeline

   * 2014-12-09 - Robert Abela of Netsparker (https://www.netsparker.com/) discloses issue to TWikiSecurityMailingList
   * 2014-12-09 - developer verifies issue - Peter Thoeny
   * 2014-12-09 - developer fixes code - Peter Thoeny
   * 2014-12-15 - security team creates advisory with hotfix - Peter Thoeny
   * 2014-12-16 - send alert to TWikiAnnounceMailingList [5] and TWikiDevMailingList [6] - Peter Thoeny
   * 2014-12-18 - publish advisory in Codev web and update all related topics - Peter Thoeny
   * 2014-12-18 - issue a public security advisory to fulldisclosure[at]seclists.org, cert[at]cert.org, vuln[at]secunia.com, bugs[at]securitytracker.com, submissions[at]packetstormsecurity.org - Peter Thoeny

---++ External Links

[1]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess
[2]: http://twiki.org/cgi-bin/view/Codev/TWikiRelease06x00x01
[3]: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-9325 (will be created on 2014-12-18)
[4]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityMailingList
[5]: http://twiki.org/cgi-bin/view/Codev/TWikiAnnounceMailingList
[6]: http://twiki.org/cgi-bin/view/Codev/TWikiDevMailingList
[7]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9325 - CVE on MITRE.org
[8]: http://develop.twiki.org/~twiki4/cgi-bin/view/Bugs/Item7595

---++ Feedback

Please provide feedback at the security alert topic, http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-9325

-- Peter Thoeny - 2014-12-18


--
> Peter Thoeny     - Peter09[at]Thoeny.org
> http://bit.ly/MrTWiki - consulting on enterprise collaboration
> http://TWiki.org - is your team already TWiki enabled?
> Knowledge cannot be managed, it can be discovered and shared
> This e-mail is:   (_) private    (_) ask first    (x) public

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC