SecurityTracker.com
SecurityTracker Archives
Category:   Application (Forum/Board/Portal)  >   TWiki
Vendors:   TWiki.org
TWiki Input Validation Flaw in WebSearch Topic Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1031400
SecurityTracker URL:  http://securitytracker.com/id/1031400
CVE Reference:   CVE-2014-9367
Date:  Dec 18 2014
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 6.0.0, 6.0.1
Description:   A vulnerability was reported in TWiki. A remote user can conduct cross-site scripting attacks.

The system does not properly filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the TWiki software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The WebSearch topic is affected.

A demonstration exploit URL is provided:

http://[target]/do/view/TWiki/WebSearch?search=Search&scope='"--></style></script><script>alert('CVE-2014-9367 vulnerable!')

The vendor was notified on December 9, 2014.

Robert Abela and Onur Yilmaz of Netsparker reported this vulnerability.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the TWiki software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   The vendor has issued a patch, available in the advisory.

The vendor's advisory is available at:

http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-9367

Vendor URL:  twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-9367
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  TWiki Security Alert CVE-2014-9367: XSS Vulnerability with Scope and Other URL Parameters of WebSearch

This is an advisory for TWiki Administrators: A specially crafted URL parameter to the WebSearch topic may expose a cross-site scripting vulnerability.

TWiki ( http://twiki.org ) is an Open Source Enterprise Wiki and Web Application Platform used by millions of people.

   * Vulnerable Software Version
   * Attack Vectors
   * Impact
   * Severity Level
   * MITRE Name for this Vulnerability
   * Details
   * Countermeasures
   * Hotfix for TWiki Production Release
   * Verify Hotfix
   * Authors and Credits
   * Action Plan with Timeline
   * External Links
   * Feedback

---++ Vulnerable Software Version

   * TWiki-6.0.0 and TWiki-6.0.1 [2]

---++ Attack Vectors

The attack is carried out with ordinary HTTP GET requests to the TWiki server (usually port 80/TCP), for example by getting a victim to view a wiki page or log in through a crafted link.

---++ Impact

Specially crafted parameters open up XSS (Cross-Site Scripting) attacks.

---++ Severity Level

The TWiki SecurityTeam triaged this issue as documented in TWikiSecurityAlertProcess [1] and assigned the following severity level:

   * Severity 3 issue: TWiki content or browser is compromised. 

---++ MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name CVE-2014-9367 [7] to this vulnerability. 

---++ Details

An attacker can pass specially crafted URL parameters to TWiki's WebSearch topic that cause arbitrary JavaScript to execute in the victim's browser. Example:

Specially crafted parameter to the view script of TWiki's WebSearch topic:

GET /do/view/TWiki/WebSearch?search=Search&scope='"--></style></script><script>alert('CVE-2014-9367 vulnerable!')</script>

TWiki decodes the URL parameters and reflects the scope value into the page; the browser then pops up a JavaScript alert box showing "CVE-2014-9367 vulnerable!"

---++ Countermeasures

   * Apply hotfix (see patch below).
   * Use the web server software to restrict access to the web pages served by TWiki.

---++ Hotfix for TWiki Production Release

No TWiki patch release will be done to address this issue. Instead, apply the patches below.

---+++ Patch lib/TWiki.pm

Affected file: =twiki/lib/TWiki.pm=

The patch removes the single quote (') from the character class of characters that sub urlEncode in TWiki.pm leaves unencoded; after the patch a single quote is emitted as %27:

=======( 8>< CUT )===============================================
--- lib/TWiki.pm   (revision 28490)
+++ lib/TWiki.pm   (working copy)
@@ -3178,7 +3178,7 @@
 sub urlEncode {
     my $text = shift;
 
-    $text =~ s/([^0-9a-zA-Z-_.:~!*'\/])/'%'.sprintf('%02x',ord($1))/ge;
+    $text =~ s/([^0-9a-zA-Z-_.:~!*\/])/'%'.sprintf('%02x',ord($1))/ge;
 
     return $text;
 }
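Review bot: removing ' from the keep-set closes the single-quote breakout, but this hunk only changes what urlEncode emits; the <, > and " characters of the PoC were already outside `[^0-9a-zA-Z-_.:~!*'\/]` and came out as %3c, %3e and %22 before the change, so a topic that reflects scope without going through urlEncode gets nothing from this hunk and needs the topic-level replacement in the next section. Two smaller points: the hyphen directly after A-Z is a literal only because Perl treats a hyphen that follows a range as one; writing the class as `[^0-9a-zA-Z_.:~!*\/-]` makes that explicit to the next reader. And `sprintf('%02x', ord($1))` on a character string with code points above 0xff yields output like %20ac rather than percent-encoded UTF-8 bytes, so callers have to hand this routine byte strings (or it should encode to UTF-8 first).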
=======( 8>< CUT )===============================================

The patch might be mangled in the e-mail. Get this patch from http://develop.twiki.org/~twiki4/cgi-bin/view/Bugs/Item7596 [8]

---+++ Patch TWiki system topics

Affected topics:

   * TWiki.SearchResultsPagination - source:
     http://develop.twiki.org/~twiki4/cgi-bin/view/TWiki/SearchResultsPagination?raw=on
   * TWiki.WebSearch - source:
     http://develop.twiki.org/~twiki4/cgi-bin/view/TWiki/WebSearch?raw=on
   * TWiki.WebSearchAdvanced - source:
     http://develop.twiki.org/~twiki4/cgi-bin/view/TWiki/WebSearchAdvanced?raw=on

To patch, copy the source of these topics, and do a "Raw Edit" on your topics to replace their content.

__Notes:__

   * Learn how to apply patches: http://twiki.org/cgi-bin/view/Codev/HowToApplyPatch
   * This issue is tracked at: http://develop.twiki.org/~twiki4/cgi-bin/view/Bugs/Item7596

---++ Verify Hotfix

To verify the patch, load TWiki's WebSearch topic with the following URL parameters:

http://twiki.example.com/do/view/TWiki/WebSearch?search=Search&scope='"--></style></script><script>alert('CVE-2014-9367 vulnerable!')

The site is still vulnerable if one or more dialog boxes with the text "CVE-2014-9367 vulnerable!" appear; with the hotfix applied the page renders without any alert.
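The script below is an added example, not code from TWiki or from the advisory's authors. It serves both the Details section and this verification step: it ports the two urlEncode character classes from the lib/TWiki.pm hunk so the encoder's output before and after the hotfix can be compared on the PoC payload, and it adds an offline classifier for the response body that the verification URL sends back (raw, percent-encoded, entity-encoded or absent) plus a probe that fetches that URL. The base URL http://twiki.example.com, the constructed response excerpts and the helper names (url_encode_vulnerable, url_encode_fixed, metacharacters_surviving, classify_reflection, probe) are this example's own; the advisory does not say in which context the patched topics reflect the parameter, so nothing here models that.

```python
"""Added example, not TWiki's own code: a port of the urlEncode character
classes before/after the CVE-2014-9367 hotfix, and an offline classifier for
what the advisory's verification URL sends back."""
import html
import re
import urllib.request
from urllib.parse import quote

# Character classes transcribed from the lib/TWiki.pm hunk. Perl reads the
# hyphen that follows A-Z in the original as a literal; it is written at the
# end of the class here so the port does not depend on that rule.
_UNSAFE_BEFORE = re.compile(r"[^0-9a-zA-Z_.:~!*'/-]")   # revision 28490: ' kept
_UNSAFE_AFTER = re.compile(r"[^0-9a-zA-Z_.:~!*/-]")     # hotfix: ' now encoded

# Scope payload from the advisory and the marker the classifier looks for.
MARKER = "<script>alert('CVE-2014-9367 vulnerable!')</script>"
POC_SCOPE = "'\"--></style></script>" + MARKER


def _url_encode(text, unsafe):
    """Mirror s/([^...])/'%'.sprintf('%02x',ord($1))/ge over UTF-8 bytes."""
    out = []
    for byte in text.encode("utf-8"):
        ch = chr(byte)
        out.append("%%%02x" % byte if unsafe.match(ch) else ch)
    return "".join(out)


def url_encode_vulnerable(text):
    """urlEncode as shipped in TWiki 6.0.0/6.0.1 (single quote passes through)."""
    return _url_encode(text, _UNSAFE_BEFORE)


def url_encode_fixed(text):
    """urlEncode after the hotfix (single quote becomes %27)."""
    return _url_encode(text, _UNSAFE_AFTER)


def metacharacters_surviving(encoded):
    """Characters in encoder output that are neither alphanumeric, '%', nor one
    of the punctuation characters the class keeps. Anything left here (a quote,
    bracket or parenthesis) can close the HTML or JavaScript context the value
    is interpolated into."""
    return {c for c in encoded if not re.match(r"[0-9a-zA-Z%_.:~!*/-]", c)}


def build_poc_url(base, scope=POC_SCOPE):
    """Verification URL from the advisory with scope encoded client-side; the
    server decodes it before the topic reflects it."""
    return "%s/do/view/TWiki/WebSearch?search=Search&scope=%s" % (
        base.rstrip("/"), quote(scope, safe=""))


def classify_reflection(body, marker=MARKER):
    """How the marker came back in a response body:
    'raw'             verbatim script tag: the site is vulnerable
    'percent-encoded' only the hotfix's %xx form is present
    'entity-encoded'  HTML-escaped text (&lt;script&gt;...)
    'absent'          not reflected at all"""
    if marker in body:
        return "raw"
    if url_encode_fixed(marker) in body:
        return "percent-encoded"
    if html.escape(marker) in body or html.escape(marker, quote=False) in body:
        return "entity-encoded"
    return "absent"


def probe(base, timeout=10.0):
    """Fetch the verification URL and classify the reflection. Network call;
    not exercised offline."""
    with urllib.request.urlopen(build_poc_url(base), timeout=timeout) as resp:
        return classify_reflection(resp.read().decode("utf-8", "replace"))


# Constructed response excerpts (not captured from a real server) showing the
# three reflection styles the classifier distinguishes.
SAMPLE_UNPATCHED = "<p>Search scope: " + POC_SCOPE + "</p>"
SAMPLE_PATCHED = ("<a href='/do/view/TWiki/WebSearch?search=Search&scope="
                  + url_encode_fixed(POC_SCOPE) + "'>Next page</a>")
SAMPLE_ESCAPED = "<p>Search scope: " + html.escape(POC_SCOPE) + "</p>"

if __name__ == "__main__":
    for name, enc in (("before hotfix", url_encode_vulnerable),
                      ("after hotfix", url_encode_fixed)):
        print("%-13s %s" % (name, enc(POC_SCOPE)))
        print("%-13s survivors: %s" % ("", sorted(metacharacters_surviving(enc(POC_SCOPE)))))
    for label, body in (("unpatched", SAMPLE_UNPATCHED), ("patched", SAMPLE_PATCHED),
                        ("escaped", SAMPLE_ESCAPED)):
        print("%-9s -> %s" % (label, classify_reflection(body)))
```

Run it stand-alone to see that the only metacharacter the pre-hotfix encoder lets through the PoC is the single quote, and that the hotfix leaves nothing outside alphanumerics, %, and the RFC 3986 punctuation the class keeps. Against a real site, probe("http://twiki.example.com") returning "raw" is the scripted equivalent of the alert box above; "percent-encoded" or "absent" is what a patched install should give.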

---++ Authors and Credits

   * Credit to Robert Abela ( robert[at]netsparker.com) and Onur Yilmaz (onur[at]netsparker.com) for disclosing the issue to the twiki-security@lists.sourceforge.net mailing list.
   * Peter Thoeny for verifying the issue, creating a fix, and creating the patch and advisory.

---++ Action Plan with Timeline

   * 2014-12-09 - Robert Abela of Netsparker (https://www.netsparker.com/) discloses issue to TWikiSecurityMailingList
   * 2014-12-09 - developer verifies issue - Peter Thoeny
   * 2014-12-09 - developer fixes code - Peter Thoeny
   * 2014-12-15 - security team creates advisory with hotfix - Peter Thoeny
   * 2014-12-16 - send alert to TWikiAnnounceMailingList [5] and TWikiDevMailingList [6] - Peter Thoeny
   * 2014-12-18 - publish advisory in Codev web and update all related topics - Peter Thoeny
   * 2014-12-18 - issue a public security advisory to fulldisclosure[at]seclists.org, cert[at]cert.org, vuln[at]secunia.com, bugs[at]securitytracker.com, submissions[at]packetstormsecurity.org - Peter Thoeny

---++ External Links

[1]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess
[2]: http://twiki.org/cgi-bin/view/Codev/TWikiRelease06x00x01
[3]: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-9367 (will be created on 2014-12-18)
[4]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityMailingList
[5]: http://twiki.org/cgi-bin/view/Codev/TWikiAnnounceMailingList
[6]: http://twiki.org/cgi-bin/view/Codev/TWikiDevMailingList
[7]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9367 - CVE on MITRE.org
[8]: http://develop.twiki.org/~twiki4/cgi-bin/view/Bugs/Item7596

---++ Feedback

Please provide feedback at the security alert topic, http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-9367

-- Peter Thoeny - 2014-12-18


--
> Peter Thoeny     - Peter09[at]Thoeny.org
> http://bit.ly/MrTWiki - consulting on enterprise collaboration
> http://TWiki.org - is your team already TWiki enabled?
> Knowledge cannot be managed, it can be discovered and shared
> This e-mail is:   (_) private    (_) ask first    (x) public

Copyright 2019, SecurityGlobal.net LLC