SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   TWiki Vendors:   TWiki.org
TWiki Input Validation Flaw in 'viewfile' Script Lets Remote Users Traverse the Directory
SecurityTracker Alert ID:  1016805
SecurityTracker URL:  http://securitytracker.com/id/1016805
CVE Reference:   CVE-2006-4294   (Links to External Site)
Date:  Sep 7 2006
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 4.0.0 - 4.0.4
Description:   A vulnerability was reported in TWiki. A remote user can view files on the target system.

The viewfile script does not properly validate user-supplied input in the 'filename' parameter. A remote user can supply a specially crafted HTTP POST request to view arbitrary files on target system with the privileges of the web service.

A demonstration exploit URL is provided:

http://[target]/bin/viewfile/TWiki/TWikiDocGraphics?rev=1;filename=../../../../../etc/passwd

TWiki:Main.MinsungChoi and TWiki:Main.KoenMartens reported this vulnerability to the vendor.

Impact:   A remote user can view files on the target system with the privileges of the target web service.
Solution:   The vendor plans to issue Hotfix 3 for TWiki-4.0.4, to be available at:

http://twiki.org/cgi-bin/view/Codev/HotFix04x00x04x03

The TWiki advisory is available at:

http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2006-4294

Vendor URL:  twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2006-4294 (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  TWiki Security Alert: Viewfile script allows view of arbitrary files

This is a security advisory for TWiki installations:

Unauthorized users may view arbitrary files of the server
file system with the viewfile script.

     * Vulnerable Software Version
     * Attack Vectors
     * Impact
     * Severity Level
     * MITRE Name for this Vulnerability
     * Details
     * Countermeasures
     * Hotfix
     * Authors and Credits
     * Action Plan with Timeline
     * Feedback
     * External Links


---++ Vulnerable Software Version

     * TWikiRelease04x00x04 -- TWiki-4.0.4.zip
     * TWikiRelease04x00x03 -- TWiki-4.0.3.zip
     * TWikiRelease04x00x02 -- TWiki-4.0.2.zip
     * TWikiRelease04x00x01 -- TWiki-4.0.1.zip
     * TWikiRelease04x00x00 -- TWiki-4.0.0.zip


---++ Attack Vectors

Supply a specially crafted HTTP POST request on the TWiki
viewfile script.


---++ Impact

An intruder is able to view arbitrary files on the server
file system that are readable by the webserver user, such
as user nobody or wwwrun. The server can potentially be
exploited by reading system files such as /etc/passwd.


---++ Severity Level

The TWiki SecurityTeam [2] triaged this issue as documented
in TWikiSecurityAlertProcess [3] and assigned the following
severity level:

    * Severity 1 issue: The web server can be compromised


---++ MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has
assigned the name CVE-2006-4294 [4] to this vulnerability.


---++ Details

All TWiki 4.0.x releases do not sanitize the filename
parameter of the viewfile script. This can used to read
arbitrary files on the server. For example,
http://example.com/bin/viewfile/TWiki/TWikiDocGraphics?rev=1;filename=../../../../../etc/passwd
dispays the content of the =/etc/passwd= file in the
browser.


---++ Countermeasures

    * Restrict access to the TWiki installation.
    * Apply the hotfix indicated below.

NOTE: The hotfix is known to prevent the current attacks,
but it might not be a complete fix


---++ Hotfix

The accumulated Hotfix 3 for TWiki-4.0.4 contains an
improved version of the View.pm module, fixing the known
vulnerability. Hotfix 3 will be available at
http://twiki.org/cgi-bin/view/Codev/HotFix04x00x04x03 in
a few days.

If you prefer to fix your TWiki installation immediately,
add the line with "die" to the twiki/lib/TWiki/UI/View.pm
file:

Index: View.pm
===========================================================
--- View.pm     (revision 11339)
+++ View.pm     (working copy)
@@ -356,6 +356,7 @@
     my $topic = $session->{topicName};

     my $fileName = $query->param( 'filename' );
+   die "Illegal attachment name" if $fileName =~ m#[/\\]#;

     my $rev = $session->{store}->cleanUpRevID( $query->param( 'rev' ) );


---++ Authors and Credits

    * Credit to TWiki:Main.MinsungChoi and
      TWiki:Main.KoenMartens for disclosing the issue to
      the twiki-security mailing list
    * TWiki:Main.CrawfordCurrie for creating a fix
    * TWiki:Main.KennethLavrsen for creating Hotfix 3 for
      TWiki release 4.0.4
    * TWiki:Main.PeterThoeny and TWiki:Main.KennethLavrsen
      for creating the advisory


---++ Action Plan with Timeline

    * 2006-08-20 and 08-28: User discloses vulnerability to
                  twiki-security
    * 2006-08-22: Developer verifies issue
    * 2006-08-22: Developer creates fix
    * 2006-08-31: Security team creates advisory
    * 2006-09-05: Send alert to twiki-announce mailing list
                  and twiki-dev mailing list
    * 2006-09-06: Developer creates Hotfix 3
    * 2006-09-07: Publish advisory on TWiki.org
    * 2006-09-07: Issue a public security advisory

---++ Feedback

Please provide feedback at the security alert topic [1],
http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2006-4294


---++ External Links

[1]: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2006-4294
[2]: http://twiki.org/cgi-bin/view/Codev/SecurityTeam
[3]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess
[4]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4294
[5]: http://twiki.org/cgi-bin/view/Codev/TWikiRelease04x00x04
[6]: http://twiki.org/cgi-bin/view/Codev/HotFix04x00x04x03


-- Contributors: Peter Thoeny, Crawford Currie,
Kenneth Lavrsen - 07 Sep 2006


-- 
     * Peter Thoeny                       Peter@StructuredWikis.com
     * http://StructuredWikis.com - bringing wikis to the workplace
     * http://TWiki.org - is your team already TWiki enabled?
     * Knowledge cannot be managed, it can be discovered and shared
     * This e-mail is:   (_) private    (_) ask first    (x) public
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC