SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Forum/Board/Portal)  >   TWiki
Vendors:   TWiki.org
TWiki Input Validation Flaw in the 'origurl' Parameter Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1025542
SecurityTracker URL:  http://securitytracker.com/id/1025542
CVE Reference:   CVE-2011-1838
Date:  May 18 2011
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 5.0.1 and prior versions
Description:   A vulnerability was reported in TWiki. A remote user can conduct cross-site scripting attacks.

The view and login scripts do not properly filter HTML code from user-supplied input in the 'origurl' parameter before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the TWiki software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The original advisory is available at:

http://www.mavitunasecurity.com/xss-vulnerability-in-twiki/

Mesut Timur reported this vulnerability.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the TWiki software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   The vendor has issued a fix (5.0.2).

A hotfix is also available.

The vendor's advisory is available at:

http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2011-1838

Vendor URL:  twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2011-1838
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  CVE-2011-1838: TWiki XSS Vulnerability with origurl parameter of login script

This advisory alerts you of two potential security issues with your  
TWiki installation: The login script may expose a cross-site scripting  
vulnerability when using the origurl parameter.

   * Vulnerable Software Version
   * Attack Vectors
   * Impact
   * Severity Level
   * MITRE Name for this Vulnerability
   * Details
   * Countermeasures
   * Hotfix for TWiki Production Releases
   * Authors and Credits
   * Action Plan with Timeline
   * External Links
   * Feedback


---++ Vulnerable Software Version

   * TWikiRelease05x00x01 -- TWiki-5.0.1.zip
   * TWikiRelease05x00x00 -- TWiki-5.0.0.zip
   * TWikiRelease04x03x02 -- TWiki-4.3.2.zip
   * TWikiRelease04x03x01 -- TWiki-4.3.1.zip
   * TWikiRelease04x03x00 -- TWiki-4.3.0.zip
   * TWikiRelease04x02x04 -- TWiki-4.2.4.zip
   * TWikiRelease04x02x03 -- TWiki-4.2.3.zip
   * TWikiRelease04x02x02 -- TWiki-4.2.2.zip
   * TWikiRelease04x02x01 -- TWiki-4.2.1.zip
   * TWikiRelease04x02x00 -- TWiki-4.2.0.zip
   * TWikiRelease04x01x02 -- TWiki-4.1.2.zip
   * TWikiRelease04x01x01 -- TWiki-4.1.1.zip
   * TWikiRelease04x01x00 -- TWiki-4.1.0.zip
   * TWikiRelease04x00x05 -- TWiki-4.0.5.zip
   * TWikiRelease04x00x04 -- TWiki-4.0.4.zip
   * TWikiRelease04x00x03 -- TWiki-4.0.3.zip
   * TWikiRelease04x00x02 -- TWiki-4.0.2.zip
   * TWikiRelease04x00x01 -- TWiki-4.0.1.zip
   * TWikiRelease04x00x00 -- TWiki-4.0.0.zip
   * and possibly older versions


---++ Attack Vectors

The attack is carried out by viewing wiki pages or by logging in, that is,
by issuing HTTP GET requests to the TWiki server (usually port 80/TCP).


---++ Impact

Specially crafted parameters open up XSS (Cross-Site Scripting) attacks.


---++ Severity Level

The TWiki SecurityTeam triaged this issue as documented in  
TWikiSecurityAlertProcess [1] and assigned the following severity level:

   * Severity 3 issue: TWiki content or browser is compromised.


---++ MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name  
CVE-2011-1838 [7] to this vulnerability.


---++ Details

A malicious person can use specially crafted URL parameters to TWiki  
view and login scripts that execute arbitrary Javascript code in the  
browser. Examples:

Specially crafted origurl parameter to the login script of TWiki:

GET /twiki/bin/login/Sandbox/WebHome?%27%221=;origurl=1%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert%280x00039C%29%3C/script%3E

GET /twiki/bin/login/Sandbox/WebHome?sudo=sudo;origurl=http://10.1.10.128/bin/view/Main/TWikiAdminUser%00%27%22--%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3Ealert%280x00044C%29%3C%2Fscript%3E

TWiki decodes the URL parameter and pops up a Javascript alert box
showing "924" (the decimal value of 0x00039C).

---++ Countermeasures

   * Apply hotfix (see patch below).
   * Upgrade to the latest patched production TWiki-5.0.2,
     TWikiRelease05x00x02 [2].
   * Use the web server software to restrict access to the web pages
     served by TWiki.


---++ Hotfix for TWiki Production Releases

It is recommended to upgrade to the latest TWiki version. If an  
immediate upgrade is not feasible you can apply this patch for  
Production Release TWiki-5.0.x, TWiki-4.3.x and TWiki-4.2.x. There is  
no hotfix for earlier TWiki releases; take the hotfix as a guideline  
(line numbers may vary). The patch sanitizes the origurl parameter.

---+++ Patch for TWiki-5.0.1, TWiki-5.0.0 and TWiki-4.3.x

Affected file: twiki/lib/TWiki/LoginManager/TemplateLogin.pm

Patch:
<verbatim>
--- TemplateLogin.pm.orig	2011-04-28 21:48:34.000000000 -0700
+++ TemplateLogin.pm	2011-05-01 17:15:10.000000000 -0700
@@ -139,6 +139,9 @@
      my $loginPass = $query->param( 'password' );
      my $remember  = $query->param( 'remember' );

+    # Item6673: Cleanup origurl parameter
+    $origurl   =~ s/[^a-zA-Z0-9_\-\.\:\/\?\;\&]//g;
+
      # Eat these so there's no risk of accidental passthrough
      $query->delete( 'origurl', 'username', 'password' );
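Review bot: the added `$origurl   =~ s/[^a-zA-Z0-9_\-\.\:\/\?\;\&]//g;` line strips rather than rejects, and `=`, `%` and `#` are outside the allowed set, so a legitimate origurl that carries a query string or percent-encoding (e.g. `.../WebHome?rev=2`) is silently rewritten to `.../WebHome?rev2` and the post-login redirect target changes; consider allowing `=` and `%`, or rejecting and logging values that contain disallowed characters, and escaping origurl where the login template renders it so the page does not depend on this filter alone. The hunk also assumes `$origurl` was already read from `$query` above the context shown.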
</verbatim>

---+++ Patch for TWiki-4.2.x

Affected file: twiki/lib/TWiki/Client/TemplateLogin.pm

Patch:
<verbatim>
--- TemplateLogin.pm.save1	2007-03-03 06:45:57.000000000 -0800
+++ TemplateLogin.pm	2011-05-13 15:21:41.000000000 -0700
@@ -107,6 +107,9 @@
      my $loginName = $query->param( 'username' );
      my $loginPass = $query->param( 'password' );

+    # Item6673: Cleanup origurl parameter
+    $origurl   =~ s/[^a-zA-Z0-9_\-\.\:\/\?\;\&]//g;
+
      # Eat these so there's no risk of accidental passthrough
      $query->delete('origurl', 'username', 'password');
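Review bot: the header `@@ -107,6 +107,9 @@` counts six original lines, but only five context lines appear in the hunk (the two `my` lines, a blank line, and the two lines around `$query->delete`), so patch(1) may report a malformed hunk unless the dropped trailing context line is restored or the counts are corrected; the 5.0.x hunk above has the same mismatch. The added lines are otherwise identical to the 5.0.x patch and carry the same caveat that `=` and `%` are stripped from origurl.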
</verbatim>
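To see what the hotfix whitelist actually does to the first example request in the Details section, here is an added Python port (not code from the advisory or from TWiki itself) that splits the query string the way CGI.pm does, decodes the origurl value, and applies the patch's character class; the escape function shows output encoding as the alternative a defender would normally prefer. The query string is copied from the advisory; the `rev=2` URL mentioned below is a constructed example.

```python
import re
import html
from urllib.parse import unquote

# Query string (the part after '?') of the advisory's first example request.
# CGI.pm, which TWiki uses, splits parameters on both ';' and '&'.
EXAMPLE_QUERY = ("%27%221=;origurl=1%27%22--%3E%3C/style%3E%3C/script%3E"
                 "%3Cscript%3Ealert%280x00039C%29%3C/script%3E")

# Python port of the character class used by the hotfix:
#   $origurl =~ s/[^a-zA-Z0-9_\-\.\:\/\?\;\&]//g;
NOT_ALLOWED = re.compile(r'[^a-zA-Z0-9_\-.:/?;&]')


def parse_query(query):
    """Return {name: value} for a CGI.pm-style query (';' or '&' separators)."""
    params = {}
    for pair in re.split(r'[;&]', query):
        if not pair:
            continue
        name, _, value = pair.partition('=')
        params[unquote(name)] = unquote(value)
    return params


def hotfix_sanitize(origurl):
    """Strip every character outside the hotfix whitelist (silently, as the patch does)."""
    return NOT_ALLOWED.sub('', origurl)


def contains_markup(value):
    """True if the value could close an HTML attribute or insert a tag."""
    return any(c in value for c in '<>"\'')


def escape_for_attribute(origurl):
    """Alternative to stripping: keep the value intact but encode it for HTML output."""
    return html.escape(origurl, quote=True)


if __name__ == '__main__':
    decoded = parse_query(EXAMPLE_QUERY)['origurl']
    print('decoded  :', decoded)
    print('sanitized:', hotfix_sanitize(decoded))
    print('escaped  :', escape_for_attribute(decoded))
```

Because `=` and `%` are outside the whitelist, a legitimate origurl such as `http://wiki.example/bin/view/Main/WebHome?rev=2` comes out as `...?rev2`, which is why rejecting disallowed input or escaping at output time is the more robust fix.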


---++ Authors and Credits

   * Credit to Mesut Timur (mesut[at]mavitunasecurity.com) for disclosing
     the issue to the twiki-security@lists.sourceforge.net mailing list.
   * TWiki:Main.GeorgeTrubisky for creating TWiki-5.0.2 patch release
     with a fix.
   * TWiki:Main.PeterThoeny for verifying the issue, creating a fix, and
     creating the patch and advisory.


---++ Action Plan with Timeline

   * 2011-05-03: Developer releases TWiki-5.0.2 with fix (George Trubisky)
   * 2011-05-15: Security team creates advisory with hotfix (Peter Thoeny)
   * 2011-05-16: Send alert to TWikiAnnounceMailingList [5] and
     TWikiDevMailingList [4] (Peter Thoeny)
   * 2011-05-18: Publish advisory in Codev web and update all related
     topics (Peter Thoeny)
   * 2011-05-18: Issue a public security advisory to
     full-disclosure@lists.netsys.com, cert@cert.org, vuln@secunia.com,
     bugs@securitytracker.com (Peter Thoeny)


---++ External Links

[1]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess
[2]: http://twiki.org/cgi-bin/view/Codev/TWikiRelease05x00x02
[3]: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-2011-1838
[4]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityMailingList
[5]: http://twiki.org/cgi-bin/view/Codev/TWikiAnnounceMailingList
[6]: http://twiki.org/cgi-bin/view/Codev/TWikiDevMailingList
[7]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1838 - CVE on MITRE.org
[8]: http://www.mavitunasecurity.com/xss-vulnerability-in-twiki/ - Mavituna Security


---++ Feedback

Please provide feedback at the security alert topic,
http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2011-1838

-- Main.PeterThoeny - 2011-05-18

--
   * Peter Thoeny, CTO - peter.thoeny.public[at]twiki.net
   * http://twiki.net  - Twiki, Inc. - Enterprise Agility
   * http://twiki.org  - is your team already TWiki enabled?
   * Knowledge cannot be managed, it can be discovered and shared
   * This e-mail is:   (_) private    (_) ask first    (x) public
