SecurityTracker.com
Category:  Application (Forum/Board/Portal)  >  TWiki Vendors:  TWiki.org
TWiki Input Validation Flaw in 'viewfile' Script Lets Remote Users Traverse the Directory
SecurityTracker Alert ID:  1016805
SecurityTracker URL:  http://securitytracker.com/id?1016805
CVE Reference:  CVE-2006-4294   (Links to External Site)
Date:  Sep 7 2006
Impact:  Disclosure of system information, Disclosure of user information
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Version(s): 4.0.0 - 4.0.4
Description:  A vulnerability was reported in TWiki. A remote user can view files on the target system.

The viewfile script does not validate the user-supplied 'filename' parameter. A remote user can supply a specially crafted HTTP request (the demonstration below is a plain GET URL) whose 'filename' value contains '../' sequences to view arbitrary files on the target system with the privileges of the web service.

A demonstration exploit URL is provided:

http://[target]/bin/viewfile/TWiki/TWikiDocGraphics?rev=1;filename=../../../../../etc/passwd

TWiki:Main.MinsungChoi and TWiki:Main.KoenMartens reported this vulnerability to the vendor.

Impact:  A remote user can view files on the target system with the privileges of the target web service.
Solution:  The vendor plans to issue Hotfix 3 for TWiki-4.0.4, to be available at:

http://twiki.org/cgi-bin/view/Codev/HotFix04x00x04x03

The TWiki advisory is available at:

http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2006-4294

Vendor URL:  twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2006-4294 (Links to External Site)
Cause:  Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  Peter Thoeny <Peter@StructuredWikis.com>
Message History:   None.


 Source Message Contents

Date:  Thu, 07 Sep 2006 08:30:10 -0700
From:  Peter Thoeny <Peter@StructuredWikis.com>
Subject:  TWiki Security Alert: Viewfile script allows view of arbitrary files


 
This is a security advisory for TWiki installations:
 
Unauthorized users may view arbitrary files of the server
file system with the viewfile script.
 
     * Vulnerable Software Version
     * Attack Vectors
     * Impact
     * Severity Level
     * MITRE Name for this Vulnerability
     * Details
     * Countermeasures
     * Hotfix
     * Authors and Credits
     * Action Plan with Timeline
     * Feedback
     * External Links
 
 
---++ Vulnerable Software Version
 
     * TWikiRelease04x00x04 -- TWiki-4.0.4.zip
     * TWikiRelease04x00x03 -- TWiki-4.0.3.zip
     * TWikiRelease04x00x02 -- TWiki-4.0.2.zip
     * TWikiRelease04x00x01 -- TWiki-4.0.1.zip
     * TWikiRelease04x00x00 -- TWiki-4.0.0.zip
 
 
---++ Attack Vectors
 
Supply a specially crafted HTTP request to the TWiki viewfile
script with a 'filename' parameter containing path traversal
sequences (the example under Details is a GET URL).
 
 
---++ Impact
 
An intruder is able to read any file on the server file
system that is readable by the webserver user (for example
nobody or wwwrun), such as /etc/passwd. Information gathered
this way can be used to attack the server further.
 
 
---++ Severity Level
 
The TWiki SecurityTeam [2] triaged this issue as documented
in TWikiSecurityAlertProcess [3] and assigned the following
severity level:
 
    * Severity 1 issue: The web server can be compromised
 
 
---++ MITRE Name for this Vulnerability
 
The Common Vulnerabilities and Exposures project has
assigned the name CVE-2006-4294 [4] to this vulnerability.
 
 
---++ Details
 
None of the TWiki 4.0.x releases sanitizes the filename
parameter of the viewfile script. This can be used to read
arbitrary files on the server. For example,
http://example.com/bin/viewfile/TWiki/TWikiDocGraphics?rev=1;filename=../../../../../etc/passwd
displays the content of the =/etc/passwd= file in the
browser.
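The following is an added example and not TWiki's code. It shows, in Python, how the unchecked 'filename' value from the Details section resolves to a file outside the attachment directory, ports the advisory's one-line hotfix (reject any slash or backslash) for comparison, and adds a canonical-path confinement check of the kind the advisory's NOTE says the hotfix may still lack. The install path =/srv/twiki/pub=, the web/topic names and the sample inputs are constructed for illustration; the decode step mirrors the single percent-decoding a CGI library applies to query values.

```python
# Added example (not TWiki's code): traversal resolution for CVE-2006-4294,
# the advisory's hotfix regex ported to Python, and a canonical-path check.
# PUB_DIR, web/topic names and SAMPLES are constructed for illustration.
import os
import re
from urllib.parse import unquote_plus

PUB_DIR = "/srv/twiki/pub"   # assumed install location; TWiki serves attachments from pub/


def decode_query_value(raw):
    """Mirror a CGI library's single percent-decoding of a query-string value."""
    return unquote_plus(raw)


def vulnerable_attachment_path(web, topic, filename):
    """TWiki 4.0.x behaviour: the filename is joined onto the topic dir unchecked."""
    return os.path.normpath(os.path.join(PUB_DIR, web, topic, filename))


HOTFIX_RE = re.compile(r"[/\\]")


def hotfix_rejects(filename):
    """Port of the advisory's one-line hotfix: reject a name holding '/' or '\\'."""
    return filename is None or HOTFIX_RE.search(filename) is not None


def confined_attachment_path(web, topic, filename):
    """Hardened lookup: allowlist the name, then prove the resolved path stays under the topic dir."""
    if filename is None or filename in ("", ".", "..") or "\x00" in filename:
        raise ValueError("Illegal attachment name")
    if hotfix_rejects(filename):
        raise ValueError("Illegal attachment name")
    base = os.path.realpath(os.path.join(PUB_DIR, web, topic))
    target = os.path.realpath(os.path.join(base, filename))
    # commonpath defeats '..' and symlink tricks, and also a sibling dir that
    # merely shares the string prefix (e.g. '.../TWikiDocGraphicsX')
    if os.path.commonpath([base, target]) != base:
        raise ValueError("attachment path escapes the topic directory")
    return target


def viewfile(web, topic, raw_filename, hardened):
    """Simulate one request; return the path that would be opened, or 'REJECTED'."""
    filename = decode_query_value(raw_filename)
    if not hardened:
        return vulnerable_attachment_path(web, topic, filename)
    try:
        return confined_attachment_path(web, topic, filename)
    except ValueError:
        return "REJECTED"


if __name__ == "__main__":
    SAMPLES = [  # constructed inputs
        "logo.gif",
        "../../../../../etc/passwd",                # the advisory's PoC value
        "..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd",    # same value, percent-encoded once
        "..\\..\\..\\..\\..\\boot.ini",             # backslash form for Windows hosts
    ]
    for s in SAMPLES:
        vuln = viewfile("TWiki", "TWikiDocGraphics", s, hardened=False)
        safe = viewfile("TWiki", "TWikiDocGraphics", s, hardened=True)
        print(f"{s!r:42} vulnerable -> {vuln!r}\n{'':42} hardened   -> {safe!r}")
```

With the constructed pub directory five components deep, five '..' segments land exactly on the filesystem root, so the vulnerable branch resolves the PoC value to =/etc/passwd=; the depth on a real install differs, which is why the advisory's URL simply uses enough '..' to be sure. The hardened branch rejects the traversal on the name check alone, and the realpath/commonpath step is what catches anything the denylist misses.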
 
 
---++ Countermeasures
 
    * Restrict access to the TWiki installation.
    * Apply the hotfix indicated below.
 
NOTE: The hotfix is known to prevent the current attacks,
but it might not be a complete fix.
 
 
---++ Hotfix
 
The accumulated Hotfix 3 for TWiki-4.0.4 contains an
improved version of the View.pm module, fixing the known
vulnerability. Hotfix 3 will be available at
http://twiki.org/cgi-bin/view/Codev/HotFix04x00x04x03 in
a few days.
 
If you prefer to fix your TWiki installation immediately,
add the line with "die" to the twiki/lib/TWiki/UI/View.pm
file:
 
Index: View.pm
===========================================================
--- View.pm     (revision 11339)
+++ View.pm     (working copy)
@@ -356,6 +356,7 @@
     my $topic = $session->{topicName};
 
     my $fileName = $query->param( 'filename' );
+   die "Illegal attachment name" if $fileName =~ m#[/\\]#;
 
     my $rev = $session->{store}->cleanUpRevID( $query->param( 'rev' ) );
 
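Review bot: the added `die` is a denylist of two characters applied to `$fileName` before the value has been checked for definedness, so a request without a 'filename' parameter matches `undef` against the regex (an "uninitialized value" warning under `use warnings`) and then carries on with an undefined name. Suggest `die "Illegal attachment name" unless defined $fileName && $fileName !~ m#[/\\]#;`, and, since the advisory's own NOTE says this may not be a complete fix, either accept only names that satisfy TWiki's attachment-name rules or, after building the path a few lines below, verify that it resolves under the topic's pub directory rather than trusting the character check alone. A comment marking the line as a stopgap pending Hotfix 3 would help the next reader.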
 
---++ Authors and Credits
 
    * Credit to TWiki:Main.MinsungChoi and
      TWiki:Main.KoenMartens for disclosing the issue to
      the twiki-security mailing list
    * TWiki:Main.CrawfordCurrie for creating a fix
    * TWiki:Main.KennethLavrsen for creating Hotfix 3 for
      TWiki release 4.0.4
    * TWiki:Main.PeterThoeny and TWiki:Main.KennethLavrsen
      for creating the advisory
 
 
---++ Action Plan with Timeline
 
    * 2006-08-20 and 08-28: User discloses vulnerability to
                  twiki-security
    * 2006-08-22: Developer verifies issue
    * 2006-08-22: Developer creates fix
    * 2006-08-31: Security team creates advisory
    * 2006-09-05: Send alert to twiki-announce mailing list
                  and twiki-dev mailing list
    * 2006-09-06: Developer creates Hotfix 3
    * 2006-09-07: Publish advisory on TWiki.org
    * 2006-09-07: Issue a public security advisory
 
---++ Feedback
 
Please provide feedback at the security alert topic [1],
http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2006-4294
 
 
---++ External Links
 
[1]: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2006-4294
[2]: http://twiki.org/cgi-bin/view/Codev/SecurityTeam
[3]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess
[4]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4294
[5]: http://twiki.org/cgi-bin/view/Codev/TWikiRelease04x00x04
[6]: http://twiki.org/cgi-bin/view/Codev/HotFix04x00x04x03
 
 
-- Contributors: Peter Thoeny, Crawford Currie,
Kenneth Lavrsen - 07 Sep 2006
 
 
-- 
     * Peter Thoeny                       Peter@StructuredWikis.com
     * http://StructuredWikis.com - bringing wikis to the workplace
     * http://TWiki.org - is your team already TWiki enabled?
     * Knowledge cannot be managed, it can be discovered and shared
     * This e-mail is:   (_) private    (_) ask first    (x) public
 



Copyright 2006, SecurityGlobal.net LLC