Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
|
TWiki Input Validation Flaw in %URLPARAM{}% Parameter Permits Cross-Site Scripting Attacks
|
|
SecurityTracker Alert ID: 1021351
|
|
SecurityTracker URL: http://securitytracker.com/id?1021351
|
|
CVE Reference: CVE-2008-5304
(Links to External Site)
|
Date: Dec 5 2008
|
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
|
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
|
Version(s): prior to 4.2.4
|
Description: A vulnerability was reported in TWiki. A remote user can conduct cross-site scripting attacks.
The software does not properly filter HTML code from user-supplied input in the TWiki %URLPARAM{}% parameter before displaying the
input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code
to be executed by the target user's browser. The code will originate from the site running the TWiki software and will run in the
security context of that site. As a result, the code will be able to access the target user's cookies (including authentication
cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take
actions on the site acting as the target user.
Marc Schoenefeld and TWiki:Main.SteveMilner of Red Hat Security Response Team
reported this vulnerability.
|
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the
TWiki software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as
the target user.
|
Solution: The vendor has issued a fixed version (4.2.4).
A hotfix is also available for versions 4.2.x.
The vendor's advisory is available at:
http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2008-5304
|
Vendor URL: twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2008-5304 (Links to External Site)
|
Cause: Input validation error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
Reported By: Peter Thoeny <peter.thoeny.public@twiki.net>
|
Message History:
None.
|
Source Message Contents
|
Date: Fri, 5 Dec 2008 11:27:51 -0800
From: Peter Thoeny <peter.thoeny.public@twiki.net>
Subject: TWiki Security Alert CVE-2008-5304: Cross-site scripting vulnerability with TWiki URLPARAM variable
|
This is a security advisory for TWiki installations:
The %URLPARAM{}% TWiki variable may expose a cross-site scripting
(XSS) vulnerability. The TWiki.org advisory is at http://twiki.org/cgi-bin/view/Codev/SecurityAlert-C
VE-2008-5304
(See also unrelated TWiki Security Alert CVE-2008-5305 - TWiki SEARCH
variable allows arbitrary shell command execution.)
* Vulnerable Software Version
* Attack Vectors
* Impact
* Severity Level
* MITRE Name for this Vulnerability
* Details
* Countermeasures
* Authors and Credits
* Hotfix for TWiki Production Release 4.2.x
* Fixing older TWiki Releases
* Feedback
* External Links
---++ Vulnerable Software Version
* TWikiRelease04x02x03 -- TWiki-4.2.3.zip
* TWikiRelease04x02x02 -- TWiki-4.2.2.zip
* TWikiRelease04x02x01 -- TWiki-4.2.1.zip
* TWikiRelease04x02x00 -- TWiki-4.2.0.zip
* TWikiRelease04x01x02 -- TWiki-4.1.2.zip
* TWikiRelease04x01x01 -- TWiki-4.1.1.zip
* TWikiRelease04x01x00 -- TWiki-4.1.0.zip
* TWikiRelease04x00x05 -- TWiki-4.0.5.zip
* TWikiRelease04x00x04 -- TWiki-4.0.4.zip
* TWikiRelease04x00x03 -- TWiki-4.0.3.zip
* TWikiRelease04x00x02 -- TWiki-4.0.2.zip
* TWikiRelease04x00x01 -- TWiki-4.0.1.zip
* TWikiRelease04x00x00 -- TWiki-4.0.0.zip
* and older versions
---++ Attack Vectors
Editing wiki pages and HTTP GET requests towards the wiki server
(typically port 80/TCP). Typically, prior authentication is necessary
(including anonymous TWikiGuest accounts).
---++ Impact
An unauthenticated remote attacker could exploit an XSS attack on a
TWiki site.
---++ Severity Level
The TWiki SecurityTeam triaged this issue as documented in
TWikiSecurityAlertProcess and assigned the following severity level:
* Severity 3 issue: TWiki content or browser is compromised
__Note:__ Severity 3 issues are usually handled as bugs without an
advisory, but this time an advisory is issued to raise the awareness
on possible XSS attacks.
---++ MITRE Name for this Vulnerability
The Common Vulnerabilities and Exposures project has assigned the name
CVE-2008-5304 to this vulnerability, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5304
---++ Details
The %URLPARAM{}% TWiki variable is a powerful command to create
dynamic wiki content and wiki applications. If a URLPARAM is not
properly encoded it may be open to XSS attacks. http://en.wikipedia.org/wiki/Cross-site_scripting
has details on XSS.
Specifically, the XSS vulnerability exists if the URLPARAM is used
inside an HTML form field value without adding proper encoding. Example:
<input type="text" name="city" value="%URLPARAM{ "city" }%"
/>
The attacker could construct a 'city' URL parameter with a double
quote to close the input value="" attribute, followed by additional
attributes.
Example 1:
* Go to http://example.com/twiki/view/TWiki/WebSearch?search=%27a%20onmouseover=alert(document.co
okie)%20%27
* Move your mouse over the 'Advanced search' link about half way
down the page.
* You should see a javascript popup that wasn't there before.
Example 2:
* Go to http://example.com/twiki/view/TWiki/ResetPassword?
username="<script language=Javascript>alert('3y3 0wn j00 TWIKI')</
script>
* You should see a javascript popup that wasn't there before.
To avoid XSS attacks, a URLPARAM inside a HTML form field value needs
to be entity encoded. This will escape special characters, so that
content will be displayed verbatim in the input field. Example of
properly encoding a URLPARAM in an input field value:
<input type="text" name="city" value="%URLPARAM{ "city"
encode="entity" }%" />
The TWiki distributions contains a number of pages that have non-
encoded URLPARAMs in HTML input fields. Those pages need to be fixed
to avoid XSS attacks.
One might think that URLPARAM should always be encoded. This is not a
viable option since it would introduce an incompatible spec change
that would break many dynamic reports and TWiki applications.
The responsibility relies with the users to monitor and/or lock down
wiki content to counter XSS exploits. Study http://twiki.org/cgi-bin/view/TWiki/VarURLPARAM
on proper use of URLPARAM.
---++ Countermeasures
* Apply hotfix (see patch below).
* Upgrade to the latest patched production TWiki-4.2.4
(TWikiRelease04x02x04 to be released shortly).
* Use the web server software to restrict access to the web pages
served by TWiki.
* Search your wiki content for %URLPARAM and encode them where
needed.
---++ Authors and Credits
* Credit to Marc Schoenefeld and TWiki:Main.SteveMilner of Red Hat
Security Response Team for disclosing the issue to the twiki-security@lists.sourceforge.net
mailing list, and for providing a proposed fix.
* TWiki:Main.PeterThoeny, TWiki:SopanShewale for contributing to
the fix, patch and advisory.
---++ Hotfix for TWiki Production Release 4.2.x
*Affected files:*
* twiki/data/TWiki/ChangePassword.txt
* twiki/data/TWiki/ChangePassword.txt,v
* twiki/data/TWiki/FormattedSearch.txt
* twiki/data/TWiki/FormattedSearch.txt,v
* twiki/data/TWiki/ResetPassword.txt
* twiki/data/TWiki/ResetPassword.txt,v
* twiki/data/TWiki/VarURLPARAM.txt
* twiki/data/TWiki/VarURLPARAM.txt,v
* twiki/data/TWiki/WebAtomBase.txt
* twiki/data/TWiki/WebAtomBase.txt,v
* twiki/data/TWiki/WebCreateNewTopicTemplate.txt
* twiki/data/TWiki/WebCreateNewTopicTemplate.txt,v
* twiki/data/TWiki/WebRssBase.txt
* twiki/data/TWiki/WebRssBase.txt,v
* twiki/data/TWiki/WebSearchAdvanced.txt
* twiki/data/TWiki/WebSearchAdvanced.txt,v
* twiki/data/TWiki/WebSearch.txt
* twiki/data/TWiki/WebSearch.txt,v
*Hotfix:* Unzip SecurityAlert-CVE-2008-5304-hotfix.zip file attached
to http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2008-5304
into your TWiki directory, preserving the directory structure. All
files should go into the twiki/data/TWiki directory.
---++ Fixing older TWiki Releases
There is no hotfix for older releases. Upgrade to the latest TWiki
version, or search your wiki content for %URLPARAM and encode them
where needed.
---++ Feedback
Please provide feedback at the security alert page on twiki.org,
http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2008-5304
---++ External Links
http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2008-5304 - CVE
on twiki.org
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5304 - CVE on
MITRE.org
http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess -
security alert process
http://twiki.org/cgi-bin/view/Codev/DownloadTWiki - download latest
TWiki release
-- Contributors: Marc Schoenefeld, Steve Milner, Sopan Shewale, Peter
Thoeny - 05 Dec 2008
--
* Peter Thoeny, CTO - peter.thoeny.public@twiki.net
* http://twiki.net - TWIKI.NET - the Enterprise Wiki
* http://twiki.org - is your team already TWiki enabled?
* Knowledge cannot be managed, it can be discovered and shared
* This e-mail is: (_) private (_) ask first (x) public
|
|
Go to the Top of This SecurityTracker Archive Page
|
