SecurityTracker.com
Category:  Application (Forum/Board/Portal) > TWiki
Vendors:  TWiki.org
TWiki Image Tag Processing Bug Permits Cross-Site Request Forgery Attacks
SecurityTracker Alert ID:  1022146
SecurityTracker URL:  http://securitytracker.com/id/1022146
CVE Reference:  CVE-2009-1339
Date:  Apr 30 2009
Impact:  Disclosure of user information, Modification of user information, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s):  4.3.0 and prior versions
Description:   A vulnerability was reported in TWiki. A remote user can conduct cross-site request forgery attacks.

A remote authenticated user (including an anonymous TWikiGuest user) can create a specially crafted image tag that, when viewed by the target user, will update pages on the target system with the privileges of the target user. The remote authenticated user can exploit this to gain administrative privileges on the target application.

Steve 'Ashcrow' Milner reported this vulnerability.

Impact:   A remote authenticated user (including an anonymous TWikiGuest user) can cause pages to be updated with the privileges of the target user.
Solution:   The vendor has issued a hotfix for TWiki-4.2.x and 4.3.0, available at:

http://twiki.org/p/pub/Codev/SecurityAlert-CVE-2009-1339/TWiki-4.3.0-c-hotfix-cve-2009-1339.zip

The patch-diff equivalent is available at:

http://twiki.org/p/pub/Codev/SecurityAlert-CVE-2009-1339/TWiki-4.3.0-c-diff-cve-2009-1339.txt

The vendor's advisory is available at:

http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2008-5305

Vendor URL:  twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2008-5305
Cause:   Access control error
Underlying OS:   Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


Source Message Contents

Date:  Wed, 29 Apr 2009 07:34:45 -0700
Subject:  TWiki Security Alert CVE-2009-1339: CSRF Vulnerability with Image Tag

This is a security advisory for TWiki installations:

A remote user may gain TWiki admin privileges with a specially crafted image tag.

   * Vulnerable Software Version
   * Attack Vectors
   * Impact
   * Severity Level
   * MITRE Name for this Vulnerability
   * Details
   * Countermeasures
   * Comprehensive Hotfix for TWiki Production Release 4.2.x and 4.3.0
   * Minimal Hotfix for TWiki Production Releases
   * Implications for TWiki Content and TWiki Applications
   * Authors and Credits
   * Action Plan with Timeline
   * Feedback
   * External Links


---++ Vulnerable Software Version

   * TWikiRelease04x03x00 -- TWiki-4.3.0.zip
   * TWikiRelease04x02x04 -- TWiki-4.2.4.zip
   * TWikiRelease04x02x03 -- TWiki-4.2.3.zip
   * TWikiRelease04x02x02 -- TWiki-4.2.2.zip
   * TWikiRelease04x02x01 -- TWiki-4.2.1.zip
   * TWikiRelease04x02x00 -- TWiki-4.2.0.zip
   * TWikiRelease04x01x02 -- TWiki-4.1.2.zip
   * TWikiRelease04x01x01 -- TWiki-4.1.1.zip
   * TWikiRelease04x01x00 -- TWiki-4.1.0.zip
   * TWikiRelease04x00x05 -- TWiki-4.0.5.zip
   * TWikiRelease04x00x04 -- TWiki-4.0.4.zip
   * TWikiRelease04x00x03 -- TWiki-4.0.3.zip
   * TWikiRelease04x00x02 -- TWiki-4.0.2.zip
   * TWikiRelease04x00x01 -- TWiki-4.0.1.zip
   * TWikiRelease04x00x00 -- TWiki-4.0.0.zip
   * and older versions


---++ Attack Vectors

The attack is carried out by editing wiki pages and by issuing HTTP GET
requests to the TWiki server (usually port 80/TCP). Prior authentication
is typically required, but an anonymous TWikiGuest account suffices. The
vulnerability exists because TWiki allows pages to be saved via HTTP GET,
which opens the door to CSRF (cross-site request forgery) attacks.


---++ Impact

An image tag can be crafted that, when viewed, updates pages in TWiki with
the attacker's content as the viewing user, including members of the
TWikiAdminGroup. This can be used to gain administrator privileges, change
access permissions and perform other actions.


---++ Severity Level

The TWiki SecurityTeam triaged this issue as documented in
TWikiSecurityAlertProcess [1] and assigned the following severity level:

   * Severity 2 issue: The TWiki installation is compromised


---++ MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name
CVE-2009-1339 to this vulnerability,
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1339


---++ Details

When a malicious user embeds an img tag in a TWiki page whose src points
to a TWiki script (such as the save script) instead of an image URL, that
script is executed, with the privileges of the viewing user, each time a
user looks at the page.

Example:

1. Edit a page and add this image tag:

<img alt="" src="%SCRIPTURLPATH{save}%/Sandbox/TestTopic?text=Did+I+really+update+this+page!" />

2. Ask another user to view the page with this image tag. The
Sandbox.TestTopic page is now updated by that user with the text "Did I
really update this page!".
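As an added example (not part of the advisory or of TWiki's own code), a defender-side scan over topic text for exactly the pattern described above: any img tag whose src resolves to a TWiki script rather than an image. The sample topic text is constructed; the script names come from the hotfix sections of this advisory.

```python
import re

# Constructed sample topic text: one benign image plus three CSRF-style
# tags modelled on the advisory (not taken from any real installation).
SAMPLE_TOPIC = """
---+ Test page
<img src="%PUBURLPATH%/Sandbox/TestTopic/logo.png" alt="logo" />
<img alt="" src="%SCRIPTURLPATH{save}%/Sandbox/TestTopic?text=Did+I+really+update+this+page!" />
<img src="/twiki/bin/upload/Sandbox/TestTopic?filename=x" />
<img src='%SCRIPTURL{"rename"}%/Sandbox/TestTopic' />
"""

# Scripts the advisory's hotfixes protect (save, register, rename, upload,
# manage, rest). Any of these in an <img src> is a state-changing request
# disguised as an image fetch.
STATE_CHANGING = {"save", "register", "rename", "upload", "manage", "rest"}

IMG_SRC = re.compile(r"<img\b[^>]*?\bsrc\s*=\s*(['\"])(.*?)\1", re.I | re.S)
# Variable form: %SCRIPTURL{save}% or %SCRIPTURLPATH{"save"}%
VAR_FORM = re.compile(r"%SCRIPTURL(?:PATH)?\{\s*[\"']?(\w+)[\"']?\s*\}%")
# Literal form: /twiki/bin/<script>/Web/Topic
PATH_FORM = re.compile(r"/bin/(\w+)(?:/|\?|$)")

def script_in_src(src):
    """Return the TWiki script name an img src resolves to, or None."""
    m = VAR_FORM.match(src) or PATH_FORM.search(src)
    return m.group(1) if m else None

def find_csrf_images(topic_text):
    """Return (line_no, script, src) for every img whose src targets a
    state-changing TWiki script instead of an image."""
    findings = []
    for m in IMG_SRC.finditer(topic_text):
        src = m.group(2)
        script = script_in_src(src)
        if script in STATE_CHANGING:
            line_no = topic_text.count("\n", 0, m.start()) + 1
            findings.append((line_no, script, src))
    return findings

if __name__ == "__main__":
    for line_no, script, src in find_csrf_images(SAMPLE_TOPIC):
        print(f"line {line_no}: img src calls the '{script}' script: {src}")
```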


---++ Countermeasures

   * Apply comprehensive hotfix or minimal hotfix (see patch below).
   * Upgrade to the latest patched production TWiki-4.3.1,
     TWikiRelease04x03x01 [2] (to be released around 2009-04-30)
   * Use the web server software to restrict access to the web pages
     served by TWiki.


---++ Comprehensive Hotfix for TWiki Production Release 4.2.x and 4.3.0

It is recommended to upgrade to the latest TWiki-4.3.1, which will be
made available in the next few days. In the meantime we provide a
comprehensive hotfix for TWiki-4.2.x and 4.3.0 only, containing all
patched files needed to fix this CSRF vulnerability. The patch prevents
any content update via HTTP GET. The following scripts are protected:
manage (critical actions only), register, rename, rest (critical
actions only), save, upload.

Affected files:

   * twiki/lib/TWiki/Plugins/EditTablePlugin.pm
   * twiki/lib/TWiki/Plugins/EditTablePlugin/Core.pm
   * twiki/lib/TWiki/Plugins/PreferencesPlugin.pm
   * twiki/lib/TWiki/Plugins/WysiwygPlugin.pm
   * twiki/lib/TWiki/UI.pm
   * twiki/lib/TWiki/UI/Manage.pm
   * twiki/lib/TWiki/UI/Register.pm
   * twiki/lib/TWiki/UI/Save.pm
   * twiki/lib/TWiki/UI/Upload.pm
   * twiki/templates/messages.tmpl
   * twiki/templates/oopsmore.tmpl
   * twiki/templates/registerconfirm.tmpl

Download comprehensive hotfix for TWiki-4.2.x and 4.3.0 from:
http://twiki.org/p/pub/Codev/SecurityAlert-CVE-2009-1339/TWiki-4.3.0-c-hotfix-cve-2009-1339.zip

Equivalent patch-diff is at
http://twiki.org/p/pub/Codev/SecurityAlert-CVE-2009-1339/TWiki-4.3.0-c-diff-cve-2009-1339.txt

Back up the twiki/lib and twiki/templates directories before applying
the hotfix. To apply the hotfix, unpack the zip file over your twiki
root directory on the TWiki server. Fix file ownership to match the
existing files.


---++ Minimal Hotfix for TWiki Production Releases

It is recommended to upgrade to the latest TWiki version, or to apply
the comprehensive hotfix above. If an immediate upgrade is not feasible
you can apply this minimal patch for TWiki Production Release 4.2.x and
4.3.0. There is no hotfix for older releases; take the minimal hotfix
as a guideline (line numbers may vary).

The minimal hotfix protects your TWiki installation with an Apache
configuration setting, instead of the scripts protecting themselves as
in the comprehensive fix.

Known issue of the minimal hotfix: A save operation after login may
fail the first time when template-login is used.

Affected files:

   * /etc/httpd/conf.d/twiki.conf (location of Apache configuration
     file may vary)
   * twiki/templates/messages.tmpl
   * twiki/templates/oopsmore.tmpl
   * twiki/templates/registerconfirm.tmpl

1. Patch /etc/httpd/conf.d/twiki.conf:

Within the <Directory "/var/www/twiki/bin"> directive, protect the
save, register and upload scripts so that they require the POST method,
by adding the following directives just above the
<FilesMatch "^(configure).*$"> directive:

--8<------8<------8<------8<------8<------8<------8<------8<--
# protect against cross-site request forgery
<FilesMatch "^(save|register|upload).*">
<LimitExcept POST>
   Deny From all
</LimitExcept>
</FilesMatch>
--8<------8<------8<------8<------8<------8<------8<------8<--

Don't forget to restart your browser. If you have a working .htaccess
file in the twiki/bin directory, make the changes there instead.
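To make the difference between the two fixes concrete, here is an added Python model, not TWiki's code and not the patch itself, that applies both policies to constructed requests: the comprehensive hotfix's "no content update via HTTP GET" rule for the scripts listed above, and this Apache FilesMatch/LimitExcept rule. The `action` query parameter and the placeholder critical-action name are assumptions, since the advisory does not list which manage or rest actions count as critical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Minimal hotfix: the advisory's FilesMatch pattern; <LimitExcept POST>
# denies every method other than POST for the matching scripts.
MINIMAL_PATTERN = re.compile(r"^(save|register|upload).*")

# Comprehensive hotfix: scripts the advisory lists. rename is covered here
# but not by the Apache rule. manage and rest are gated only for "critical
# actions", which the advisory does not enumerate, so the caller passes that
# set; reading it from an `action` query parameter is this demo's assumption.
ALWAYS_POST = {"save", "register", "rename", "upload"}
CRITICAL_ONLY = {"manage", "rest"}

def script_name(url):
    """'save' for /twiki/bin/save/Sandbox/TestTopic?text=x; None if not a bin URL."""
    m = re.search(r"/bin/([^/?]+)", urlsplit(url).path)
    return m.group(1) if m else None

def minimal_allows(method, url):
    script = script_name(url)
    if script and MINIMAL_PATTERN.match(script):
        return method == "POST"
    return True

def comprehensive_allows(method, url, critical_actions):
    script = script_name(url)
    if script in ALWAYS_POST:
        return method == "POST"
    if script in CRITICAL_ONLY:
        action = parse_qs(urlsplit(url).query).get("action", [None])[0]
        if action in critical_actions:
            return method == "POST"
    return True

def compare(requests, critical_actions):
    """[(method, url, allowed_by_minimal, allowed_by_comprehensive)] per request."""
    return [(m, u, minimal_allows(m, u), comprehensive_allows(m, u, critical_actions))
            for m, u in requests]

# Constructed requests: the advisory's img-tag GET, a legitimate POST, a GET
# to rename (stopped only by the comprehensive fix), a critical manage action
# with a placeholder name, and a harmless view.
SAMPLE_REQUESTS = [
    ("GET", "/twiki/bin/save/Sandbox/TestTopic?text=Did+I+really+update+this+page!"),
    ("POST", "/twiki/bin/save/Sandbox/TestTopic"),
    ("GET", "/twiki/bin/rename/Sandbox/TestTopic?newtopic=Gone"),
    ("GET", "/twiki/bin/manage/Main/TWikiUsers?action=PLACEHOLDER_critical"),
    ("GET", "/twiki/bin/view/Sandbox/TestTopic"),
]
```

Calling `compare(SAMPLE_REQUESTS, {"PLACEHOLDER_critical"})` shows the GET to rename passing the Apache rule but being refused by the comprehensive fix, which is why the advisory recommends the comprehensive hotfix or an upgrade over the minimal one.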

2. Patch twiki/templates/messages.tmpl:

--8<------8<------8<------8<------8<------8<------8<------8<--
--- messages.tmpl.save
+++ messages.tmpl
@@ -193,10 +193,10 @@

 %MAKETEXT{"Your activation code has been sent to [_1].  Either click on the link in your e-mail or enter the code in the box below to activate your membership. (This code is of the form \"YourName.xxxxxxxxxx\")" args="%PARAM1%"}%

-<form action="%SCRIPTURLPATH{"register"}%">
+<form action="%SCRIPTURLPATH{"register"}%" method="post">
<input type="hidden" name="action" value="verify" size="20" />
-<input type="text" name="code" size="20" />
-<input type="submit" class="twikiSubmit" value=' %MAKETEXT{"Submit"}% ' />
+<input type="text" name="code" value="%URLPARAM{ "code" encode="entity" }%" size="20" />
+<input type="submit" class="twikiSubmit" value=' %MAKETEXT{"Confirm registration"}% ' />
 </form>
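Review bot: the pre-fill `value="%URLPARAM{ "code" encode="entity" }%"` on the `code` input is what keeps the emailed activation link usable once the form is POST-only (the GET from the mail now only displays the form and the user confirms with a POST), and `encode="entity"` is required because the parameter is reflected into an attribute value; keep the encoding if this line is touched again. Two smaller points: `size="20"` on the hidden `action` input is dead markup in both versions, and `%MAKETEXT{"Confirm registration"}%` is a new translatable string replacing the old "Submit".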
--8<------8<------8<------8<------8<------8<------8<------8<--

3. Patch twiki/templates/oopsmore.tmpl:

--8<------8<------8<------8<------8<------8<------8<------8<--
--- oopsmore.tmpl.save
+++ oopsmore.tmpl
@@ -45,7 +45,8 @@

%TMPL:DEF{"setparent"}%#SetParent
---++ %MAKETEXT{"Set new topic parent"}%
-<form name="main" action="%SCRIPTURLPATH{"save"}%/%WEB%/%TOPIC%?action_save=1">
+<form name="main" action="%SCRIPTURLPATH{"save"}%/%WEB%/%TOPIC%" method="post">
+<input type='hidden' name='action_save' value='1' />
 <div class="twikiFormSteps">
 <div class="twikiFormStep">
 ---++!! %MAKETEXT{"Current parent:"}% %IF{"'NONE%SEARCH{ "^%TOPIC%$" scope="topic" regex="on" nosearch="on" nototal="on" format="$parent" }%'='NONE'" then="(none)" else='%SEARCH{ "^%TOPIC%$" scope="topic" regex="on" nosearch="on" nototal="on" format="[
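Review bot: the essential change is `method="post"`; without it the form submits a GET that the new `<LimitExcept POST>` rule on save rejects. Moving `action_save=1` into a hidden input is tidy but not required, since query-string parameters in a form action are still sent on a POST. Style point: the new `<input type='hidden' name='action_save' value='1' />` uses single quotes while the surrounding template uses double quotes. The hunk is truncated after the `Current parent:` line, so only part of the `@@ -45,7 +45,8 @@` region is reviewable here.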

Copyright 2012, SecurityGlobal.net LLC