This is a security advisory for TWiki installations:
Unauthorized users may view arbitrary files of the server
file system with the viewfile script.
* Vulnerable Software Version
* Attack Vectors
* Impact
* Severity Level
* MITRE Name for this Vulnerability
* Details
* Countermeasures
* Hotfix
* Authors and Credits
* Action Plan with Timeline
* Feedback
* External Links
---++ Vulnerable Software Version
* TWikiRelease04x00x04 -- TWiki-4.0.4.zip
* TWikiRelease04x00x03 -- TWiki-4.0.3.zip
* TWikiRelease04x00x02 -- TWiki-4.0.2.zip
* TWikiRelease04x00x01 -- TWiki-4.0.1.zip
* TWikiRelease04x00x00 -- TWiki-4.0.0.zip
---++ Attack Vectors
Supply a specially crafted HTTP POST request on the TWiki
viewfile script.
---++ Impact
An intruder is able to view arbitrary files on the server
file system that are readable by the webserver user, such
as user nobody or wwwrun. The server can potentially be
exploited by reading system files such as /etc/passwd.
---++ Severity Level
The TWiki SecurityTeam [2] triaged this issue as documented
in TWikiSecurityAlertProcess [3] and assigned the following
severity level:
* Severity 1 issue: The web server can be compromised
---++ MITRE Name for this Vulnerability
The Common Vulnerabilities and Exposures project has
assigned the name CVE-2006-4294 [4] to this vulnerability.
---++ Details
All TWiki 4.0.x releases do not sanitize the filename
parameter of the viewfile script. This can used to read
arbitrary files on the server. For example,
http://example.com/bin/viewfile/TWiki/TWikiDocGraphics?rev=1;filename=../../../../../etc/passwd
dispays the content of the =/etc/passwd= file in the
browser.
---++ Countermeasures
* Restrict access to the TWiki installation.
* Apply the hotfix indicated below.
NOTE: The hotfix is known to prevent the current attacks,
but it might not be a complete fix
---++ Hotfix
The accumulated Hotfix 3 for TWiki-4.0.4 contains an
improved version of the View.pm module, fixing the known
vulnerability. Hotfix 3 will be available at
http://twiki.org/cgi-bin/view/Codev/HotFix04x00x04x03 in
a few days.
If you prefer to fix your TWiki installation immediately,
add the line with "die" to the twiki/lib/TWiki/UI/View.pm
file:
Index: View.pm
===========================================================
--- View.pm (revision 11339)
+++ View.pm (working copy)
@@ -356,6 +356,7 @@
my $topic = $session->{topicName};
my $fileName = $query->param( 'filename' );
+ die "Illegal attachment name" if $fileName =~ m#[/\\]#;
my $rev = $session->{store}->cleanUpRevID( $query->param( 'rev' ) );
---++ Authors and Credits
* Credit to TWiki:Main.MinsungChoi and
TWiki:Main.KoenMartens for disclosing the issue to
the twiki-security mailing list
* TWiki:Main.CrawfordCurrie for creating a fix
* TWiki:Main.KennethLavrsen for creating Hotfix 3 for
TWiki release 4.0.4
* TWiki:Main.PeterThoeny and TWiki:Main.KennethLavrsen
for creating the advisory
---++ Action Plan with Timeline
* 2006-08-20 and 08-28: User discloses vulnerability to
twiki-security
* 2006-08-22: Developer verifies issue
* 2006-08-22: Developer creates fix
* 2006-08-31: Security team creates advisory
* 2006-09-05: Send alert to twiki-announce mailing list
and twiki-dev mailing list
* 2006-09-06: Developer creates Hotfix 3
* 2006-09-07: Publish advisory on TWiki.org
* 2006-09-07: Issue a public security advisory
---++ Feedback
Please provide feedback at the security alert topic [1],
http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2006-4294
---++ External Links
[1]: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2006-4294
[2]: http://twiki.org/cgi-bin/view/Codev/SecurityTeam
[3]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess
[4]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4294
[5]: http://twiki.org/cgi-bin/view/Codev/TWikiRelease04x00x04
[6]: http://twiki.org/cgi-bin/view/Codev/HotFix04x00x04x03
-- Contributors: Peter Thoeny, Crawford Currie,
Kenneth Lavrsen - 07 Sep 2006
--
* Peter Thoeny Peter@private
* http://StructuredWikis.com - bringing wikis to the workplace
* http://TWiki.org - is your team already TWiki enabled?
* Knowledge cannot be managed, it can be discovered and shared
* This e-mail is: (_) private (_) ask first (x) public
This archive was generated by hypermail 2.1.3 : Fri Sep 08 2006 - 09:34:28 PDT