[VulnWatch] TWiki Security Alert: Login bypass allows view of access restricted content (CVE-2006-6071)

From: Peter Thoeny (Peter@private)
Date: Thu Nov 30 2006 - 10:51:57 PST


This is a security advisory for TWiki installations:

Unauthorized users may view access restricted content
with a failed login. This applies only to TWiki
installations with sessions enabled using Apache 1.3,
not Apache 2.x.

    * Vulnerable Software Version
    * Attack Vectors
    * Impact
    * Severity Level
    * MITRE Name for this Vulnerability
    * Details
    * Countermeasures
    * Hotfix
    * Authors and Credits
    * Action Plan with Timeline
    * Feedback
    * External Links


---++ Vulnerable Software Version

    * TWikiRelease04x00x05  -- TWiki-4.0.5.zip
    * TWikiRelease04x00x04  -- TWiki-4.0.4.zip
    * TWikiRelease04x00x03  -- TWiki-4.0.3.zip
    * TWikiRelease04x00x02  -- TWiki-4.0.2.zip
    * TWikiRelease04x00x01  -- TWiki-4.0.1.zip
    * TWikiRelease04x00x00  -- TWiki-4.0.0.zip
    * TWikiRelease04Sep2004 -- TWiki20040904.zip (1)
    * TWikiRelease03Sep2004 -- TWiki20040903.zip (1)
    * TWikiRelease02Sep2004 -- TWiki20040902.zip (1)
    * TWikiRelease01Sep2004 -- TWiki20040901.zip (1)
      (1) - with SessionPlugin


---++ Attack Vectors

An unauthorized user can log in by cancelling out of a
failed login.


---++ Impact

An unauthorized user is able to view content in access
restricted topics. Editing topics and attaching files
is not impacted.


---++ Severity Level

The TWiki SecurityTeam [2] triaged this issue as
documented in TWikiSecurityAlertProcess [3] and
assigned the following severity level:

    * Severity 3 issue: TWiki content or browser is
      compromised


---++ MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has
assigned the name CVE-2006-6071 [4] to this
vulnerability.


---++ Details

Your site may be vulnerable if:

    1. You have ErrorDocument 401 set to point to the
       TWikiRegistration topic (or any other TWiki topic),
       and
    2. You are using !ApacheLogin with TWiki-4.0 and have
       sessions enabled, _or_ you are using an earlier
       TWiki version with SessionPlugin, and
    3. You are running Apache 1.3.

The exploit can be used to view pages protected by TWiki
permissions. It does not allow you to gain write
access. You can verify if your site is vulnerable as
follows:

    1. Click the 'Login' link in the left bar
    2. Enter the login name of a valid user, but an
       incorrect password.
    3. Click "Ok"
    4. If apache re-prompts, enter the same username and
       password again
    5. Click "Cancel"

If your site is vulnerable you will be redirected to the
TWikiRegistration topic with the valid user apparently
logged in (the name appears in the left bar).


---++ Countermeasures

    * Restrict access to the TWiki installation.
    * Apply the hotfix indicated below.

NOTE: The hotfix is known to prevent the current attacks,
but it might not be a complete fix.


---++ Hotfix

Delete the ErrorDocument line in the Apache configuration
(httpd.conf or .htaccess), *or* (preferred) change it to
point to a static HTML page. This page can safely contain
a link to the TWikiRegistration page. For example,

<html>
<head>
<title>Failed login</title>
</head>
<body>
Your login attempt failed.
<p>
Do you want to
<a href="/cgi-bin/view/TWiki/TWikiRegistration">register
in TWiki</a>?
</body>
</html>

(modify the href as appropriate for your site.)
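The following audit script is an added example and is not part of the advisory or of TWiki. It scans an httpd.conf or .htaccess fragment for the condition in item 1 of "Details" (an ErrorDocument 401 that points at a TWiki topic served through a CGI script instead of a static page); the /cgi-bin/ prefix is an assumption and should match your ScriptAlias.

```shell
#!/bin/sh
# audit_errordocument FILE [CGI_PREFIX]
#   Reports every "ErrorDocument 401" directive in FILE whose target path
#   begins with CGI_PREFIX (default /cgi-bin/), i.e. a TWiki topic rendered
#   by a CGI script rather than a static HTML page as the hotfix requires.
#   Exit status: 0 = no such directive found, 1 = at least one found.
audit_errordocument() {
    file="$1"
    prefix="${2:-/cgi-bin/}"
    # Drop comments first so a commented-out directive is not reported.
    hits=$(sed 's/#.*//' "$file" \
        | awk -v p="$prefix" '
            tolower($1) == "errordocument" && $2 == "401" {
                t = $3
                # Absolute URLs: strip scheme and host, compare the path only.
                sub(/^https?:\/\/[^\/]*/, "", t)
                if (index(t, p) == 1) print "line " NR ": " $0
            }')
    if [ -n "$hits" ]; then
        echo "$file: ErrorDocument 401 points at a CGI script; use a static page:"
        echo "$hits"
        return 1
    fi
    echo "$file: ok"
    return 0
}

# Constructed sample configs (not from a real site) showing the weak setting
# beside the corrected one from the hotfix.
tmp=$(mktemp -d)
printf 'ErrorDocument 401 /cgi-bin/view/TWiki/TWikiRegistration\n' \
    > "$tmp/vulnerable.conf"
printf 'ErrorDocument 401 /failed-login.html\n' > "$tmp/fixed.conf"
for f in vulnerable fixed; do
    if audit_errordocument "$tmp/$f.conf"; then :; fi
done
rm -r "$tmp"
```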


---++ Authors and Credits

    * Credit to TWiki:Main.GeorgeClark for disclosing the
      issue to the twiki-security mailing list
    * TWiki:Main.CrawfordCurrie for researching the issue
      and creating the recommended fix
    * TWiki:Main.PeterThoeny for creating the advisory


---++ Action Plan with Timeline

    * 2006-11-17: User discloses vulnerability to
      twiki-security
    * 2006-11-21: Developer verifies issue
    * 2006-11-21: Developer creates hotfix
    * 2006-11-21: Security team creates advisory
    * 2006-11-29: Send alert to TWikiAnnounceMailingList
      and TWikiDevMailingList
    * 2006-11-30: Publish advisory in Codev web and update
      all related topics
    * 2006-11-30: Issue a public security advisory


---++ Feedback

Please provide feedback at the security alert topic [1],
http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2006-6071


---++ External Links

[1]: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2006-6071
[2]: http://twiki.org/cgi-bin/view/Codev/SecurityTeam
[3]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess
[4]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6071

-- Contributors: Main.CrawfordCurrie, Main.PeterThoeny
- 30 Nov 2006


-- 
     * Peter Thoeny                       Peter@private
     * http://StructuredWikis.com - bringing wikis to the workplace
     * http://TWiki.org - is your team already TWiki enabled?
     * Knowledge cannot be managed, it can be discovered and shared
     * This e-mail is:   (_) private    (_) ask first    (x) public
