September 2005
TWiki - TWiki INCLUDE function allows arbitrary shell command execution
ID: 00847
Ref: 790/05
Date: 28 September 2005:14:53:26
Version: 1
Title: TWiki - TWiki INCLUDE function allows arbitrary shell command execution
Abstract: The rev parameter of the INCLUDE variable is not checked properly for shell metacharacters and is thus vulnerable to revision numbers containing pipes and shell commands
Vendors affected: Twiki
Operating systems affected: Twiki
Applications affected: Twiki
Title
=====
TWiki - TWiki INCLUDE function allows arbitrary shell command execution
Detail
======
UNIRAS COMMENT - Please note that the patches discussed in this advisory are not
attached to this briefing, but are available from the first URL below.
This advisory alerts you of a potential security issue with your
TWiki installation: The TWiki INCLUDE function allows arbitrary
shell command execution. The permanent place for this advisory is
http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithInclude
where you can see updates and follow-ups.
If you do not use TWiki, please ignore this e-mail. If you don't
administer your TWiki site, or started a site now administered by
someone else, please pass it to the current TWiki site administrator.
Please also see the unrelated security audit on visible lib directories:
http://twiki.org/cgi-bin/view/Codev/SecurityAuditOnVisibleLibDir
Table of Contents:
* Vulnerable Software Version
* Attack Vectors
* Impact
* MITRE Name for this Vulnerability
* Details
* Countermeasures
* Authors and Credits
* Hotfix
* Patch for TWiki Production Release 03-Sep-2004
* Patch for TWiki Production Release 02-Sep-2004
* Patch for TWiki Production Release 01-Feb-2003
* TWiki News
---++ Vulnerable Software Version
* TWikiRelease03Sep2004[2] -- TWiki20040903.zip
* TWikiRelease02Sep2004[3] -- TWiki20040902.zip
* TWikiRelease01Sep2004[4] -- TWiki20040901.zip
* TWikiRelease01Feb2003[5] -- TWiki20030201.zip
Not affected are:
* Recent DakarReleases[6] (upcoming production release, soon)
* TWikiRelease01Sep2004 patched with Florian Weimer's
UncoordinatedSecurityAlert23Feb2005[7]
---++ Attack Vectors
Editing wiki pages and HTTP GET requests towards the Wiki server
(typically port 80/TCP). Typically, prior authentication is
necessary (including anonymous TWikiGuest accounts).
---++ Impact
An attacker is able to execute arbitrary shell commands with the
privileges of the web server process, such as user nobody.
---++ MITRE Name for this Vulnerability
The Common Vulnerabilities and Exposures project has assigned the
name CAN-2005-3056 to this vulnerability.
---++ Details
The TWiki INCLUDE function enables a malicious user to compose a
command line executed by the Perl backtick (``) operator.
The rev parameter of the INCLUDE variable is not checked properly
for shell metacharacters and is thus vulnerable to revision
numbers containing pipes and shell commands. The exploit is
possible on included topics with two or more revisions.
Example INCLUDE variable exploiting the rev parameter:
%INCLUDE{ "Main.TWikiUsers" rev="2|less /etc/passwd" }%
The same vulnerability is exposed to all Plugins and add-ons that
use TWiki::Func::readTopicText[8] function to read a previous topic
revision. This has been tested on TWiki:Plugins.RevCommentPlugin[9]
and TWiki:Plugins.CompareRevisionsAddon[10].
If access to TWiki is not restricted by other means, attackers can
use the revision function with or without prior authentication,
depending on the configuration.
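The check a maintainer of TWiki or of a plugin using readTopicText would want is shown below as an added example; it is not TWiki's own code. It assumes a hypothetical untaint_rev() helper and stands in this perl binary ($^X) for the real revision-reading command so it runs anywhere, with the vulnerable backtick pattern from the advisory kept only as a comment:

```perl
#!/usr/bin/perl
# Added example (not TWiki's own code): validating an INCLUDE-style rev
# parameter before it is used to build a command line.
use strict;
use warnings;

# Vulnerable pattern described in the advisory: the raw rev value is
# interpolated into a backtick command, so "2|less /etc/passwd" becomes
# part of a shell pipeline.  Shown as a comment only:
#   my $text = `co -q -p1.$rev $file`;

# Accept only a plain revision number.  "1.N" (RCS style) is tolerated;
# anything else, including pipes and other metacharacters, is rejected.
sub untaint_rev {
    my ($rev) = @_;
    return undef unless defined $rev;
    $rev =~ s/^\s+|\s+$//g;        # strip surrounding whitespace
    $rev =~ s/^1\.//;               # "1.2" -> "2"
    return undef unless $rev =~ /^([1-9][0-9]{0,8})$/;
    return $1;                      # the capture also untaints under -T
}

# Run the revision-reading command without a shell.  The list form of
# open() hands each argument straight to execvp(), so nothing in $rev
# can be parsed as shell syntax even if validation were ever bypassed.
# $^X (this perl binary) stands in for the real "co" command here.
sub read_rev_no_shell {
    my ($rev) = @_;
    my $clean = untaint_rev($rev);
    die "rejected revision parameter: '$rev'\n" unless defined $clean;
    my @cmd = ($^X, '-e', 'print "revision $ARGV[0]\n"', "1.$clean");
    open(my $fh, '-|', @cmd) or die "cannot run command: $!\n";
    local $/;                       # slurp the whole output
    my $out = <$fh>;
    close $fh;
    return $out;
}

# Constructed candidate values, including the advisory's exploit string.
for my $candidate ('2', '1.3', ' 7 ', '2|less /etc/passwd', '0', '') {
    my $out = eval { read_rev_no_shell($candidate) };
    print defined $out ? "OK   $out" : "DENY $@";
}
```

The first three candidates print "revision 1.N"; the pipe payload, "0" and the empty string are rejected before any command is built.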
See Also:
* IncludePreviousTopicRevision[11]
* SecurityAlertExecuteCommandsWithRev[12]
* SecurityAlertExecuteCommandsWithSearch[13]
* UncoordinatedSecurityAlert23Feb2005[7]
---++ Countermeasures
* Apply hotfix (see patches below)
* NOTE: The hotfix is known to prevent the current attacks,
but it might not be a complete fix
* Upgrade to the latest patched production TWikiRelease04Sep2004[1]
* NOTE: If you are running an *unmodified*
TWikiRelease01Sep2004[4], TWikiRelease02Sep2004[3] or
TWikiRelease03Sep2004[2], simply copy the following patched
files from TWikiRelease04Sep2004 to your installation:
lib/TWiki.pm, lib/TWiki/Store.pm, lib/TWiki/UI/RDiff.pm,
lib/TWiki/UI/View.pm, lib/TWiki/UI/Viewfile.pm
* Apply patch of UncoordinatedSecurityAlert23Feb2005[7] (but see
known issues of that patch)
* Filter access to the web server
* Use the web server software to restrict access to the web pages
served by TWiki
---++ Authors and Credits
* Credit to TWiki:Main.JChristophFuchs (jcf@ipp.mpg.de) and
TWiki:Main.JoseLuna (luna@aditel.org) for disclosing the issue
to the twiki-security@lists.sourceforge.net mailing list
* TWiki:Main.JoseLuna for contributing a more robust patch to
recent SecurityAlertExecuteCommandsWithRev[12] issue (included
in this patch)
* TWiki:Main.PeterThoeny, TWiki:Main.JoseLuna,
TWiki:Main.CrawfordCurrie for contributing to the advisory and
the patch
---++ Hotfix
---+++ Patch for TWiki Production Release 03-Sep-2004
Affected files: twiki/lib/TWiki.pm, twiki/lib/TWiki/Store.pm,
lib/TWiki/UI/RDiff.pm, lib/TWiki/UI/View.pm,
lib/TWiki/UI/Viewfile.pm
See attached patch file TWiki200409-03-04patch.txt
---+++ Patch for TWiki Production Release 02-Sep-2004
Affected files: twiki/lib/TWiki.pm, twiki/lib/TWiki/Store.pm,
lib/TWiki/UI/RDiff.pm, lib/TWiki/UI/View.pm,
lib/TWiki/UI/Viewfile.pm
See attached patch file TWiki200409-02-04patch.txt
---+++ Patch for TWiki Production Release 01-Feb-2003
__Note:__ This assumes that the release is already patched with
SecurityAlertExecuteCommandsWithRev[12] fix.
Affected files: twiki/lib/TWiki/Store.pm, twiki/bin/rdiff,
twiki/bin/view, twiki/bin/viewfil=
See attached patch file TWiki200302-01-04patch.txt
---++ TWiki News
* A new TWiki release is upcoming soon, code named DakarRelease[6]
* To customize your TWiki installation, TWiki.org now offers
177 Plugin packages[14], 56 Add-on packages[15], 30 Skin
packages[16], and 11 TWiki contrib packages[17]
* Codev.TWikiSecurityAlertProcess[18] documents our security
process
* Wikis and TWiki get covered more by the press[19]
* TWiki is represented at the International Symposium on Wikis[20]
in San Diego, 17-18 Oct 2005
* A new book on Wikis in the Workplace is in the works[21]
Best regards,
Peter
[1]: http://twiki.org/cgi-bin/view/Codev/TWikiRelease04Sep2004
[2]: http://twiki.org/cgi-bin/view/Codev/TWikiRelease03Sep2004
[3]: http://twiki.org/cgi-bin/view/Codev/TWikiRelease02Sep2004
[4]: http://twiki.org/cgi-bin/view/Codev/TWikiRelease01Sep2004
[5]: http://twiki.org/cgi-bin/view/Codev/TWikiRelease01Feb2003
[6]: http://twiki.org/cgi-bin/view/Codev/DakarReleases
[7]: http://twiki.org/cgi-bin/view/Codev/UncoordinatedSecurityAlert23Feb2005
[8]: http://twiki.org/cgi-bin/view/TWiki/TWikiFuncModule
[9]: http://twiki.org/cgi-bin/view/Plugins/RevCommentPlugin
[10]: http://twiki.org/cgi-bin/view/Plugins/CompareRevisionsAddon
[11]: http://twiki.org/cgi-bin/view/Codev/IncludePreviousTopicRevision
[12]: http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithRev
[13]: http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearch
[14]: http://twiki.org/cgi-bin/view/Plugins/PluginPackage
[15]: http://twiki.org/cgi-bin/view/Plugins/AddOnPackage
[16]: http://twiki.org/cgi-bin/view/Plugins/SkinPackage
[17]: http://twiki.org/cgi-bin/view/Plugins/ContribPackage
[18]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess
[19]: http://twiki.org/cgi-bin/view/Codev/TWikiInTheNews
[20]: http://twiki.org/cgi-bin/view/Codev/InternationalSymposiumOnWikis
[21]: http://twiki.org/cgi-bin/view/Codev/WikisInTheWorkplaceBook