[TWiki-Dev] Security Alert: TWiki INCLUDE function allows DoS Attack on Itself

[Peter T. <pe...@th...>]

---+ TWiki INCLUDE function allows DoS Attack on Itself

This advisory alerts you of a potential security issue with your
TWiki installation: The TWiki INCLUDE function allows anyone with
edit rights to launch a DoS (denial of service) attack on the
TWiki server.

Important Notes:

    * This advisory will be posted at
      Codev.SecurityAdvisoryDosAttackWithInclude [1]. Please do not
      create that topic until publicly announced.
    * Please fix your TWiki as soon as possible; a public advisory
      will be done in a few hours. Please do not announce publicly
      until officially announced.
    * TWiki 4.0.2 will be released in a few days. It contains a fix
      for this vulnerability

TOC:

    * Vulnerable Software Version
    * Attack Vectors
    * Impact
    * Severity Level
    * MITRE Name for this Vulnerability
    * Details
    * Countermeasures
    * Authors and Credits
    * Workaround for all TWiki Versions
    * Hotfix
    * Action Plan with Timeline
    * External Links
    * Discussions


---++ Vulnerable Software Version

    * TWikiRelease04x00x01 -- TWiki-4.0.1.zip
    * TWikiRelease04x00x00 -- TWiki-4.0.0.zip
    * TWikiRelease04Sep2004 -- TWiki20040904.zip
    * TWikiRelease03Sep2004 -- TWiki20040903.zip
    * TWikiRelease02Sep2004 -- TWiki20040902.zip
    * TWikiRelease01Sep2004 -- TWiki20040901.zip
    * TWikiRelease01Feb2003 -- TWiki20030201.zip
    * TWikiRelease01Dec2001 -- TWiki20011201.zip
    * TWikiRelease01Sep2001 -- TWiki20010901.zip


---++ Attack Vectors

Editing a wiki page and adding an INCLUDE directive. Typically,
prior authentication is necessary (including anonymous
TWikiGuest accounts).


---++ Impact

An attacker is able to bring down a server within a few minutes
with a DoS attack. All memory is consumed, typically requiring
a reboot of the server machine.


---++ Severity Level

The TWiki SecurityTeam [2] triaged this issue as documented in
TWikiSecurityAlertProcess [3] and assigned the following severity
level:

    * Severity 2 issue: The TWiki installation is compromised


---++ MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the
name CVE-2006-1387 to this vulnerability.


---++ Details

Anyone with editing rights can add an INCLUDE by URL to a wiki
page that starts an infinite recursion. This can happen if the
wiki page includes itself by URL, or if the wiki page includes
another page (on the same site or another site) that includes
the originating wiki page by URL.

For example, a user can create a BombSite topic in the Sandbox
web and add this to the content:

%INCLUDE{"http://wiki.example.com/cgi-bin/view/Sandbox/BombSite"}%

Not affected is an include by wiki page name instead of URL.
TWiki already protects against recursive includes if the
included topics are referenced by topic name, e.g. the
following self-include is guarded against:

%INCLUDE{"%TOPIC%"}%


---++ Countermeasures

    * Prevent recursive include:
       * All TWiki versions: Apply workaround described below
    * Disable include by URL: (recommended for public TWiki sites)
       * Apply hotfix described below
       * Upgrade to TWiki 4.0.2 (to be released in a few days)
         - the configure script has a new {INCLUDE}{AllowURLs}
           flag that is turned off by default
    * Filter access to the web server
    * Use the web server software to restrict access to the web pages
      served by TWiki


---++ Authors and Credits

    * Credit to Kenneth Lavrsen for disclosing the issue
      to the twi...@li... mailing list and
      for providing the workaround
    * Crawford Currie for providing a fix in TWiki 4.0.2
    * Peter Thoeny for contributing to the advisory


---++ Workaround for all TWiki Versions

TWiki does not identify itself as a browser when including a URL.
This fact can be used to deny TWiki to access TWiki pages by URL,
thus preventing the infinite recursion.

In Apache's http.conf set an anonymous_spider environment variable
if the browser identification is empty. In the Directory setting
of TWiki's bin directiry, deny anonymous_spider from accessing
content. Example:

BrowserMatchNoCase ^$ anonymous_spider

<Directory "/var/www/twiki/bin">
     AllowOverride All
     Options ExecCGI
     Order Allow,Deny
     Allow from all
     Deny from env=anonymous_spider
</Directory>

Note: In case there is a Files sections with "allow from all"
in the Directory section, it needs to be removed because it would
overrule the Deny setting. Example Files section to remove:

    <Files "*">
        allow from all
    </Files>


---++ Hotfix

This hotfix disables includes by URL. This is recommended for public
TWiki sites even though it reduces the functionality of TWiki.

---+++ Hotfix for TWiki 4.0.0 and TWiki 4.0.1

In file twiki/lib/TWiki.pm, find sub _includeUrl. Add a return at
the very beginning as indicated below:

# Fetch content from a URL for inclusion by an INCLUDE
sub _includeUrl {
     my( $this, $theUrl, $thePattern, $theWeb, $theTopic ) = @_;

     # Fix for Codev.SecurityAdvisoryDosAttackWithInclude
     return "%RED% Include of URL is disabled %ENDCOLOR%";

     my $text = '';
     my $host = '';
     my $port = 80;
     my $path = '';
     my $user = '';
     my $pass = '';


---+++ Hotfix for earlier TWiki Releases

Apply above mentioned fix to sub handleIncludeUrl located in
file twiki/lib/TWiki.pm


---++ Action Plan with Timeline

| *Action* |
   | *Date/ Deadline* | *Status* | *Who* |
| Developer discloses issue to TWikiSecurityMailingList
   | 2006-03-22 | Done |.KennethLavrsen |
| Security team verifies issue |
   | 2006-03-23 | Done | CrawfordCurrie, PeterThoeny |
| Developer creates a fix for TWiki 4.0 |
   | 2006-03-23 | Done |.CrawfordCurrie |
| Developer proposes workaround |
   | 2006-03-23 | Done | KennethLavrsen |
| Security team verifies workaround |
   | 2006-03-24 | Done | PeterThoeny |
| Developer creates a hotfix for TWiki 4.0 |
   | 2006-03-24 | Done | PeterThoeny |
| Send alert to TWikiAnnounceMailingList and TWikiDevMailingList |
   | 2006-03-24 | Pending | PeterThoeny |
| Publish advisory in Codev web and update all related topics |
   | 2006-03-24 | Pending | PeterThoeny |
| Issue a public security advisory
   | 2006-03-24 | Pending | PeterThoeny |

__Note:__ A silent alert was not done because the
vulnerability was already made public in TWikiIRC on 2006-03-22



---++ External Links

    * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1387


-- Contributors: KennethLavrsen, PeterThoeny, CrawfordCurrie
  - 24 Mar 2006


[1]: 
http://twiki.org/cgi-bin/view/Codev/SecurityAdvisoryDosAttackWithInclude
Important Note: Please do not create above topic until publicly
announced
[2]: http://twiki.org/cgi-bin/view/Codev/SecurityTeam
[3]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess


-- 
    * Peter Thoeny                           Peter@Thoeny.org
    * Is your team already TWiki enabled?    http://TWiki.org
    * This e-mail is:  (x) public  (_) ask first  (_) private