From: Peter T. <pe...@th...> - 2006-03-25 01:51:57
---+ TWiki INCLUDE function allows DoS Attack on Itself

This advisory alerts you of a potential security issue with your TWiki installation: The TWiki INCLUDE function allows anyone with edit rights to launch a DoS (denial of service) attack on the TWiki server.

Important Notes:
   * This advisory will be posted at Codev.SecurityAdvisoryDosAttackWithInclude [1]. Please do not create that topic until publicly announced.
   * Please fix your TWiki as soon as possible; a public advisory will be done in a few hours. Please do not announce publicly until officially announced.
   * TWiki 4.0.2 will be released in a few days. It contains a fix for this vulnerability.

TOC:
   * Vulnerable Software Version
   * Attack Vectors
   * Impact
   * Severity Level
   * MITRE Name for this Vulnerability
   * Details
   * Countermeasures
   * Authors and Credits
   * Workaround for all TWiki Versions
   * Hotfix
   * Action Plan with Timeline
   * External Links
   * Discussions

---++ Vulnerable Software Version

   * TWikiRelease04x00x01 -- TWiki-4.0.1.zip
   * TWikiRelease04x00x00 -- TWiki-4.0.0.zip
   * TWikiRelease04Sep2004 -- TWiki20040904.zip
   * TWikiRelease03Sep2004 -- TWiki20040903.zip
   * TWikiRelease02Sep2004 -- TWiki20040902.zip
   * TWikiRelease01Sep2004 -- TWiki20040901.zip
   * TWikiRelease01Feb2003 -- TWiki20030201.zip
   * TWikiRelease01Dec2001 -- TWiki20011201.zip
   * TWikiRelease01Sep2001 -- TWiki20010901.zip

---++ Attack Vectors

Editing a wiki page and adding an INCLUDE directive. Typically, prior authentication is necessary (including anonymous TWikiGuest accounts).

---++ Impact

An attacker is able to bring down a server within a few minutes with a DoS attack. All memory is consumed, typically requiring a reboot of the server machine.
---++ Severity Level

The TWiki SecurityTeam [2] triaged this issue as documented in TWikiSecurityAlertProcess [3] and assigned the following severity level:
   * Severity 2 issue: The TWiki installation is compromised

---++ MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name CVE-2006-1387 to this vulnerability.

---++ Details

Anyone with editing rights can add an INCLUDE by URL to a wiki page that starts an infinite recursion. This can happen if the wiki page includes itself by URL, or if the wiki page includes another page (on the same site or another site) that includes the originating wiki page by URL. For example, a user can create a BombSite topic in the Sandbox web and add this to the content:

   %INCLUDE{"http://wiki.example.com/cgi-bin/view/Sandbox/BombSite"}%

Not affected is an include by wiki page name instead of URL. TWiki already protects against recursive includes if the included topics are referenced by topic name, e.g. the following self-include is guarded against:

   %INCLUDE{"%TOPIC%"}%

---++ Countermeasures

   * Prevent recursive include:
      * All TWiki versions: Apply the workaround described below
   * Disable include by URL (recommended for public TWiki sites):
      * Apply the hotfix described below
      * Upgrade to TWiki 4.0.2 (to be released in a few days) - the configure script has a new {INCLUDE}{AllowURLs} flag that is turned off by default
   * Filter access to the web server:
      * Use the web server software to restrict access to the web pages served by TWiki

---++ Authors and Credits

   * Credit to Kenneth Lavrsen for disclosing the issue to the twi...@li... mailing list and for providing the workaround
   * Crawford Currie for providing a fix in TWiki 4.0.2
   * Peter Thoeny for contributing to the advisory

---++ Workaround for all TWiki Versions

TWiki does not identify itself as a browser when including a URL. This fact can be used to deny TWiki access to TWiki pages by URL, thus preventing the infinite recursion.
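The following Python model is added here and is not part of the advisory or of TWiki's Perl code. It shows why the existing guard for includes by topic name does not stop an include by URL (every URL fetch is a fresh request to the server, rendered with an empty include stack), and how both the hotfix (URL includes disabled) and the workaround (the web server refusing fetches that carry no browser identification) break the loop. The topic texts, the URL, the request budget that stands in for the server exhausting its memory, and the class and function names are all constructed for this example.

```python
import re

# Constructed model of TWiki INCLUDE expansion; not the project's Perl code.
INCLUDE_RE = re.compile(r'%INCLUDE\{"([^"]+)"\}%')
BOMB_URL = "http://wiki.example.com/cgi-bin/view/Sandbox/BombSite"
REQUEST_BUDGET = 25  # assumed cap standing in for the server exhausting memory
TOPICS = {  # constructed Sandbox topics: a self-include by URL and one by name
    "Sandbox.BombSite": 'Boom: %INCLUDE{"' + BOMB_URL + '"}%',
    "Sandbox.SelfByName": 'Safe: %INCLUDE{"Sandbox.SelfByName"}%',
}

class TooManyRequests(Exception): pass

class WikiServer:
    def __init__(self, topics, allow_urls=True, deny_empty_user_agent=False):
        self.topics = topics                        # topic name -> raw text
        self.allow_urls = allow_urls                # False: hotfix / {INCLUDE}{AllowURLs}
        self.deny_empty_ua = deny_empty_user_agent  # True: the Apache workaround
        self.requests = 0

    def http_get(self, url, user_agent=""):
        """A request at the web server; each one renders with a fresh include stack."""
        if self.deny_empty_ua and user_agent == "":
            return 403, "Forbidden"                 # BrowserMatchNoCase ^$ anonymous_spider
        self.requests += 1
        if self.requests > REQUEST_BUDGET:
            raise TooManyRequests(f"{self.requests} requests for {url}")
        topic = url.rsplit("/view/", 1)[1].replace("/", ".")
        return 200, self.render(topic)

    def render(self, topic, stack=()):
        if topic in stack:                          # guard TWiki has for includes by name
            return f"%RED% Recursive include of {topic} blocked %ENDCOLOR%"
        def expand(match):
            target = match.group(1)
            if not target.startswith(("http://", "https://")):
                return self.render(target, stack + (topic,))
            if not self.allow_urls:
                return "%RED% Include of URL is disabled %ENDCOLOR%"
            status, body = self.http_get(target)    # TWiki sends no User-Agent
            return body if status == 200 else f"%RED% Include failed: {status} %ENDCOLOR%"
        return INCLUDE_RE.sub(expand, self.topics.get(topic, ""))

def simulate(**settings):
    # A browser views BombSite; returns ('ok', page) or ('dos', request count).
    server = WikiServer(TOPICS, **settings)
    try:
        return "ok", server.http_get(BOMB_URL, user_agent="Mozilla/5.0")[1]
    except TooManyRequests:
        return "dos", server.requests
```

With the defaults the server keeps fetching its own page until the budget is exceeded; with allow_urls=False or deny_empty_user_agent=True the page renders with a red error marker and a single request.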
In Apache's httpd.conf, set an anonymous_spider environment variable if the browser identification is empty. In the Directory setting of TWiki's bin directory, deny anonymous_spider from accessing content. Example:

   BrowserMatchNoCase ^$ anonymous_spider
   <Directory "/var/www/twiki/bin">
      AllowOverride All
      Options ExecCGI
      Order Allow,Deny
      Allow from all
      Deny from env=anonymous_spider
   </Directory>

Note: In case there is a Files section with "allow from all" in the Directory section, it needs to be removed because it would overrule the Deny setting. Example Files section to remove:

   <Files "*">
      allow from all
   </Files>

---++ Hotfix

This hotfix disables includes by URL. This is recommended for public TWiki sites even though it reduces the functionality of TWiki.

---+++ Hotfix for TWiki 4.0.0 and TWiki 4.0.1

In file twiki/lib/TWiki.pm, find sub _includeUrl. Add a return at the very beginning as indicated below:

   # Fetch content from a URL for inclusion by an INCLUDE
   sub _includeUrl {
       my( $this, $theUrl, $thePattern, $theWeb, $theTopic ) = @_;

       # Fix for Codev.SecurityAdvisoryDosAttackWithInclude
       return "%RED% Include of URL is disabled %ENDCOLOR%";

       my $text = '';
       my $host = '';
       my $port = 80;
       my $path = '';
       my $user = '';
       my $pass = '';

---+++ Hotfix for earlier TWiki Releases

Apply the above mentioned fix to sub handleIncludeUrl located in file twiki/lib/TWiki.pm

---++ Action Plan with Timeline

| *Action* | *Date/ Deadline* | *Status* | *Who* |
| Developer discloses issue to TWikiSecurityMailingList | 2006-03-22 | Done | KennethLavrsen |
| Security team verifies issue | 2006-03-23 | Done | CrawfordCurrie, PeterThoeny |
| Developer creates a fix for TWiki 4.0 | 2006-03-23 | Done | CrawfordCurrie |
| Developer proposes workaround | 2006-03-23 | Done | KennethLavrsen |
| Security team verifies workaround | 2006-03-24 | Done | PeterThoeny |
| Developer creates a hotfix for TWiki 4.0 | 2006-03-24 | Done | PeterThoeny |
| Send alert to TWikiAnnounceMailingList and TWikiDevMailingList | 2006-03-24 | Pending | PeterThoeny |
| Publish advisory in Codev web and update all related topics | 2006-03-24 | Pending | PeterThoeny |
| Issue a public security advisory | 2006-03-24 | Pending | PeterThoeny |

__Note:__ A silent alert was not done because the vulnerability was already made public in TWikiIRC on 2006-03-22

---++ External Links

   * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1387

-- Contributors: KennethLavrsen, PeterThoeny, CrawfordCurrie - 24 Mar 2006

[1]: http://twiki.org/cgi-bin/view/Codev/SecurityAdvisoryDosAttackWithInclude
     Important Note: Please do not create the above topic until publicly announced
[2]: http://twiki.org/cgi-bin/view/Codev/SecurityTeam
[3]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess

-- 
   * Peter Thoeny Peter@Thoeny.org
   * Is your team already TWiki enabled? http://TWiki.org
   * This e-mail is: (x) public (_) ask first (_) private