From: TWiki a. - r. s. a. n. (l. volume) <twi...@li...> - 2009-04-28 00:22:17
Dear TWiki administrator,

This is an addendum to the internal advisory sent out earlier today. It contains important information if your user base is creating TWiki applications. You can ignore it if not.

---++ Implications for TWiki Content and TWiki Applications

This fix makes TWiki more secure, but you need to be aware of some implications with regard to TWiki applications. Because it is no longer possible to use HTTP GET to save or update page content, you must specify method="post" in HTML forms pointing to the save script, and you can no longer use HTML links or TWiki links that point to the save script. It is recommended to search and fix your TWiki content for HTML forms, HTML links and TWiki links that point to the save script.

1. Fix HTML Forms Pointing to the Save Script:

HTML forms must specify method="post", or users won't be able to save content. Example:

   <form action="%SCRIPTURLPATH{"save"}%/%WEB%/%TOPIC%" method="post">
   .....
   </form>

2. Fix HTML Links and TWiki Links Pointing to the Save Script:

HTML links and TWiki links pointing to the save script no longer work. You must convert them into an HTML form. Example: Link that updates a TWiki form field called "Reviewed".

No longer working TWiki link format:

   [[%SCRIPTURLPATH{"save"}%/%WEB%/%TOPIC%?Reviewed=%SERVERTIME{$year-$mo-$day}%][Reviewed today!]]

Equivalent non-functional HTML link format:

   <a href="%SCRIPTURLPATH{"save"}%/%WEB%/%TOPIC%?Reviewed=%SERVERTIME{$year-$mo-$day}%">Reviewed today!</a>

Change these links to this HTML form:

   <form action="%SCRIPTURLPATH{"save"}%/%WEB%/%TOPIC%" method="post">
   <input type="hidden" name="Reviewed" value="%SERVERTIME{$year-$mo-$day}%" />
   <input type="submit" class="twikiSubmit" value="Reviewed today!" />
   </form>

Regards, Peter

Begin forwarded message:
> From: Peter Thoeny <pet...@tw...>
> Date: April 27, 2009 12:41:32 PM PDT
> To: TWiki-Announce <twi...@li...>, TWiki-Dev for developers <twi...@li...>
> Cc: TWiki security <twi...@li...>
> Subject: TWiki Security Alert CVE-2009-1339: CSRF Vulnerability with Image Tag
>
> Dear TWiki administrator,
>
> This advisory alerts you of a security issue with your TWiki installation: A remote user may gain TWiki admin privileges with a specially crafted image tag.
>
> IMPORTANT: Please do not publicly announce until 2009-04-29, but feel free to forward this message to fellow TWiki administrators. We will issue a public advisory on Wed, 2009-04-29.
>
>    * Vulnerable Software Version
>    * Attack Vectors
>    * Impact
>    * Severity Level
>    * MITRE Name for this Vulnerability
>    * Details
>    * Countermeasures
>    * Comprehensive Hotfix for TWiki Production Release 4.2.x and 4.3.0
>    * Minimal Hotfix for TWiki Production Releases
>    * Authors and Credits
>    * Action Plan with Timeline
>    * Feedback
>    * External Links
>
> ---++ Vulnerable Software Version
>
>    * TWikiRelease04x03x00 -- TWiki-4.3.0.zip
>    * TWikiRelease04x02x04 -- TWiki-4.2.4.zip
>    * TWikiRelease04x02x03 -- TWiki-4.2.3.zip
>    * TWikiRelease04x02x02 -- TWiki-4.2.2.zip
>    * TWikiRelease04x02x01 -- TWiki-4.2.1.zip
>    * TWikiRelease04x02x00 -- TWiki-4.2.0.zip
>    * TWikiRelease04x01x02 -- TWiki-4.1.2.zip
>    * TWikiRelease04x01x01 -- TWiki-4.1.1.zip
>    * TWikiRelease04x01x00 -- TWiki-4.1.0.zip
>    * TWikiRelease04x00x05 -- TWiki-4.0.5.zip
>    * TWikiRelease04x00x04 -- TWiki-4.0.4.zip
>    * TWikiRelease04x00x03 -- TWiki-4.0.3.zip
>    * TWikiRelease04x00x02 -- TWiki-4.0.2.zip
>    * TWikiRelease04x00x01 -- TWiki-4.0.1.zip
>    * TWikiRelease04x00x00 -- TWiki-4.0.0.zip
>    * and older versions
>
> ---++ Attack Vectors
>
> Attack can be done by editing wiki pages and by issuing HTTP GET requests towards the TWiki server (usually port 80/TCP). Typically, prior authentication is necessary (including anonymous TWikiGuest accounts).
> The vulnerability exists because TWiki allows HTTP GET to save pages, which opens up CSRF (Cross-site request forgery) attacks.
>
> ---++ Impact
>
> An image tag can be crafted that, when viewed, updates pages with the attacker's content in TWiki as the viewing user, including members of the TWikiAdminGroup. This can be used to gain administrator privileges, change access permissions and do other things.
>
> ---++ Severity Level
>
> The TWiki SecurityTeam triaged this issue as documented in TWikiSecurityAlertProcess [1] and assigned the following severity level:
>
>    * Severity 2 issue: The TWiki installation is compromised
>
> ---++ MITRE Name for this Vulnerability
>
> The Common Vulnerabilities and Exposures project has assigned the name CVE-2009-1339 to this vulnerability, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1339
>
> ---++ Details
>
> When a malicious user embeds an img tag in a TWiki page that points to a TWiki script (such as the save script) instead of an image URL, the script is executed each time a user looks at that TWiki page, as the user viewing the page.
>
> Example:
>
> 1. Edit a page and add this image tag:
>
>    <img alt="" src="%SCRIPTURLPATH{save}%/Sandbox/TestTopic?text=Did+I+really+update+this+page!" />
>
> 2. Ask another user to view the page with this image tag. The Sandbox.TestTopic page is now updated by that user with the text "Did I really update this page!".
>
> ---++ Countermeasures
>
>    * Apply the comprehensive hotfix or the minimal hotfix (see patch below).
>    * Upgrade to the latest patched production TWiki-4.3.1, TWikiRelease04x03x01 [2] (to be released around 2009-04-30)
>    * Use the web server software to restrict access to the web pages served by TWiki.
>
> ---++ Comprehensive Hotfix for TWiki Production Release 4.2.x and 4.3.0
>
> It is recommended to upgrade to the latest TWiki-4.3.1, which will be made available in the next few days.
> In the meantime we provide a comprehensive hotfix for TWiki-4.2.x and 4.3.0 only, containing all patched files to fix this CSRF vulnerability. The patch prevents any content update via HTTP GET. The following scripts are protected: manage (critical actions only), register, rename, rest (critical actions only), save, upload.
>
> Affected files:
>
>    * twiki/lib/TWiki/Plugins/EditTablePlugin.pm
>    * twiki/lib/TWiki/Plugins/EditTablePlugin/Core.pm
>    * twiki/lib/TWiki/Plugins/PreferencesPlugin.pm
>    * twiki/lib/TWiki/Plugins/WysiwygPlugin.pm
>    * twiki/lib/TWiki/UI.pm
>    * twiki/lib/TWiki/UI/Manage.pm
>    * twiki/lib/TWiki/UI/Register.pm
>    * twiki/lib/TWiki/UI/Save.pm
>    * twiki/lib/TWiki/UI/Upload.pm
>    * twiki/templates/messages.tmpl
>    * twiki/templates/oopsmore.tmpl
>    * twiki/templates/registerconfirm.tmpl
>
> Download the comprehensive hotfix for TWiki-4.2.x and 4.3.0 from:
> http://twiki.org/p/pub/Codev/SecurityAlert-CVE-2009-1339/TWiki-4.3.0-c-hotfix-cve-2009-1339.zip
>
> Back up the twiki/lib and twiki/templates directories before applying the hotfix. To apply the hotfix, unpack the zip file over your twiki root directory on the TWiki server. Fix file ownership to match existing files.
>
> ---++ Minimal Hotfix for TWiki Production Releases
>
> It is recommended to upgrade to the latest TWiki version, or to apply the comprehensive hotfix above. If an immediate upgrade is not feasible you can apply this minimal patch for TWiki Production Release 4.2.x and 4.3.0. There is no hotfix for older releases; take the minimal hotfix as a guideline (line numbers may vary).
>
> The minimal hotfix protects your TWiki installation with an Apache configuration setting instead of the scripts protecting themselves as in the comprehensive fix.
>
> Known issue of the minimal hotfix: A save operation after login may fail the first time when template-login is used.
>
> Affected files:
>
>    * /etc/httpd/conf.d/twiki.conf (location of Apache configuration file may vary)
>    * twiki/templates/messages.tmpl
>    * twiki/templates/oopsmore.tmpl
>    * twiki/templates/registerconfirm.tmpl
>
> 1. Patch /etc/httpd/conf.d/twiki.conf:
>
> Within the <Directory "/var/www/twiki/bin"> directive, protect the save, register and upload scripts to require the POST method by adding the following directives just above the <FilesMatch "^(configure).*$"> directive:
>
> --8<------8<------8<------8<------8<------8<------8<------8<--
> # protect against cross-site request forgery
> <FilesMatch "^(save|register|upload).*">
>     <LimitExcept POST>
>         Deny From all
>     </LimitExcept>
> </FilesMatch>
> --8<------8<------8<------8<------8<------8<------8<------8<--
>
> Don't forget to restart your browser. If you have a working .htaccess file in the twiki/bin directory, make the changes there instead.
>
> 2. Patch twiki/templates/messages.tmpl:
>
> --8<------8<------8<------8<------8<------8<------8<------8<--
> --- messages.tmpl.save
> +++ messages.tmpl
> @@ -193,10 +193,10 @@ > > %MAKETEXT{"Your activation code has been sent to [_1]. Either click > on the link in your e-mail or enter the code in the box below to > activate your membership. (This code is of the form > \"YourName.xxxxxxxxxx\")" args="%PARAM1%"}% > > -<form action="%SCRIPTURLPATH{"register"}%"> > +<form action="%SCRIPTURLPATH{"register"}%" method="post"> > <input type="hidden" name="action" value="verify" size="20" /> > -<input type="text" name="code" size="20" /> > -<input type="submit" class="twikiSubmit" value=' %MAKETEXT{"Submit"} > % ' /> > +<input type="text" name="code" value="%URLPARAM{ "code" > encode="entity" }%" size="20" /> > +<input type="submit" class="twikiSubmit" value=' %MAKETEXT{"Confirm > registration"}% ' /> > </form> > --8<------8<------8<------8<------8<------8<------8<------8<-- > > 3. Patch twiki/templates/oopsmore.tmpl: > > --8<------8<------8<------8<------8<------8<------8<------8<-- > --- oopsmore.tmpl.save > +++ oopsmore.tmpl 
> @@ -45,7 +45,8 @@ > > %TMPL:DEF{"setparent"}%#SetParent > ---++ %MAKETEXT{"Set new topic parent"}% > -<form name="main" action="%SCRIPTURLPATH{"save"}%/%WEB%/%TOPIC%? > action_save=1"> > +<form name="main" action="%SCRIPTURLPATH{"save"}%/%WEB%/%TOPIC%" > method="post"> > +<input type='hidden' name='action_save' value='1' /> > <div class="twikiFormSteps"> > <div class="twikiFormStep"> > ---++!! %MAKETEXT{"Current parent:"}% %IF{"'NONE%SEARCH{ "^%TOPIC%$" > scope="topic" regex="on" nosearch="on" nototal="on" > format="$parent" }%'='NONE'" then="(none)" else='%SEARCH{ "^%TOPIC% > $" scope="topic" regex="on" nosearch="on" nototal="on" > format="[[$web.$parent][$parent]]" }%' }% > --8<------8<------8<------8<------8<------8<------8<------8<-- > > 4. Patch twiki/templates/registerconfirm.tmpl: > > In twiki/templates/registerconfirm.tmpl, replace the link to the > register script: > > %SCRIPTURL{"register"}%?action=verify;code=%VERIFICATIONCODE% > > With this link: > > %SCRIPTURL{"oops"}%/%USERSWEB%/%HOMETOPIC%? > template=oopsattention;def=confirm; > code=%VERIFICATIONCODE%;param1=%EMAILADDRESS% > > NOTE: Newlines added above for clarity; all three lines need to be > merged into one. Patch for twiki/templates/registerconfirm.tmpl: > > --8<------8<------8<------8<------8<------8<------8<------8<-- > --- registerconfirm.tmpl.save > +++ registerconfirm.tmpl 
> @@ -8,7 +8,7 @@ > > %MAKETEXT{"Thank you for registering in the [_1] collaboration > platform. Your verification code is [_2]." args="%WIKITOOLNAME%, > %VERIFICATIONCODE%"}% > > -%MAKETEXT{"You now need to verify your e-mail address. You can do > so by entering [_1] in the form presented to you when this e-mail > was sent, or by visiting [_2]" args="'%VERIFICATIONCODE%', > %SCRIPTURL{"register"}%?action=verify;code=%VERIFICATIONCODE%"}% > +%MAKETEXT{"You now need to verify your e-mail address. You can do > so by entering [_1] in the form presented to you when this e-mail > was sent, or by visiting [_2]" args="'%VERIFICATIONCODE%', > %SCRIPTURL{"oops"}%/%USERSWEB%/%HOMETOPIC%? > template=oopsattention;def=confirm;code=%VERIFICATIONCODE%;param1= > %EMAILADDRESS%"}% > > %MAKETEXT{"Note:"}% > %MAKETEXT{"If you got this e-mail by mistake: Somebody ([_1], [_5]) > registered at the [_2] site using your mail address [_3]. Contact > [_4] if this is in error." args="%FIRSTLASTNAME%, %WIKITOOLNAME%, > %EMAILADDRESS%, %WIKIWEBMASTER%, %REMOTE_ADDR%"}% > --8<------8<------8<------8<------8<------8<------8<------8<-- > > > ---++ Authors and Credits > > * Credit to TWiki:Main/SteveMilner and Richard Monk of Red Hat > Infosec team for verifying the issue, for running tests and > scenarios with the exploit, and for disclosing the issue to the > twi...@li... mailing list [4]. > * TWiki:Main/PeterThoeny, TWiki:Main/SopanShewale for verifying > the issue. > * TWiki:Main/PeterThoeny, TWiki:Main/SopanShewale for contributing > to the fix, patch and advisory. 
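Review bot: in the messages.tmpl hunk, the relabelling of the submit button from "Submit" to "Confirm registration" in the last `+` line is a UI change unrelated to the CSRF fix; keep the hotfix to the two security-relevant edits (`method="post"` on the form and the pre-filled `code` field) so that administrators diffing against locally customised templates see only what the advisory requires. The pre-fill `value="%URLPARAM{ "code" encode="entity" }%"` is correct for a double-quoted attribute, but it deserves a template comment saying that `code` now arrives on the URL of the oopsattention page (see the registerconfirm.tmpl hunk) and is only ever consumed by this POST form, otherwise a later edit may "simplify" the encode parameter away.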
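Review bot: the oopsmore.tmpl hunk converts only the setparent form; any other `<form` in this template whose action is the save script will be blocked by the same `LimitExcept POST` rule unless it also carries `method="post"`, so grep the whole template (and the other shipped templates) for `<form` before publishing the hotfix. Minor: the new `<input type='hidden' name='action_save' value='1' />` uses single quotes where the surrounding template uses double quotes; match the file's style.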
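Review bot: in the registerconfirm.tmpl hunk, the new link embeds `param1=%EMAILADDRESS%` raw in the query string; an address containing `+` or `&` will be misparsed when the oops script decodes the URL, and the address now ends up in web server, proxy and browser-history logs next to the verification code (the code was already on the URL in the `-` line, so that part is not new). URL-encode both values before they go into the link, or pass only the code and have the confirm template obtain the address server-side.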
>
> ---++ Action Plan with Timeline
>
>    * 2008-04-15: User discloses issue to Codev.TWikiSecurityMailingList [4] (Steve 'Ashcrow' Milner)
>    * 2009-04-16: Developer verifies issue (Peter Thoeny)
>    * 2009-04-17 to 26: Developers fix code (Peter Thoeny, Sopan Shewale)
>    * 2009-04-26: Security team creates advisory with hotfix (Peter Thoeny)
>    * 2009-04-27: Send alert to TWikiAnnounceMailingList [5] and TWikiDevMailingList [6] (Peter Thoeny)
>    * 2009-04-29: Publish advisory in Codev web and update all related topics (Peter Thoeny)
>    * 2009-04-29: Issue a public security advisory to ful...@li..., vu...@se..., ce...@ce..., bu...@se..., vul...@vu... (Peter Thoeny)
>
> ---++ Feedback
>
> Please provide feedback at the security alert topic, http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2008-5305 (this topic will be created on Wed, 2009-04-29)
>
> Reply to this e-mail if you have any questions before Wednesday.
>
> ---++ External Links
>
> [1]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess
> [2]: http://twiki.org/cgi-bin/view/Codev/TWikiRelease04x03x01 (released around 2009-04-30)
> [3]: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2009-1339 (created on 2009-04-29)
> [4]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityMailingList
> [5]: http://twiki.org/cgi-bin/view/Codev/TWikiAnnounceMailingList
> [6]: http://twiki.org/cgi-bin/view/Codev/TWikiDevMailingList
> [7]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1339 - CVE on MITRE.org
>
> -- Main.PeterThoeny - 2009-04-27
>
> --
>    * Peter Thoeny, CTO - peter.thoeny.public[at]twiki.net
>    * http://twiki.net - TWIKI.NET - Enterprise Collaboration
>    * http://twiki.org - is your team already TWiki enabled?
>    * Knowledge cannot be managed, it can be discovered and shared
>    * This e-mail is: (_) private (x) ask first (_) public
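The addendum asks administrators to search their TWiki content for HTML forms, HTML links and TWiki links that drive the save script via GET and to convert the links into POST forms. The following is an added example of that search and rewrite; it is not TWiki code and not part of the advisory. It works on raw topic text (the format TWiki stores in data/<Web>/<Topic>.txt), the sample topic is constructed for the demonstration, and the generated form follows the shape given in the addendum. One assumption is deliberate: parameter values are copied verbatim into hidden inputs because they are normally TWiki macros, which TWiki expands before the browser parses the attribute, so percent-decoding or entity-encoding them here would corrupt the macro.

```python
"""Find GET-driven save forms/links in TWiki topic text and rewrite links as POST forms."""
import html
import re
from dataclasses import dataclass

# %SCRIPTURL{"save"}% or %SCRIPTURLPATH{save}%, quoted or not
SAVE_SCRIPT = re.compile(r'%SCRIPTURL(?:PATH)?\{\s*"?save"?\s*\}%')
FORM_TAG = re.compile(r'<form\b[^>]*>', re.IGNORECASE)
A_TAG = re.compile(r'<a\b[^>]*>', re.IGNORECASE)
TWIKI_LINK = re.compile(r'\[\[([^\]]+)\](?:\[([^\]]*)\])?\]')      # [[target][label]] or [[target]]
METHOD_ATTR = re.compile(r'\bmethod\s*=\s*["\']?(\w+)', re.IGNORECASE)


@dataclass
class Finding:
    line: int
    kind: str        # "form-not-post" | "html-link" | "twiki-link"
    snippet: str


def _line(text, pos):
    return text.count("\n", 0, pos) + 1


def scan_topic(text):
    """Report every form, HTML link and TWiki link that reaches the save script via GET."""
    findings = []
    for m in FORM_TAG.finditer(text):
        tag = m.group(0)
        # The action value itself contains quotes (%SCRIPTURLPATH{"save"}%), so a naive
        # action="..." parse stops early; match the macro anywhere inside the tag instead.
        if SAVE_SCRIPT.search(tag):
            meth = METHOD_ATTR.search(tag)
            if not meth or meth.group(1).lower() != "post":
                findings.append(Finding(_line(text, m.start()), "form-not-post", tag))
    for m in A_TAG.finditer(text):
        if SAVE_SCRIPT.search(m.group(0)):
            findings.append(Finding(_line(text, m.start()), "html-link", m.group(0)))
    for m in TWIKI_LINK.finditer(text):
        if SAVE_SCRIPT.search(m.group(1)):
            findings.append(Finding(_line(text, m.start()), "twiki-link", m.group(0)))
    return sorted(findings, key=lambda f: f.line)


def link_to_post_form(target, label="Submit"):
    """Turn 'save-URL?name=value;...' into the POST form the addendum prescribes."""
    action, _, query = target.partition("?")
    lines = [f'<form action="{action}" method="post">']
    # TWiki accepts both ; and & as separators. Values are copied verbatim (see lead-in);
    # a value that itself contains a double quote is wrapped in single quotes.
    for pair in filter(None, re.split(r"[;&]", query)):
        name, _, value = pair.partition("=")
        q = "'" if '"' in value else '"'
        lines.append(f'<input type="hidden" name="{name}" value={q}{value}{q} />')
    lines.append(f'<input type="submit" class="twikiSubmit" value="{html.escape(label)}" />')
    lines.append("</form>")
    return "\n".join(lines)


def rewrite_twiki_links(text):
    """Replace every TWiki link to the save script with its equivalent POST form."""
    def repl(m):
        target, label = m.group(1), m.group(2)
        if not SAVE_SCRIPT.search(target):
            return m.group(0)
        return link_to_post_form(target, label if label is not None else "Submit")
    return TWIKI_LINK.sub(repl, text)


# Constructed sample topic: one compliant form, one GET form, an HTML link, a TWiki link,
# and a harmless link to the view script that must not be flagged.
SAMPLE_TOPIC = """---+ Review tracker
<form action="%SCRIPTURLPATH{"save"}%/%WEB%/%TOPIC%" method="post">
<input type="submit" value="ok" />
</form>
<form name="main" action="%SCRIPTURLPATH{"save"}%/%WEB%/%TOPIC%?action_save=1">
</form>
<a href="%SCRIPTURLPATH{"save"}%/%WEB%/%TOPIC%?Reviewed=%SERVERTIME{$year-$mo-$day}%">Reviewed today!</a>
[[%SCRIPTURLPATH{"save"}%/%WEB%/%TOPIC%?Reviewed=%SERVERTIME{$year-$mo-$day}%][Reviewed today!]]
[[%SCRIPTURLPATH{"view"}%/%WEB%/WebHome][Home]]
"""

if __name__ == "__main__":
    for f in scan_topic(SAMPLE_TOPIC):
        print(f"line {f.line}: {f.kind}: {f.snippet}")
    print(rewrite_twiki_links(SAMPLE_TOPIC))
```

Run it over every data/*/*.txt file and fix what it reports by hand; the automatic rewrite is only offered for TWiki links, because HTML forms and anchors usually sit inside surrounding markup that needs a human to decide where the form belongs.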
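The Details and Countermeasures sections describe the attack (a GET to the save script riding on the viewer's session) and two fixes that both come down to "state-changing scripts accept POST only": the Apache `FilesMatch`/`LimitExcept POST` rule of the minimal hotfix, which covers save, register and upload, and the comprehensive hotfix, which also covers manage, rename and rest. The model below is an added example, not TWiki or Apache code, that plays the advisory's scenarios through such a gate. It goes one step beyond the advisory: a POST-only rule stops the `<img>` vector but not a cross-site auto-submitted POST form, so the model also shows a per-session token check, which is what closes that gap. The `validation_key` parameter name, the HMAC scheme, the session id and the secret are this example's assumptions; the rename scenario only shows what each rule matches, not whether a GET to rename was exploitable.

```python
"""Play the CVE-2009-1339 scenarios through a POST-only gate, with and without a CSRF token."""
import hashlib
import hmac
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Scripts the comprehensive hotfix lists as protected against GET updates.
STATE_CHANGING = {"manage", "register", "rename", "rest", "save", "upload"}
# Scripts matched by the minimal hotfix's  <FilesMatch "^(save|register|upload).*">.
APACHE_RULE = {"save", "register", "upload"}


@dataclass
class Request:
    method: str
    url: str                                  # e.g. /twiki/bin/save/Sandbox/TestTopic?text=...
    form: dict = field(default_factory=dict)  # POST body fields
    session: str = ""                         # session cookie; the browser attaches it automatically

    def script(self):
        # %SCRIPTURLPATH{save}% expands to <bin path>/save: the segment after "bin" names the script.
        parts = urlsplit(self.url).path.split("/")
        return parts[parts.index("bin") + 1] if "bin" in parts else ""

    def params(self):
        merged = {k: v[0] for k, v in parse_qs(urlsplit(self.url).query).items()}
        merged.update(self.form)
        return merged


def csrf_token(secret: bytes, session: str) -> str:
    """Per-session token (assumed scheme). A same-origin page can read it; a cross-site page cannot."""
    return hmac.new(secret, session.encode(), hashlib.sha256).hexdigest()


def gate(req: Request, protected=STATE_CHANGING, secret: bytes = None) -> int:
    """Status the gate produces. secret=None is the advisory's fix: POST-only (Apache's
    'Deny from all' answers 403). With a secret, a valid validation_key is required too."""
    if req.script() not in protected:
        return 200                              # view, edit, ... are not affected
    if req.method != "POST":
        return 403                              # the <img src="...save...?text=..."> GET dies here
    if secret is not None:
        sent = req.params().get("validation_key", "")
        if not hmac.compare_digest(sent, csrf_token(secret, req.session)):
            return 403                          # cross-site POST form: cookie present, token absent
    return 200


# Constructed scenarios. Every request carries the victim's session, exactly as the browser would.
VICTIM = "sess-7f3a"
SECRET = b"server-side-secret"
IMG_TAG_GET = Request("GET", "/twiki/bin/save/Sandbox/TestTopic?text=Did+I+really+update+this+page!",
                      session=VICTIM)
CROSS_SITE_POST = Request("POST", "/twiki/bin/save/Sandbox/TestTopic", {"text": "pwned"}, session=VICTIM)
LEGIT_POST = Request("POST", "/twiki/bin/save/Sandbox/TestTopic",
                     {"text": "real edit", "validation_key": csrf_token(SECRET, VICTIM)}, session=VICTIM)
RENAME_GET = Request("GET", "/twiki/bin/rename/Sandbox/TestTopic?newtopic=Gone", session=VICTIM)


def scenarios():
    return {
        "img_get_advisory": gate(IMG_TAG_GET),                       # blocked by either hotfix
        "cross_post_advisory": gate(CROSS_SITE_POST),                # still passes: POST-only is not enough
        "cross_post_token": gate(CROSS_SITE_POST, secret=SECRET),    # blocked once a token is required
        "legit_post_token": gate(LEGIT_POST, secret=SECRET),         # real same-origin edit still works
        "rename_get_minimal": gate(RENAME_GET, protected=APACHE_RULE),   # not matched by the Apache rule
        "rename_get_comprehensive": gate(RENAME_GET),                    # matched by the comprehensive fix
    }


if __name__ == "__main__":
    for name, status in scenarios().items():
        print(f"{name:26s} -> {status}")
```

The two results worth remembering are `cross_post_advisory` (200) and `rename_get_minimal` (200): the first is why a POST-only rule is a stop-gap rather than a CSRF fix, the second is why the advisory calls the Apache rule "minimal".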
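The Attack Vectors section says the attack arrives as HTTP GET requests to the TWiki server, which means an unpatched installation's access log already holds the evidence: a GET (or anything other than POST) for a state-changing script, typically with a Referer pointing at the view URL of the topic that carries the `<img>` tag. The triage below is an added example for that investigation, not part of the advisory; the combined-format log lines are constructed, and a status below 400 is taken to mean the save went through (a successful save redirects, so 302 appears), while 403 marks an attempt that the hotfix already blocked.

```python
"""Triage Apache combined-format access logs for GET-driven TWiki updates."""
import re
from collections import defaultdict

COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')
# Scripts the comprehensive hotfix protects against GET updates.
STATE_CHANGING = {"manage", "register", "rename", "rest", "save", "upload"}
SCRIPT_IN_PATH = re.compile(r'/bin/(?P<script>[a-z]+)(?:/|\?|$)')


def parse(line):
    m = COMBINED.match(line)
    return m.groupdict() if m else None


def suspicious(lines):
    """Every non-POST request for a state-changing script, oldest first, with a blocked flag."""
    hits = []
    for line in lines:
        rec = parse(line)
        if not rec:
            continue
        m = SCRIPT_IN_PATH.search(rec["target"])
        if not m or m.group("script") not in STATE_CHANGING or rec["method"] == "POST":
            continue
        rec["script"] = m.group("script")
        rec["blocked"] = int(rec["status"]) >= 400   # 403 from LimitExcept POST / Deny from all
        hits.append(rec)
    return hits


def likely_carrier_topics(hits):
    """Group hits by Referer: a view URL shared by several victims is the topic embedding the tag."""
    by_ref = defaultdict(set)
    for h in hits:
        by_ref[h["referer"]].add(h["user"])
    return dict(by_ref)


# Constructed log: a normal view, a legitimate POST save, two GET saves triggered from the
# same topic (one by an admin), and one GET save after the hotfix went in.
SAMPLE_LOG = [
    '10.0.0.5 - TWikiGuest [27/Apr/2009:12:01:03 -0700] "GET /twiki/bin/view/Main/WebHome HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - alice [27/Apr/2009:12:02:10 -0700] "POST /twiki/bin/save/Sandbox/TestTopic HTTP/1.1" 302 0 "http://wiki.example/twiki/bin/edit/Sandbox/TestTopic" "Mozilla/5.0"',
    '10.0.0.9 - bob [27/Apr/2009:12:05:44 -0700] "GET /twiki/bin/save/Sandbox/TestTopic?text=Did+I+really+update+this+page! HTTP/1.1" 302 0 "http://wiki.example/twiki/bin/view/Main/Lunch" "Mozilla/5.0"',
    '10.0.0.12 - admin1 [27/Apr/2009:12:06:01 -0700] "GET /twiki/bin/save/Main/TWikiAdminGroup?text=hello HTTP/1.1" 302 0 "http://wiki.example/twiki/bin/view/Main/Lunch" "Mozilla/5.0"',
    '10.0.0.9 - bob [27/Apr/2009:12:07:00 -0700] "GET /twiki/bin/save/Sandbox/TestTopic?text=x HTTP/1.1" 403 0 "http://wiki.example/twiki/bin/view/Main/Lunch" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = suspicious(SAMPLE_LOG)
    for h in hits:
        state = "blocked" if h["blocked"] else "SUCCEEDED"
        print(f'{h["ts"]} {h["user"]:8s} {h["method"]} {h["target"]} {state} referer={h["referer"]}')
    for ref, users in likely_carrier_topics(hits).items():
        print(f"probable carrier topic {ref} viewed by {sorted(users)}")
```

Any hit with `blocked == False` is a page revision written under someone else's name: check the topic's history for that timestamp and author and roll it back, and pay special attention to hits whose user is in the TWikiAdminGroup, since that is the escalation the Impact section describes. The carrier topic's own history then tells you who added the tag.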