From: TWiki a. - r. s. a. n. \(l. volume\) <twi...@li...> - 2008-09-21 01:26:35
|
Dear TWiki administrator, This advisory alerts you of a potential security issue with your TWiki installation: Remote attackers are able to execute arbitrary commands on the TWiki server in case the configure script is not access restricted -- please read the details below to find out if you are vulnerable. NOTE: An uncoordinated public announcement (not following our security alert process) has been done already, e.g. it is advisable to check your installation as soon as possible. * Vulnerable Software Version * Attack Vectors * Impact * Severity Level * MITRE Name for this Vulnerability * Details * Countermeasures * Hotfix for TWiki 4.x * Hotfix for older TWiki versions * Authors and Credits * Action Plan with Timeline * Feedback * External Links ---++ Vulnerable Software Version * TWikiRelease04x01x00 -- TWiki-4.2.2.zip * TWikiRelease04x01x00 -- TWiki-4.2.1.zip * TWikiRelease04x01x00 -- TWiki-4.2.0.zip * TWikiRelease04x01x00 -- TWiki-4.1.2.zip * TWikiRelease04x01x00 -- TWiki-4.1.1.zip * TWikiRelease04x01x00 -- TWiki-4.1.0.zip * TWikiRelease04x00x05 -- TWiki-4.0.5.zip * TWikiRelease04x00x04 -- TWiki-4.0.4.zip * TWikiRelease04x00x03 -- TWiki-4.0.3.zip * TWikiRelease04x00x02 -- TWiki-4.0.2.zip * TWikiRelease04x00x01 -- TWiki-4.0.1.zip * TWikiRelease04x00x00 -- TWiki-4.0.0.zip ---++ Attack Vectors To exploit the bug, you just need set the "image" variable to the path of file you wish to view. The file will be revealed if the webserver has permission to view it. For example, to show the "/etc/passwd" file content, go to: http://www.examplo.org/twiki/bin/configure? action=image;image=../../../../../../etc/passwd;type=text/plain ---++ Impact Under the assumption that an intruder has access to the configure script, it is possible to view and execute files with the privileges of the web server process, such as user nobody. ---++ Severity Level The TWiki SecurityTeam [2] triaged this issue as documented in TWikiSecurityAlertProcess [3] and assigned the following severity level: * Severity 1 issue: The web server can be compromised ---++ MITRE Name for this Vulnerability The Common Vulnerabilities and Exposures project has assigned the name CVE-2008-3195 [4] to this vulnerability. ---++ Details Your site may be vulnerable if: 1. You run one of the vulnerable TWiki versions, and 2. you have not secured your configure script as per the TWiki.TWikiInstallationGuide [6] ---++ Countermeasures * Restrict access to the configure script (recommended) * Upgrade to TWikiRelease04x02x03 -- TWiki-4.2.3.zip (recommended) * Apply a hotfix indicated below. ---++ Hotfix for TWiki 4.x The exploit is in the =configure= script and so can be resolved by replacing the file in you twiki/bin directory with the configure script attached to the TWikiRelease04x02x03 [7] topic. ---++ Hotfix for older TWiki versions Countermeasures * Secure your configure as per section 8 of TWiki.TWikiInstallationGuide [6] * upgrade to TWikiRelease04x02x03 [7] * apply the appropriate hotfix attached to SecurityAlert-CVE-2008-3195 [1] : * The hotfix for TWiki 4.0.x configure script - copy over the existing script in your twiki/bin dir. * The hotfix for TWiki 4.1.x configure script - copy over the existing script in your twiki/bin dir. * The hotfix for TWiki 4.2.x configure script - copy over the existing script in your twiki/bin dir. ---++ Authors and Credits * Credit to Sven, Vicki, David, Michael for disclosing the issue to the twiki-security mailing list * Colas, Crawford, Sven for creating the hotfix * Sven for creating the uncoordinated advisory ---++ Action Plan with Timeline * 2008-08-05 (severity 3 bug), 2008-09-03 (for severity 1 variation) : User discloses vulnerability to twiki-security * 2008-08-05 to 2008-09-11: Developer verifies issue * 2008-09-12: Developer fixes code and creates hotfix * 2008-09-12: Security team creates advisory * 2008-09-20: Send alert to TWikiAnnounceMailingList and TWikiDevMailingList * 2008-09-12: Publish advisory in Codev web and update all related topics * 2008-09-20: Issue a public security advisory ---++ Feedback Please provide feedback at the security alert topic [1], http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2008-3195 ---++ External Links [1]: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2008-3195 [2]: http://twiki.org/cgi-bin/view/Codev/SecurityTeam [3]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess [4]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3195 [5]: http://twiki.org/cgi-bin/view/Codev/DownloadTWiki [6]: http://twiki.org/cgi-bin/view/TWiki/TWikiInstallationGuide [7]: http://twiki.org/cgi-bin/view/Codev/TWikiRelease04x02x03 -- __Contributors:__ Main.SvenDowideit -- * Peter Thoeny, CTO - pet...@tw... * http://twiki.net - TWIKI.NET - the Enterprise Wiki * http://twiki.org - is your team already TWiki enabled? * Knowledge cannot be managed, it can be discovered and shared * This e-mail is: (_) private (_) ask first (x) public |