[TWiki-Announce] TWiki Security Alert: Arbitrary Code Execution in Configure Script (CVE-2008-3195)

[TWiki a. - r. s. a. n. \(l. volume\) <twi...@li...>]

Dear TWiki administrator,

This advisory alerts you of a potential security issue with your
TWiki installation: Remote attackers are able to execute arbitrary
commands on the TWiki server in case the configure script is not
access restricted -- please read the details below to find out if
you are vulnerable.

NOTE: An uncoordinated public announcement (not following our
security alert process) has been done already, e.g. it is advisable
to check your installation as soon as possible.

    * Vulnerable Software Version
    * Attack Vectors
    * Impact
    * Severity Level
    * MITRE Name for this Vulnerability
    * Details
    * Countermeasures
    * Hotfix for TWiki 4.x
    * Hotfix for older TWiki versions
    * Authors and Credits
    * Action Plan with Timeline
    * Feedback
    * External Links


---++ Vulnerable Software Version

    * TWikiRelease04x01x00  -- TWiki-4.2.2.zip
    * TWikiRelease04x01x00  -- TWiki-4.2.1.zip
    * TWikiRelease04x01x00  -- TWiki-4.2.0.zip
    * TWikiRelease04x01x00  -- TWiki-4.1.2.zip
    * TWikiRelease04x01x00  -- TWiki-4.1.1.zip
    * TWikiRelease04x01x00  -- TWiki-4.1.0.zip
    * TWikiRelease04x00x05  -- TWiki-4.0.5.zip
    * TWikiRelease04x00x04  -- TWiki-4.0.4.zip
    * TWikiRelease04x00x03  -- TWiki-4.0.3.zip
    * TWikiRelease04x00x02  -- TWiki-4.0.2.zip
    * TWikiRelease04x00x01  -- TWiki-4.0.1.zip
    * TWikiRelease04x00x00  -- TWiki-4.0.0.zip


---++ Attack Vectors

To exploit the bug, you just need set the "image" variable to the
path of file you wish to view. The file will be revealed if the
webserver has permission to view it.

For example, to show the "/etc/passwd" file content, go to:
http://www.examplo.org/twiki/bin/configure?
action=image;image=../../../../../../etc/passwd;type=text/plain


---++ Impact

Under the assumption that an intruder has access to the configure
script, it is possible to view and execute files with the
privileges of the web server process, such as user nobody.


---++ Severity Level

The TWiki SecurityTeam [2] triaged this issue as documented in
TWikiSecurityAlertProcess [3] and assigned the following severity
level:

    * Severity 1 issue: The web server can be compromised


---++ MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the
name CVE-2008-3195 [4] to this vulnerability.


---++ Details

Your site may be vulnerable if:

    1. You run one of the vulnerable TWiki versions, and
    2. you have not secured your configure script as per the
       TWiki.TWikiInstallationGuide [6]


---++ Countermeasures

    * Restrict access to the configure script (recommended)
    * Upgrade to TWikiRelease04x02x03 -- TWiki-4.2.3.zip (recommended)
    * Apply a hotfix indicated below.


---++ Hotfix for TWiki 4.x

The exploit is in the =configure= script and so can be resolved by
replacing the file in you twiki/bin directory with the configure
script attached to the TWikiRelease04x02x03 [7] topic.

---++ Hotfix for older TWiki versions

Countermeasures
    * Secure your configure as per section 8 of
      TWiki.TWikiInstallationGuide [6]
    * upgrade to TWikiRelease04x02x03 [7]
    * apply the appropriate hotfix attached to
      SecurityAlert-CVE-2008-3195 [1] :
       * The hotfix for TWiki 4.0.x configure script - copy over
         the existing script in your twiki/bin dir.
       * The hotfix for TWiki 4.1.x configure script - copy over
         the existing script in your twiki/bin dir.
       * The hotfix for TWiki 4.2.x configure script - copy over
         the existing script in your twiki/bin dir.


---++ Authors and Credits

    * Credit to Sven, Vicki, David, Michael for disclosing the
      issue to the twiki-security mailing list
    * Colas, Crawford, Sven for creating the hotfix
    * Sven for creating the uncoordinated advisory


---++ Action Plan with Timeline

    * 2008-08-05 (severity 3 bug), 2008-09-03 (for severity 1
      variation) : User discloses vulnerability to twiki-security
    * 2008-08-05 to 2008-09-11: Developer verifies issue
    * 2008-09-12: Developer fixes code and creates hotfix
    * 2008-09-12: Security team creates advisory
    * 2008-09-20: Send alert to TWikiAnnounceMailingList and
      TWikiDevMailingList
    * 2008-09-12: Publish advisory in Codev web and update all
      related topics
    * 2008-09-20: Issue a public security advisory


---++ Feedback

Please provide feedback at the security alert topic [1],
http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2008-3195


---++ External Links

[1]: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2008-3195
[2]: http://twiki.org/cgi-bin/view/Codev/SecurityTeam
[3]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess
[4]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3195
[5]: http://twiki.org/cgi-bin/view/Codev/DownloadTWiki
[6]: http://twiki.org/cgi-bin/view/TWiki/TWikiInstallationGuide
[7]: http://twiki.org/cgi-bin/view/Codev/TWikiRelease04x02x03

-- __Contributors:__ Main.SvenDowideit


-- 
   * Peter Thoeny, CTO - pet...@tw...
   * http://twiki.net  - TWIKI.NET - the Enterprise Wiki
   * http://twiki.org  - is your team already TWiki enabled?
   * Knowledge cannot be managed, it can be discovered and shared
   * This e-mail is:   (_) private    (_) ask first    (x) public