[FoRK] Fwd: TWiki Security Alert and TWiki Security E-mail List

Joseph S. Barrera III joe at barrera.org
Sun Nov 28 09:02:08 PST 2004


My twiki site was cracked a few days ago.
My ISP shut my account down (temporarily)
because they thought I personally was running a spam shop.

So for me, this warning came too late,
but hopefully it will be of some use to someone.

- Joe

-------- Original Message --------
Subject: 	TWiki Security Alert and TWiki Security E-mail List
Date: 	Sun, 28 Nov 2004 10:08:18 GMT
From: 	TWiki Security List <twiki-security at lists.sourceforge.net>
Reply-To: 	TWiki Announcement FeedBack
<twiki-announce-fbk at lists.sourceforge.net>
To: 	joe at barrera.org



Dear TWiki User,

We are emailing you about a high priority security vulnerability in
TWiki. Known TWiki site administrators have already been alerted, and
a public security advisory has been sent out. However, we did not reach
all administrators, and we now know that some public TWiki sites have
been cracked.

We are taking the unusual step of emailing a broader TWiki audience
to alert you and to announce an improved security alert process with a
mailing list. We will only be doing this once; all future security alerts
will be sent solely to those subscribed to the new opt-in mailing list.
You have received this mail because you:

   * are a registered user at TWiki.org, or
   * requested TWiki in the past and asked in the form to be
     notified of new releases, or
   * run a public TWiki site that Google could find

If you do not use TWiki, please ignore this email. If you don't
administer your TWiki site, or started a site now administered by
someone else, please pass it to the current TWiki site administrator.

Even if you have fixed this vulnerability, you are strongly recommended
to join the new low-volume security announcement email list for TWiki
at http://lists.sourceforge.net/lists/listinfo/twiki-announce

Since this vulnerability is publicly announced and is being actively
exploited, you are encouraged to post this to email lists that you
think may be relevant.  The alert has been sent out on some general
security email lists already, but without the TWiki security email
list information.

Table of Contents:

   * Summary
   * Vulnerable Software Versions
   * Attack Vectors
   * Impact
   * Details
   * Countermeasures
   * What to do if You Think You May Have Been Cracked
   * TWiki Announce And Security Email List
   * New TWiki Release
   * Authors And Credits
   * How To Contact Us
   * Hotfix

---++ Summary

TWiki's search feature allows arbitrary shell command execution - a web
server running TWiki can be compromised remotely.


---++ Vulnerable Software Versions

   * TWiki Production Release 01-Sep-2004 -- TWiki20040901.zip
   * TWiki Production Release 01-Feb-2003 -- TWiki20030201.zip
   * TWiki Production Release 01-Dec-2001 -- TWiki20011201.zip
   * TWiki Production Release 01-Dec-2000 -- TWiki20001201.zip
   * Subversion repository linked from
     http://twiki.org/cgi-bin/view/Codev/SubversionReadme
     (up to and including revision 3224, fixed in revision 3225)
   * All alpha and beta releases prior to 12 Nov 2004

---++ Attack Vectors

HTTP GET requests towards the Wiki server (typically port 80/TCP).
Usually, no prior authentication is necessary. Possibly also HTTP POST,
but this is untested.


---++ Impact

A remote attacker is able to execute arbitrary shell commands with the
privileges of the web server process, such as user nobody.


---++ Details

The TWiki search function uses a user-supplied search string to
compose a command line that is executed by the Perl backtick (``) operator.

The search string is not properly checked for shell metacharacters, so
a search string containing quotes and shell commands breaks out of the
intended argument and the embedded commands are run by the shell.

An example search string would be: "test_vulnerability '; ls -la'"

If access to TWiki is not restricted by other means, attackers can
use the search function without prior authentication.

More details can be found at
http://TWiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearch
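As an added illustration (this is not TWiki's code and not the hotfix at the end of this mail): a Perl sketch of the pattern the advisory describes, with the search string interpolated into a backtick command line, next to a version that never hands the string to a shell. The topic directory, the one-`*.txt`-per-topic layout and the egrep command line are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example, not TWiki's code. The topic directory layout (one *.txt
# file per topic under $topicDir) and the egrep command line are assumptions.
use strict;
use warnings;

my $egrepCmd = 'egrep';

# VULNERABLE PATTERN (defined for comparison, do not call): the user-supplied
# search string is interpolated into a command line that backticks hand to
# /bin/sh. The advisory's search string   test_vulnerability '; ls -la'
# closes the single quote, runs "ls -la", and reopens a quote so the rest of
# the command line stays syntactically valid.
sub search_vulnerable {
    my ($topicDir, $theSearchVal) = @_;
    my $cmd = "$egrepCmd -l -i -- '$theSearchVal' $topicDir/*.txt";
    return `$cmd`;
}

# HARDENED: list-form pipe open. Perl execs egrep directly with one argv
# element per argument, so no shell ever parses the search string; quotes,
# ';', backticks and '$(' are plain bytes inside a single argument. The '--'
# keeps a search string that starts with '-' from being read as an option.
sub search_hardened {
    my ($topicDir, $theSearchVal) = @_;
    opendir(my $dh, $topicDir) or die "opendir $topicDir: $!";
    my @files = grep { /\.txt\z/ } readdir $dh;
    closedir $dh;
    @files = map { "$topicDir/$_" } sort @files;
    return () unless @files;
    open(my $fh, '-|', $egrepCmd, '-l', '-i', '--', $theSearchVal, @files)
        or die "cannot run $egrepCmd: $!";
    my @hits = <$fh>;
    close $fh;   # a non-zero exit status here only means egrep found no match
    chomp @hits;
    return @hits;
}

my ($dir, $query) = @ARGV;
$dir   = '/var/www/twiki/data/Main' unless defined $dir;   # hypothetical path
$query = q{test_vulnerability '; ls -la'} unless defined $query;
print "$_\n" for search_hardened($dir, $query);
```

Run with the advisory's search string, the hardened version passes it to egrep as one argument: egrep compiles it as a (non-matching) regular expression and `ls` never runs. The string still reaches egrep as a pattern, which is a different and much smaller trust boundary than /bin/sh, and the `--` closes the remaining argument-level hole of a search string that begins with `-`.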


---++ Countermeasures

The main countermeasure is to apply the hotfix (see patches at end of
this e-mail).

Temporary countermeasures if hotfix cannot be applied immediately:

   * Filter access to the web server
   * Use the web server software to restrict access to the web pages
     served by TWiki
   * For sites accessible to search engines, use Google temporarily
     instead of normal searching, and remove execute permissions from
     the 'search' script. See details at
     http://twiki.org/cgi-bin/view/Codev/GoogleYourTWiki


---++ What to do if You Think You May Have Been Cracked

If your TWiki site is publicly accessible (on the Internet) there is
a risk that your site has been cracked. Visit

http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearchHackReports

to learn how other people detected intrusions and found cracking
attempts.

If your TWiki site was cracked and runs on Linux kernel 2.4, you should
also check for the installation of rootkits on your server - see
http://www.google.com/search?hl=en&q=rootkit+detect for some links,
e.g. http://www.chkrootkit.org/
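One place to start looking is the web server's access log, since the attack vector is a plain HTTP GET to the search script. The following is an added example, not part of the advisory or of TWiki: it scans access-log lines for requests to the search script whose search parameter carries shell metacharacters after URL-decoding. The log lines are constructed for the example, and the URL layout (/twiki/bin/search/<Web>/?search=...) is an assumption about the install.

```perl
#!/usr/bin/perl
# Added example, not from the advisory: flags access-log requests to the
# TWiki 'search' script whose search parameter carries shell metacharacters.
# The log lines are constructed for this example, and the URL layout
# (/twiki/bin/search/<Web>/?search=...) is an assumption about the install.
use strict;
use warnings;

my @sample_log = (
    '10.0.0.5 - - [20/Nov/2004:03:11:02 -0800] "GET /twiki/bin/search/Main/?search=WebHome HTTP/1.1" 200 4821',
    '10.0.0.5 - - [20/Nov/2004:03:11:40 -0800] "GET /twiki/bin/search/Main/?search=test_vulnerability+%27%3B+ls+-la%27 HTTP/1.1" 200 9120',
    '10.0.0.9 - - [20/Nov/2004:03:12:01 -0800] "GET /twiki/bin/search/Main/?scope=text&search=%60id%60 HTTP/1.0" 200 3304',
    '10.0.0.9 - - [20/Nov/2004:03:12:09 -0800] "GET /twiki/bin/search/Main/?search=x%24%28uname+-a%29 HTTP/1.0" 200 3304',
    '10.0.0.7 - - [20/Nov/2004:03:13:15 -0800] "GET /twiki/bin/view/Main/WebHome HTTP/1.1" 200 7711',
    '10.0.0.8 - - [20/Nov/2004:03:14:00 -0800] "POST /twiki/bin/search/Main/ HTTP/1.1" 200 5000',
);

sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Characters that matter once the string is interpolated into a /bin/sh
# command line: quote and backtick, command separators, and $( / @( expansion.
my $shell_meta = qr/['`;|&\n]|\$\(|\@\(/;

# Returns one arrayref [ip, timestamp, method, decoded search, note] per
# request that needs a human look.
sub suspicious_searches {
    my @flagged;
    for my $line (@_) {
        my ($ip, $ts, $method, $url) =
            $line =~ /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) HTTP\/[\d.]+"/ or next;
        next unless $url =~ m{/bin/search/[^?]*(?:\?(.*))?\z};
        my $qs = defined $1 ? $1 : '';
        if ($method eq 'POST') {
            # The body is not in the access log; the advisory lists POST as an
            # untested vector, so these need the request body to be cleared.
            push @flagged, [$ip, $ts, $method, '', 'POST to search: body not logged'];
            next;
        }
        my %param;
        for my $pair (split /&/, $qs) {
            my ($k, $v) = split /=/, $pair, 2;
            $param{$k} = url_decode(defined $v ? $v : '');
        }
        next unless defined $param{search};
        if ($param{search} =~ $shell_meta) {
            push @flagged, [$ip, $ts, $method, $param{search}, "shell metacharacter '$&'"];
        }
    }
    return @flagged;
}

for my $hit (suspicious_searches(@sample_log)) {
    my ($ip, $ts, $method, $search, $note) = @$hit;
    printf "%-10s %s %-4s %-40s %s\n", $ip, $ts, $method, $search, $note;
}
```

Feed it the real log (`perl scan.pl < access_log` after replacing `@sample_log` with `<STDIN>`) and follow each flagged IP through the rest of the log; a 200 response to a search containing a quote or `$(` is evidence of an attempt, not proof of success, so the next step is the HackReports page above and the file-system checks described there.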


---++ TWiki Announce And Security Email List

A new email list has been created to announce new TWiki releases and
to distribute security alerts quickly in the future. This low-volume
list is the best way to find out about and fix any future security
issues. It is highly recommended that TWiki site administrators sign
up to this now at http://lists.sourceforge.net/lists/listinfo/twiki-announce
- you can find more details at
http://twiki.org/cgi-bin/view/Codev/TWikiAnnounceMailingList

In addition, a TWiki security team has been created - any new
vulnerability should be reported to this team, which will ensure the
vulnerability is analysed, fixed, and patches + new releases distributed
as quickly as possible.  Please see details at
http://twiki.org/cgi-bin/view/Codev/SecurityTeam

Our security alert process is documented at
http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess


---++ New TWiki Release

The latest TWiki Production Release 02-Sep-2004, aka CairoRelease,
is available for download. It is a major release replacing version
01-Feb-2003 and is proof against this security hole. You can download
the new release from http://TWiki.org/download.html - however, you
can of course just patch your current release if you prefer.

Major changes since TWiki 01-Feb-2003 release:

   * Automatic upgrade script, and easier first-time installation
   * Attractive new skins, using a standard set of CSS classes, and
     a skin browser to help you choose
   * New easier-to-use save options
   * Many improvements to SEARCH
   * Improved support for internationalisation
   * Better topic management screens
   * More pre-installed Plugins: CommentPlugin, EditTablePlugin,
     RenderListPlugin, SlideShowPlugin, SmiliesPlugin,
     SpreadSheetPlugin, TablePlugin
   * Improved Plugins API and more Plugin callbacks
   * Better support for different authentication methods
   * Many user interface and usability improvements
   * And many, many more enhancements


---++ Authors And Credits

Martin Cleaver, Crawford Currie, Richard Donkin, Sven Dowideit, Markus
Goetz, Joerg Hoh, Michael Holzt, Florian Laws, Colas Nahaboo, Hans
Ulrich Niedermann, Andreas Thienemann, Peter Thoeny and Florian Weimer
all contributed to this advisory.


---++ How To Contact Us

Please do not reply to this e-mail. Please contact:

   * TWiki Announcement FeedBack <twiki-announce-fbk at lists.sourceforge.net>
     or Peter.Thoeny at attglobal.net if you have questions or concerns
     regarding this announcement
   * http://TWiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearch
     for feedback on this vulnerability
   * twiki-security at lists.sourceforge.net if you discovered a vulnerability
   * http://twiki.org/cgi-bin/view/Support if you have support questions
   * http://twiki.org/cgi-bin/view/Codev to get involved in the community
   * irc://irc.freenode.net/twiki for realtime communication with fellow
     TWiki users and administrators. Details at
     http://twiki.org/cgi-bin/view/Codev/TWikiIRC

Best regards,

TWiki Security Team

---++ Hotfix

----------------------------------------------------------------------------
Patch for twiki/lib/TWiki/Search.pm of TWiki Production Release 01-Sep-2004:
----------------------------------------------------------------------------

*** TWiki20040901/Search.pm  2004-11-12 11:54:47.000000000 -0800
--- ./Search.pm 2004-11-12 12:08:29.000000000 -0800
***************
*** 434,439 ****
--- 434,446 ----
      my $tempVal = "";
      my $tmpl = "";
      my $topicCount = 0; # JohnTalintyre
+
+     # fix for Codev.SecurityAlertExecuteCommandsWithSearch
+     # vulnerability, search: "test_vulnerability '; ls -la'"
+     $theSearchVal =~ s/(^|[^\\])([\'\`])/\\$2/g;    # Escape ' and `
+     $theSearchVal =~ s/[\@\$]\(/$1\\\(/g;           # Defuse @( ... ) 
and $(
... )
+     $theSearchVal = substr($theSearchVal, 0, 1500); # Limit string length
+
      my $originalSearch = $theSearchVal;
      my $renameTopic;
      my $renameWeb = "";
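Review bot: the replacement in the first substitution, s/(^|[^\\])([\'\`])/\\$2/g, leaves out $1, so the character the pattern captures in front of each quote is deleted rather than kept (a search for it's goes on as i\'s). Because that preceding character is also consumed by the match, two adjacent quotes are not both escaped: in a'' the first match eats a' and the second quote has nothing left to pair with, so it reaches the shell unescaped. Suggest a lookbehind that consumes only the quote, s/(?<!\\)([\'\`])/\\$1/g, which escapes every quote not already preceded by a backslash without touching its neighbour.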

----------------------------------------------------------------------------
Patch for twiki/lib/TWiki/Search.pm of TWiki Production Release 01-Feb-2003:
----------------------------------------------------------------------------

*** TWiki20030201/Search.pm     2004-11-12 12:11:52.000000000 -0800
--- ./Search.pm 2004-11-12 12:12:20.000000000 -0800
***************
*** 135,140 ****
--- 135,147 ----
      my $tempVal = "";
      my $tmpl = "";
      my $topicCount = 0; # JohnTalintyre
+
+     # fix for Codev.SecurityAlertExecuteCommandsWithSearch
+     # vulnerability, search: "test_vulnerability '; ls -la'"
+     $theSearchVal =~ s/(^|[^\\])([\'\`])/\\$2/g;    # Escape ' and `
+     $theSearchVal =~ s/[\@\$]\(/$1\\\(/g;           # Defuse @( ... ) 
and $(
... )
+     $theSearchVal = substr($theSearchVal, 0, 1500); # Limit string length
+
      my $originalSearch = $theSearchVal;
      my $renameTopic;
      my $renameWeb = "";
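Review bot: the second substitution, s/[\@\$]\(/$1\\\(/g, uses $1 in its replacement but has no capturing group, so $1 is undefined there (and warns under use warnings): "$(" and "@(" collapse to "\(", deleting the $ or @ instead of escaping the parenthesis after it. The intent reads as s/([\@\$])\(/$1\\\(/g, with the character class captured so it is re-emitted in front of the escaped parenthesis.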

----------------------------------------------------------------------------
Patch for twiki/lib/TWiki/Search.pm of TWiki Production Release 01-Dec-2001:
----------------------------------------------------------------------------

*** TWiki20011201/Search.pm     2004-11-12 12:15:55.000000000 -0800
--- ./Search.pm 2004-11-12 12:16:45.000000000 -0800
***************
*** 133,138 ****
--- 133,145 ----
      my $tempVal = "";
      my $tmpl = "";
      my $topicCount = 0; # JohnTalintyre
+
+     # fix for Codev.SecurityAlertExecuteCommandsWithSearch
+     # vulnerability, search: "test_vulnerability '; ls -la'"
+     $theSearchVal =~ s/(^|[^\\])([\'\`])/\\$2/g;    # Escape ' and `
+     $theSearchVal =~ s/[\@\$]\(/$1\\\(/g;           # Defuse @( ... ) 
and $(
... )
+     $theSearchVal = substr($theSearchVal, 0, 1500); # Limit string length
+
      my $originalSearch = $theSearchVal;
      my $renameTopic;
      my $renameWeb = "";
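Review bot: the substr($theSearchVal, 0, 1500) cut is applied after the two escaping substitutions, so the length limit can split an escape pair: when a backslash inserted by the first substitution lands at offset 1499, the quote it protects is dropped and the string ends in a bare backslash, which then escapes whatever the caller appends next (such as the closing quote of the command line). Apply the length limit first, then escape.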

--------------------------------------------------------------------------
Patch for twiki/bin/wikisearch.pm of TWiki Production Release 01-Dec-2000:
--------------------------------------------------------------------------

*** TWiki20001201/wikisearch.pm 2004-11-12 12:18:55.000000000 -0800
--- ./wikisearch.pm     2004-11-12 12:23:07.000000000 -0800
***************
*** 117,122 ****
--- 117,129 ----

      my $tempVal = "";
      my $tmpl = "";
+
+     # fix for Codev.SecurityAlertExecuteCommandsWithSearch
+     # vulnerability, search: "test_vulnerability '; ls -la'"
+     $theSearchVal =~ s/(^|[^\\])([\'\`])/\\$2/g;    # Escape ' and `
+     $theSearchVal =~ s/[\@\$]\(/$1\\\(/g;           # Defuse @( ... ) 
and $(
... )
+     $theSearchVal = substr($theSearchVal, 0, 1500); # Limit string length
+
      if( $doBookView ) {
          $tmpl = readTemplate( "searchbookview" );
      } else {
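Review bot: the (^|[^\\]) guard in the first substitution exempts any quote already preceded by a backslash, and that includes backslashes the user supplied, so an input of two backslashes followed by a quote passes through unchanged; escaping should be unconditional (escape backslashes as well as quotes) rather than trusting input that looks pre-escaped. More generally, these substitutions only neutralise the characters they enumerate (' ` $( @(); since the underlying defect is that the search string is spliced into a /bin/sh command line at all, the durable fix for this release, as for the others, is to run the search command through a list-form open or system so that no shell parses the string.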

------------------------------------------------------------------------
End patches
------------------------------------------------------------------------