This advisory alerts you of a potential security issue with your
TWiki installation: The TWiki history function allows arbitrary
shell command execution. The permanent place for this advisory is
http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithRev .
Please see updates and follow-up on that topic.
If you do not use TWiki, please ignore this e-mail. If you don't
administer your TWiki site, or started a site now administered by
someone else, please pass it to the current TWiki site administrator.
Table of Contents:
—++ Vulnerable Software Version
Not affected are:
—++ Attack Vectors
HTTP GET requests towards the Wiki server (typically port 80/TCP).
Usually, no prior authentication is necessary.
Possibly also HTTP POST, but this is untested.
—++ Impact
An attacker is able to execute arbitrary shell commands with the
privileges of the web server process, such as user nobody.
—++ MITRE Name for this Vulnerability
The Common Vulnerabilities and Exposures project has assigned the
name CAN-2005-2877 to this vulnerability.
—++ Details
The TWiki revision control function uses a user supplied URL
parameter to compose a command line executed by the Perl backtick
(``) operator.
The URL parameter is not checked properly for shell metacharacters
and is thus vulnerable to revision numbers containing pipes and
shell commands. Exploit is possible on topics with two or more
revisions.
Example URL path with exploited rev parameter:
/cgi-bin/view/Main/TWikiUsers?rev=2%20%7Cless%20/etc/passwd
If access to TWiki is not restricted by other means, attackers can
use the revision function without prior authentication.
See Also: SecurityAlertExecuteCommandsWithSearch9 and
UncoordinatedSecurityAlert23Feb20058
—++ Countermeasures
—++ Authors and Credits
—++ Hotfix
—+++ Patch for TWiki Production Release 01-Sep-2004 and 02-Sep-2004
Affected files: =twiki/lib/TWiki/Store.pm=, =twiki/lib/TWiki/UI/RDiff.pm=,
=twiki/lib/TWiki/UI/View.pm=, =twiki/lib/TWiki/UI/Viewfile.pm=
See also attached patch file TWiki200409-02-03.patch
— lib/TWiki/Store.pm.orig Thu Jul 22 01:43:40 2004
+++ lib/TWiki/Store.pm Thu Sep 8 21:30:44 2005
@@ -572,7 +572,9 @@
}
$theRev = "" unless( $theRev );
$topicHandler = _getTopicHandler( $theWebName, $theTopic,
$attachment ) if( ! $topicHandler );
my( $rcsOut, $rev, $date, $user, $comment ) =
$topicHandler->getRevisionInfo( $theRev );
— lib/TWiki/UI/RDiff.pm.orig Sun Aug 8 01:28:45 2004
+++ lib/TWiki/UI/RDiff.pm Thu Sep 8 21:33:13 2005
@@ -409,6 +409,9 @@
if( ! $rev2 ) { $rev2 = 0; }
$rev1 =~ s/r?1\.//go; # cut 'r' and major
$rev2 =~ s/r?1\.//go; # cut 'r' and major
if( $rev ) {
$rev =~ s/r?1\.//go; # cut 'r' and major
# Fix for Codev.SecurityAlertExecuteCommandsWithRev
$rev = $maxrev unless( $rev =~ s/.*?([0-9]+).*/$1/o );
if( $rev < 1 ) { $rev = 1; }
if( $rev > $maxrev ) { $rev = $maxrev; }
} else {
— lib/TWiki/UI/Viewfile.pm.orig Fri May 28 23:51:35 2004
+++ lib/TWiki/UI/Viewfile.pm Thu Sep 8 21:35:59 2005
@@ -43,6 +43,9 @@
my $fileName = $query->param( 'filename' );
my $rev = $query->param( 'rev' ) || "";
$rev =~ s/r?1\.//o; # cut 'r' and major
$rev = "" unless( $rev =~ s/.?([0-9]+)./$1/o );
return unless TWiki::UI::webExists( $webName, $topic );
—+++ Patch for TWiki Production Release 01-Feb-2003
Affected files: =twiki/lib/TWiki/Store.pm=, =twiki/bin/rdiff=,
=twiki/bin/view=, =twiki/bin/viewfile=
— bin/rdiff.orig Sat Feb 1 00:57:32 2003
+++ bin/rdiff Thu Sep 8 23:18:05 2005
@@ -155,6 +155,9 @@
if( ! $rev2 ) { $rev2 = 0; }
$rev1 =~ s/r?1\.//go; # cut 'r' and major
$rev2 =~ s/r?1\.//go; # cut 'r' and major
# Fix for Codev.SecurityAlertExecuteCommandsWithRev
$rev1 = $maxrev unless( $rev1 =~ s/.*?([0-9]+).*/$1/o );
$rev2 = $maxrev unless( $rev2 =~ s/.*?([0-9]+).*/$1/o );
if( $rev1 < 1 ) { $rev1 = $maxrev; }
if( $rev1 > $maxrev ) { $rev1 = $maxrev; }
if( $rev2 < 1 ) { $rev2 = 1; }
— bin/view.orig Thu Jan 30 00:21:25 2003
+++ bin/view Thu Sep 8 23:13:47 2005
@@ -123,6 +123,8 @@
writeDebug( "maxrev = $maxrev" );
if( $rev ) {
$rev =~ s/r?1\.//go; # cut 'r' and major
# Fix for Codev.SecurityAlertExecuteCommandsWithRev
$rev = $maxrev unless( $rev =~ s/.*?([0-9]+).*/$1/o );
if( $rev < 1 ) { $rev = 1; }
if( $rev > $maxrev ) { $rev = $maxrev; }
} else {
— bin/viewfile.orig Sun Jan 5 00:36:54 2003
+++ bin/viewfile Thu Sep 8 23:14:54 2005
@@ -63,6 +63,9 @@
my $fileName = $query->param( 'filename' );
my $rev = $query->param( 'rev' ) || "";
if( ( $rev ) && ( $rev ne $topRev ) ) {
—+++ Patch for TWiki Production Release 01-Dec-2001
Affected files: =twiki/bin/rdiff=, =twiki/bin/view=, =twiki/bin/viewfile=
— bin/rdiff.orig Tue Nov 13 18:59:02 2001
+++ bin/rdiff Thu Sep 8 23:51:50 2005
@@ -149,6 +149,9 @@
if( ! $rev2 ) { $rev2 = 0; }
$rev1 =~ s/r?1\.//go; # cut 'r' and major
$rev2 =~ s/r?1\.//go; # cut 'r' and major
# Fix for Codev.SecurityAlertExecuteCommandsWithRev
$rev1 = $maxrev unless( $rev1 =~ s/.*?([0-9]+).*/$1/o );
$rev2 = $maxrev unless( $rev2 =~ s/.*?([0-9]+).*/$1/o );
if( $rev1 < 1 ) { $rev1 = $maxrev; }
if( $rev1 > $maxrev ) { $rev1 = $maxrev; }
if( $rev2 < 1 ) { $rev2 = 1; }
— bin/view.orig Mon Dec 3 09:11:20 2001
+++ bin/view Thu Sep 8 23:52:57 2005
@@ -114,6 +114,8 @@
writeDebug( "maxrev = $maxrev" );
if( $rev ) {
$rev =~ s/r?1\.//go; # cut 'r' and major
# Fix for Codev.SecurityAlertExecuteCommandsWithRev
$rev = $maxrev unless( $rev =~ s/.*?([0-9]+).*/$1/o );
if( $rev < 1 ) { $rev = 1; }
if( $rev > $maxrev ) { $rev = $maxrev; }
} else {
— bin/viewfile.orig Fri Oct 5 18:03:20 2001
+++ bin/viewfile Thu Sep 8 23:53:45 2005
@@ -62,6 +62,9 @@
my $fileName = $query->param( 'filename' );
my $rev = $query->param( 'rev' ) || "";
if( ( $rev ) && ( $rev ne $topRev ) ) {
—+++ Patch for TWiki Production Release 01-Dec-2000
Affected files: =twiki/bin/rdiff=, =twiki/bin/view=
— bin/rdiff.orig Tue Nov 14 23:08:48 2000
+++ bin/rdiff Fri Sep 9 00:04:25 2005
@@ -139,6 +139,9 @@
if( ! $rev2 ) { $rev2 = 0; }
$rev1 =~ s/1\.//go; # cut major
$rev2 =~ s/1\.//go; # cut major
# Fix for Codev.SecurityAlertExecuteCommandsWithRev
$rev1 = $maxrev unless( $rev1 =~ s/.*?([0-9]+).*/$1/o );
$rev2 = $maxrev unless( $rev2 =~ s/.*?([0-9]+).*/$1/o );
if( $rev1 < 1 ) { $rev1 = $maxrev; }
if( $rev1 > $maxrev ) { $rev1 = $maxrev; }
if( $rev2 < 1 ) { $rev2 = 1; }
— bin/view.orig Tue Nov 14 23:14:31 2000
+++ bin/view Fri Sep 9 00:05:10 2005
@@ -77,6 +77,8 @@
$maxrev =~ s/1\.//go; # cut major
if( $rev ) {
$rev =~ s/1\.//go; # cut major
# Fix for Codev.SecurityAlertExecuteCommandsWithRev
$rev = $maxrev unless( $rev =~ s/.*?([0-9]+).*/$1/o );
if( $rev < 1 ) { $rev = 1; }
if( $rev > $maxrev ) { $rev = $maxrev; }
$text= &wiki::readVersion( $topic, "1.$rev" );
—++ TWiki News
Best regards,
Peter
–
— …/TWiki20040902/lib/TWiki/Store.pm 2004-07-22 10:43:40.000000000 +0200
+++ lib/TWiki/Store.pm 2005-09-09 06:30:44.000000000 +0200
@@ -572,7 +572,9 @@
}
$theRev = "" unless( $theRev );
$topicHandler = _getTopicHandler( $theWebName, $theTopic,
$attachment ) if( ! $topicHandler );
my( $rcsOut, $rev, $date, $user, $comment ) =
$topicHandler->getRevisionInfo( $theRev );
— …/TWiki20040902/lib/TWiki/UI/RDiff.pm 2004-08-08
10:28:45.000000000 +0200
+++ lib/TWiki/UI/RDiff.pm 2005-09-09 06:33:13.000000000 +0200
@@ -409,6 +409,9 @@
if( ! $rev2 ) { $rev2 = 0; }
$rev1 =~ s/r?1\.//go; # cut 'r' and major
$rev2 =~ s/r?1\.//go; # cut 'r' and major
my $fileName = $query->param( 'filename' );
my $rev = $query->param( 'rev' ) || "";
return unless TWiki::UI::webExists( $webName, $topic );
— …/TWiki20040902/lib/TWiki/UI/View.pm 2004-08-25
08:36:15.000000000 +0200
+++ lib/TWiki/UI/View.pm 2005-09-09 06:34:52.000000000 +0200
@@ -107,6 +107,8 @@
if( $rev ) {
$rev =~ s/r?1\.//go; # cut 'r' and major
# Fix for Codev.SecurityAlertExecuteCommandsWithRev
$rev = $maxrev unless( $rev =~ s/.*?([0-9]+).*/$1/o );
if( $rev < 1 ) { $rev = 1; }
if( $rev > $maxrev ) { $rev = $maxrev; }
} else {-$wikiversion = '02 Sep 2004 $Rev: 1742 $';
+$wikiversion = '03 Sep 2004 $Rev: 1742 $';
-Version: 02 Sep 2004 $Rev: 1742 $
+Version: 03 Sep 2004 $Rev: 1742 $
Release type: Production release
This version is TWiki Release 01-Sep-2004 patched for
— …/TWiki20040902/TWikiDocumentation.html 2004-08-31
18:35:18.000000000 +0200
+++ TWikiDocumentation.html 2005-09-10 03:09:15.000000000 +0200
@@ -1,7 +1,7 @@
<html><head>
<title>TWikiDocumentation</title>
</head><body bgcolor="#ffffff">
-<h1><a name="TWiki_Reference_Manual_01_Sep_20"> </a><a
name="_TWiki_Reference_Manual_01_Sep_2"> </a> TWiki Reference Manual
(01 Sep 2004 $Rev: 1742 $) </h1>
+<h1><a name="TWiki_Reference_Manual_03_Sep_20"> </a><a
name="_TWiki_Reference_Manual_03_Sep_2"> </a> TWiki Reference Manual
(03 Sep 2004 $Rev: 1742 $) </h1>
<p />
<script type="text/javascript">
<!–
@@ -3816,7 +3816,7 @@
</li>
</ul>
<p />
-This version of TWiki - 01 Sep 2004 $Rev: 1742 $ - expands the
following variables (enclosed in <code><b>%</b></code> percent signs):
+This version of TWiki - 03 Sep 2004 $Rev: 1742 $ - expands the
following variables (enclosed in <code><b>%</b></code> percent signs):
<p />
<p />
<p />
@@ -4627,7 +4627,7 @@
<ul>
<li> Syntax: <code>%WIKIVERSION%</code>
</li>
-<li> Expands to: <code>01 Sep 2004 $Rev: 1742 $</code>
+<li> Expands to: <code>03 Sep 2004 $Rev: 1742 $</code>
</li>
<li> Related: <a class="twikiAnchorLink"
href="#VarPLUGINVERSION">PLUGINVERSION</a>, <a class="twikiAnchorLink"
href="#VarWIKITOOLNAME">WIKITOOLNAME</a>
</li>
@@ -9836,4 +9836,4 @@
</li>
</ul>
<p />
-</body></html>
\ No newline at end of file
+</body></html>