Security Alert: TWiki INCLUDE function allows DoS Attack on Itself (CVE-2006-1387)
Please join the twiki-announce list: To get immediate alerts of high priority security issues, please join the low-volume twiki-announce list - details at TWikiAnnounceMailingList
This advisory alerts you to a potential security issue with your
TWiki installation: the TWiki INCLUDE function allows anyone with
edit rights to launch a DoS (denial of service) attack on the
TWiki server.
Vulnerable Software Version
Attack Vectors
Editing a wiki page and adding an INCLUDE directive. Typically,
prior authentication is necessary (an anonymous TWikiGuest login
also counts).
Impact
An attacker is able to bring down a server within a few minutes
with a DoS attack. All memory is consumed, typically requiring
a reboot of the server machine.
Severity Level
The TWiki SecurityTeam triaged this issue as documented in
TWikiSecurityAlertProcess and assigned the following severity level:
- Severity 2 issue: The TWiki installation is compromised
MITRE Name for this Vulnerability
The Common Vulnerabilities and Exposures project has assigned the
name CVE-2006-1387 to this vulnerability.
Details
Anyone with editing rights can add an INCLUDE by URL to a wiki
page that starts an infinite recursion. This can happen if the
wiki page includes itself by URL, or if the wiki page includes
another page (on the same site or another site) that includes
the originating wiki page by URL.
For example, a user can create a BombSite topic in the Sandbox
web and add this to the content:
%INCLUDE{"http://wiki.example.com/cgi-bin/view/Sandbox/BombSite"}%
Includes by wiki page name (rather than by URL) are not affected.
TWiki already protects against recursive includes when the
included topics are referenced by topic name; e.g. the
following self-include is guarded against:
%INCLUDE{"SecurityAdvisoryDosAttackWithInclude"}%
Countermeasures
- Prevent recursive include:
  - All TWiki versions: Apply workaround described below
- Disable include by URL (recommended for public TWiki sites):
  - Apply hotfix described below
  - Upgrade to TWiki 4.0.2 (to be released in a few days) - the configure script has a new {INCLUDE}{AllowURLs} flag that is turned off by default
- Filter access to the web server:
  - Use the web server software to restrict access to the web pages served by TWiki
Authors and Credits
Workaround for all TWiki Versions
TWiki does not identify itself as a browser (it sends an empty
User-Agent) when including a URL. This fact can be used to deny
TWiki access to TWiki pages by URL, thus preventing the infinite
recursion.
In Apache's httpd.conf, set an anonymous_spider environment variable
when the browser identification is empty. In the Directory section
for TWiki's bin directory, deny anonymous_spider access to the
content. Example:
BrowserMatchNoCase ^$ anonymous_spider
<Directory "/var/www/twiki/bin">
AllowOverride All
Options ExecCGI
Order Allow,Deny
Allow from all
Deny from env=anonymous_spider
</Directory>
Note: If there is a Files section with "allow from all" inside
the Directory section, it must be removed, because it would
override the Deny setting. Example Files section to remove:
<Files "*">
allow from all
</Files>
Hotfix
This hotfix disables includes by URL. This is recommended for public
TWiki sites even though it reduces the functionality of TWiki.
Hotfix for TWiki 4.0.0 and TWiki 4.0.1
In file twiki/lib/TWiki.pm, find sub _includeUrl. Add a return at
the very beginning, as shown below; the added lines are the fix
comment and the return immediately after the argument declaration:
# Fetch content from a URL for inclusion by an INCLUDE
sub _includeUrl {
my( $this, $theUrl, $thePattern, $theWeb, $theTopic ) = @_;
# Fix for Codev.SecurityAdvisoryDosAttackWithInclude
return "%RED% Include of URL is disabled %ENDCOLOR%";
# The original fetch code below is now unreachable and stays unchanged
my $text = '';
my $host = '';
my $port = 80;
my $path = '';
my $user = '';
my $pass = '';
Hotfix for earlier TWiki Releases
Apply the fix described above to sub handleIncludeUrl, located in
file twiki/lib/TWiki.pm.
Action Plan with Timeline
Note: A silent alert was not done because the vulnerability was already made public in TWikiIRC on 2006-03-22
External Links
-- Contributors: KennethLavrsen, PeterThoeny, CrawfordCurrie, JasonHill - 24 Mar 2006
Discussions
The problem is to create an include loop in the TWiki, and this is difficult to prevent by the topic name, ok?
So, why don't we stop the include from
"my.domain/twiki-path/view/..."?
I think it's easy by blocking this URL pattern:
/.*%SCRIPTURLPATH{view}%.*/
In Perl we can change the regex delimiter...
so the "!" can do it.
What do you think about it?
-- AurelioAHeckert - 31 Jul 2006
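As an added example (not TWiki's own code and not the hotfix above), the following Perl guard implements the idea from the discussion for the recursion described under Details: it refuses INCLUDE URLs that point back at this site's own script path, and generalizes it with a nesting-depth limit so that indirect loops through another site also terminate. The site settings, the url_include_refusal function, the depth limit of 3 and the sample URLs are assumptions.

```perl
#!/usr/bin/perl
# Added example, not TWiki's own code. A guard for INCLUDE-by-URL that
# refuses URLs pointing back at this site's own scripts (the pattern idea
# from the discussion) and bounds nesting depth for indirect loops.
use strict;
use warnings;
use URI;   # CPAN URI module; assumed to be installed

# Hypothetical site settings; a real TWiki would take these from configure.
my %site = (
    host            => 'wiki.example.com',
    script_url_path => '/cgi-bin',
);
# Assumption: the caller tracks how deeply URL includes are nested and
# passes that count in; anything deeper than this is refused.
my $MAX_URL_INCLUDE_DEPTH = 3;

# Returns undef when the URL may be fetched, or a reason string when it
# must be refused.
sub url_include_refusal {
    my ( $url, $depth ) = @_;
    return "URL include nesting too deep ($depth)"
        if $depth > $MAX_URL_INCLUDE_DEPTH;

    my $u      = URI->new($url);
    my $scheme = $u->scheme;
    return "unsupported scheme" unless defined $scheme && $scheme =~ /^https?$/;

    # Any URL under this site's own script path (view, viewauth, ...) leads
    # straight back into TWiki: the self-include case from the advisory.
    # The "!" regex delimiter means the slashes need no escaping.
    my $host = lc( defined $u->host ? $u->host : '' );
    if ( $host eq lc( $site{host} )
        && $u->path =~ m!^\Q$site{script_url_path}\E/\w+(?:/|$)! )
    {
        return "refusing include of this site's own script URL";
    }
    # Host checks alone are not exhaustive (aliases, IP addresses), so the
    # depth limit above is the backstop for loops that pass through elsewhere.
    return undef;
}

# Constructed inputs: the BombSite URL from the advisory and an unrelated page.
for my $url (
    'http://wiki.example.com/cgi-bin/view/Sandbox/BombSite',
    'http://other.example.org/docs/page.html',
) {
    my $why = url_include_refusal( $url, 1 );
    print "$url => ", ( defined $why ? "REFUSED: $why" : "allowed" ), "\n";
}
```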