
Security Alert: TWiki INCLUDE function allows DoS Attack on Itself (CVE-2006-1387)

ALERT! To get immediate alerts of high priority security issues, please join the low-volume twiki-announce list; details at TWikiAnnounceMailingList.

This advisory alerts you of a potential security issue with your TWiki installation: The TWiki INCLUDE function allows anyone with edit rights to launch a DoS (denial of service) attack on the TWiki server.

Vulnerable Software Version

Attack Vectors

Editing a wiki page and adding an INCLUDE directive. Typically, prior authentication is necessary; note that this includes the anonymous TWikiGuest account on sites that allow guest editing, so such sites are exposed without any real login.

Impact

An attacker can bring down the server within a few minutes: the recursive include consumes all available memory, and recovery typically requires a reboot of the server machine.

Severity Level

The TWiki SecurityTeam triaged this issue as documented in TWikiSecurityAlertProcess and assigned the following severity level:

  • Severity 2 issue: The TWiki installation is compromised

MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name CVE-2006-1387 to this vulnerability.

Details

Anyone with editing rights can add an INCLUDE by URL to a wiki page that starts an infinite recursion. This can happen if the wiki page includes itself by URL, or if the wiki page includes another page (on the same site or another site) that includes the originating wiki page by URL.

For example, a user can create a BombSite topic in the Sandbox web and add this to the content:

%INCLUDE{"http://wiki.example.com/cgi-bin/view/Sandbox/BombSite"}%

Not affected is an include by wiki page name instead of URL. TWiki already protects against recursive includes if the included topics are referenced by topic name, e.g. the following self-include is guarded against:

%INCLUDE{"SecurityAdvisoryDosAttackWithInclude"}%
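
The two include paths side by side, as an added example in Python (not TWiki's own Perl code): the guard TWiki applies to includes by topic name, the unguarded include-by-URL path that never terminates (capped here after a fixed number of fetches so the demo stops), and one hardened policy of my own that rewrites same-site view URLs to topic names, so the existing guard covers them, and refuses every other URL, which is the effect of the hotfix. The host name wiki.example.com, the script path /cgi-bin/view/, the topic contents and the MAX_FETCHES cap are all constructed for the example. A small audit helper lists topics that already carry an include by URL pointing back at the site. Note the cross-site case: when two sites include each other by URL, every fetch is a fresh request on the other server with an empty include stack, so no per-request guard can see that loop; that is why the advisory's countermeasures act at the HTTP layer (the Apache workaround) or disable URL includes outright.

```python
import re
from urllib.parse import urlparse

# Assumed site location (stand-in for TWiki's {DefaultUrlHost} and {ScriptUrlPath}/view).
SITE_HOST = "wiki.example.com"
VIEW_PATH = "/cgi-bin/view/"

# Constructed stand-in for the topic store: (web, topic) -> raw topic text.
TOPICS = {
    # the BombSite example from the advisory: a topic that includes itself by URL
    ("Sandbox", "BombSite"): '%INCLUDE{"http://wiki.example.com/cgi-bin/view/Sandbox/BombSite"}%',
    # two topics that include each other by URL
    ("Sandbox", "LoopA"): 'A says: %INCLUDE{"http://wiki.example.com/cgi-bin/view/Sandbox/LoopB"}%',
    ("Sandbox", "LoopB"): 'B says: %INCLUDE{"http://wiki.example.com/cgi-bin/view/Sandbox/LoopA"}%',
    # self-include by topic name, which TWiki already guards against
    ("Sandbox", "NameLoop"): 'name loop: %INCLUDE{"NameLoop"}%',
    # a benign include by name, and an include of a foreign site by URL
    ("Sandbox", "Safe"): 'hello %INCLUDE{"Leaf"}%',
    ("Sandbox", "Leaf"): 'world',
    ("Sandbox", "Remote"): 'x %INCLUDE{"http://other.example.org/cgi-bin/view/Main/WebHome"}%',
}

INCLUDE_RE = re.compile(r'%INCLUDE\{"([^"]*)"\}%')
MAX_FETCHES = 32  # demo-only cap; a real server has no such limit and runs out of memory


class IncludeLoop(Exception):
    """Raised when the unguarded path would have kept fetching forever."""


def same_site_topic(url):
    """Return (web, topic) if url is a view URL on this site, else None."""
    u = urlparse(url)
    if u.scheme not in ("http", "https") or u.hostname is None:
        return None
    if u.hostname.lower() != SITE_HOST or not u.path.startswith(VIEW_PATH):
        return None
    parts = u.path[len(VIEW_PATH):].strip("/").split("/")
    if len(parts) != 2 or not all(parts):
        return None
    return (parts[0], parts[1])


def render(web, topic, hardened=False):
    """hardened=False reproduces the behaviour the advisory describes,
    hardened=True applies the rewrite-or-refuse policy from the lead-in."""
    return _render(web, topic, hardened, stack=(), fetches=[0])


def _render(web, topic, hardened, stack, fetches):
    key = (web, topic)
    if key in stack:
        # TWiki's existing guard for includes by topic name
        return "%%RED%% Recursive include of %s.%s refused %%ENDCOLOR%%" % key
    text = TOPICS.get(key)
    if text is None:
        return "%%RED%% Topic %s.%s not found %%ENDCOLOR%%" % key
    stack = stack + (key,)

    def repl(m):
        target = m.group(1)
        if target.startswith(("http://", "https://")):
            return _include_url(target, hardened, stack, fetches)
        return _render(web, target, hardened, stack, fetches)  # by name: guarded

    return INCLUDE_RE.sub(repl, text)


def _include_url(url, hardened, stack, fetches):
    local = same_site_topic(url)
    if hardened:
        if local is None:
            # same effect as the advisory's hotfix: no include of foreign URLs
            return "%RED% Include of URL is disabled %ENDCOLOR%"
        # a view URL of this site becomes a name include, so the stack guard applies
        return _render(local[0], local[1], hardened, stack, fetches)
    # Unguarded path: the fetch is a separate HTTP request to the server, which
    # starts rendering with an empty include stack, so the guard never fires.
    fetches[0] += 1
    if fetches[0] > MAX_FETCHES:
        raise IncludeLoop("include by URL did not terminate after %d fetches" % MAX_FETCHES)
    if local is None:
        return "<foreign content, not fetched offline>"
    return _render(local[0], local[1], hardened, (), fetches)


def loops_forever(web, topic):
    """True if the unguarded mode only stopped because of the demo cap."""
    try:
        render(web, topic)
        return False
    except IncludeLoop:
        return True


def find_self_url_includes(topics=TOPICS):
    """Audit helper: topics whose INCLUDE by URL points back at this site."""
    found = []
    for (web, topic), text in sorted(topics.items()):
        for target in INCLUDE_RE.findall(text):
            if same_site_topic(target) is not None:
                found.append((web, topic, target))
    return found
```

Running render("Sandbox", "BombSite") in the default mode raises IncludeLoop once the cap is hit, where a real server would simply keep allocating; with hardened=True the same topic renders to the refusal marker immediately, and the LoopA/LoopB pair stops after one round trip. find_self_url_includes() is the check to run over existing topic data after applying either countermeasure, to find bombs already planted.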

Countermeasures

  • Prevent recursive include:
    • All TWiki versions: Apply workaround described below
  • Disable include by URL: (recommended for public TWiki sites)
    • Apply hotfix described below
    • Upgrade to TWiki 4.0.2 (to be released in a few days) - the configure script has a new {INCLUDE}{AllowURLs} flag that is turned off by default
  • Filter access to the web server
  • Use the web server software to restrict access to the web pages served by TWiki

Authors and Credits

Workaround for all TWiki Versions

TWiki does not identify itself as a browser when including a URL: its requests carry no browser identification (User-Agent). This can be used to deny TWiki access to its own pages by URL, which breaks the infinite recursion.

In Apache's httpd.conf, set an anonymous_spider environment variable when the browser identification is empty, then deny anonymous_spider access in the Directory section for TWiki's bin directory. Example:

BrowserMatchNoCase ^$ anonymous_spider

<Directory "/var/www/twiki/bin">
    AllowOverride All
    Options ExecCGI
    Order Allow,Deny
    Allow from all
    Deny from env=anonymous_spider
</Directory>

Note: If there is a Files section with "allow from all" inside the Directory section, it needs to be removed, because it would overrule the Deny setting. Example Files section to remove:

   <Files "*">
       allow from all
   </Files>

Note: Order, Allow and Deny are Apache 2.2 access-control directives; on Apache 2.4 they only work with mod_access_compat loaded, and the native equivalent is a RequireAll block combining "Require all granted" with "Require not env anonymous_spider". Verify the rule by requesting a TWiki page with the User-Agent header suppressed (curl does this with -H 'User-Agent:'); the server should answer 403 Forbidden while a normal browser still gets the page. Be aware that any other client that sends no User-Agent (monitoring scripts, some fetch tools) is locked out in the same way.

Hotfix

This hotfix disables includes by URL. This is recommended for public TWiki sites even though it reduces the functionality of TWiki.

Hotfix for TWiki 4.0.0 and TWiki 4.0.1

In file twiki/lib/TWiki.pm, find sub _includeUrl and add a return at the very beginning of the sub, as marked by the comment below (the remainder of the sub body is left unchanged and is elided here):

# Fetch content from a URL for inclusion by an INCLUDE
sub _includeUrl {
    my( $this, $theUrl, $thePattern, $theWeb, $theTopic ) = @_;

    # Fix for Codev.SecurityAdvisoryDosAttackWithInclude
    return "%RED% Include of URL is disabled %ENDCOLOR%";

    my $text = '';
    my $host = '';
    my $port = 80;
    my $path = '';
    my $user = '';
    my $pass = '';
    # ... rest of the original sub body, now unreachable, left unchanged

Hotfix for earlier TWiki Releases

Apply the same fix to sub handleIncludeUrl, also located in file twiki/lib/TWiki.pm.

Action Plan with Timeline

#   Action                                                              Date/Deadline  Status  Who
1.  Developer discloses issue to TWikiSecurityMailingList               2006-03-22     Done    KennethLavrsen
2.  Security team verifies issue                                        2006-03-23     Done    CrawfordCurrie, PeterThoeny
3.  Developer creates a fix for TWiki 4.0                               2006-03-23     Done    CrawfordCurrie
4.  Developer proposes workaround                                       2006-03-23     Done    KennethLavrsen
5.  Security team verifies workaround                                   2006-03-24     Done    PeterThoeny
6.  Developer creates a hotfix for TWiki 4.0                            2006-03-24     Done    PeterThoeny
7.  Send alert to TWikiAnnounceMailingList and TWikiDevMailingList      2006-03-24     Done    PeterThoeny
8.  Publish advisory in Codev web and update all related topics         2006-03-25     Done    PeterThoeny
9.  Issue a public security advisory (vuln@secunia.com, cert@cert.org,  2006-03-25     Done    PeterThoeny
    bugs@securitytracker.com, full-disclosure@lists.netsys.com,
    vulnwatch@vulnwatch.org)

Note: A silent alert was not done because the vulnerability was already made public in TWikiIRC on 2006-03-22

External Links

-- Contributors: KennethLavrsen, PeterThoeny, CrawfordCurrie, JasonHill - 24 Mar 2006

Discussions

The problem is creating an include loop in TWiki, and this is difficult to prevent by the topic name, ok?

So, why don't we stop the include from "my.domain/twiki-path/view/..."?

I think it's easy by blocking this URL pattern: /.*%SCRIPTURLPATH{view}%.*/

In Perl we can change the regex delimiter... so the "!" can do it.

What do you think?

-- AurelioAHeckert - 31 Jul 2006

Topic attachments

Attachment                   Size   Date              Who          Comment
CVE-2006-1387_TWiki_pm.diff  0.5 K  2006-03-25 07:37  PeterThoeny  Patch for twiki/lib/TWiki.pm, TWiki 4.0.1
htaccess_require_ua.txt      0.1 K  2006-03-25 07:37  PeterThoeny  Part of .htaccess file
Topic revision: r12 - 2006-07-31 - AurelioAHeckert
 