Security Alert: Login bypass allows view of access restricted content (CVE-2006-6071)
Please join the twiki-announce list: |
To get immediate alerts of high priority security issues, please join the low-volume twiki-announce list - details at TWikiAnnounceMailingList |
This advisory alerts you of a potential security issue with your TWiki installation: Unauthorized users may view access restricted content with a failed login. This applies only to TWiki installations with sessions enabled using Apache 1.3, not Apache 2.x.
Vulnerable Software Version
Attack Vectors
An unauthorized user can login by cancelling out of a failed login.
Impact
An unauthorized user is able to view content in access restricted topics. Editing topics and attaching files is not impacted.
Severity Level
The TWiki
SecurityTeam triaged this issue as documented in
TWikiSecurityAlertProcess and assigned the following severity level:
- Severity 3 issue: TWiki content or browser is compromised
MITRE Name for this Vulnerability
The Common Vulnerabilities and Exposures project has assigned the name
CVE-2006-6071 to this vulnerability.
Details
Your site may be vulnerable if:
- If you have
ErrorDocument 401
set to point to the TWikiRegistration topic (or any other TWiki topic) and
- You are using ApacheLogin with TWiki-4.0 and have sessions enabled, or you are using an earlier TWiki version with SessionPlugin, and
- You are running Apache 1.3
The exploit can be used to view pages protected by TWiki permissions. It does not allow you to to gain write access. You can verify if your site is vulnerable as follows:
- Click the 'Login' link in the left bar
- Enter the login name of a valid user, but an incorrect password.
- Click "Ok"
- If apache re-prompts, enter the same username and password again
- Click "Cancel"
If your site is vulnerable you will be redirected to the TWikiRegistration topic with the valid user apparently logged in (the name appears in the left bar).
Countermeasures
- Restrict access to the TWiki installation.
- Apply the hotfix indicated below.
- NOTE: The hotfix is known to prevent the current attacks, but it might not be a complete fix
Hotfix
Delete the
ErrorDocument
line in the Apache configuration (
httpd.conf
or
.htaccess
),
or (preferred) change it to point to a static
HTML page. This page can safely contain a link to the TWikiRegistration page. For example,
<html>
<title>Failed login</title>
<head>
</head>
<body>
Your login attempt failed.
<p />
Do you want to
<a href="/cgi-bin/view/TWiki/TWikiRegistration">register in TWiki</a>?
</body>
</html>
(modify the
href
as appropriate for your site.)
Authors and Credits
Action Plan with Timeline
External Links
--
Contributors: CrawfordCurrie,
PeterThoeny - 30 Nov 2006
Discussions