
Security Alert: Login bypass allows view of access restricted content (CVE-2006-6071)

ALERT! To get immediate alerts of high priority security issues, please join the low-volume twiki-announce list; details at TWikiAnnounceMailingList.

This advisory alerts you of a potential security issue with your TWiki installation: Unauthorized users may view access restricted content with a failed login. This applies only to TWiki installations with sessions enabled using Apache 1.3, not Apache 2.x.

Vulnerable Software Version

Attack Vectors

An unauthorized user can login by cancelling out of a failed login.

Impact

An unauthorized user is able to view content in access restricted topics. Editing topics and attaching files is not impacted.

Severity Level

The TWiki SecurityTeam triaged this issue as documented in TWikiSecurityAlertProcess and assigned the following severity level:

  • Severity 3 issue: TWiki content or browser is compromised

MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name CVE-2006-6071 to this vulnerability.

Details

Your site may be vulnerable if:

  1. You have ErrorDocument 401 set to point to the TWikiRegistration topic (or any other TWiki topic), and
  2. You are using ApacheLogin with TWiki-4.0 and have sessions enabled, or you are using an earlier TWiki version with SessionPlugin, and
  3. You are running Apache 1.3

The flaw can be used to view pages protected by TWiki permissions; it does not grant write access. You can verify whether your site is vulnerable as follows:

  1. Click the 'Login' link in the left bar
  2. Enter the login name of a valid user, but an incorrect password.
  3. Click "Ok"
  4. If apache re-prompts, enter the same username and password again
  5. Click "Cancel"

If your site is vulnerable you will be redirected to the TWikiRegistration topic with the valid user apparently logged in (the name appears in the left bar).

Countermeasures

  • Restrict access to the TWiki installation.
  • Apply the hotfix indicated below.
  • NOTE: The hotfix is known to prevent the current attacks, but it might not be a complete fix.

Hotfix

Delete the ErrorDocument line in the Apache configuration (httpd.conf or .htaccess), or (preferred) change it to point to a static HTML page. This page can safely contain a link to the TWikiRegistration page. For example,

<html>
<head>
<title>Failed login</title>
</head>
<body>
Your login attempt failed.
<p>
Do you want to
<a href="/cgi-bin/view/TWiki/TWikiRegistration">register in TWiki</a>?
</p>
</body>
</html>

(modify the href as appropriate for your site.)
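To check an existing httpd.conf or .htaccess for the precondition listed under Details, and to confirm the hotfix above took effect, here is an added Python checker written for this page (not part of TWiki or the advisory). The configuration fragments inside it are constructed, and treating only .html/.htm/.txt targets as static is an assumed heuristic.

```python
"""Added checker for the CVE-2006-6071 precondition in Apache config text:
an ErrorDocument 401 pointing at a local script (e.g. a TWiki topic) that
Apache reaches by internal subrequest. The .html/.htm/.txt heuristic and
the config fragments below are assumptions constructed for this example."""
import re
from typing import List, Tuple

# Constructed .htaccess fragment showing the vulnerable directive.
VULNERABLE_CONF = """\
# constructed fragment, not from any real site
AuthType Basic
AuthName "TWiki"
ErrorDocument 404 /notfound.html
ErrorDocument 401 /cgi-bin/view/TWiki/TWikiRegistration
"""
# Same fragment with the hotfix applied: 401 now goes to a static page.
FIXED_CONF = VULNERABLE_CONF.replace(
    "401 /cgi-bin/view/TWiki/TWikiRegistration", "401 /failed_login.html")

STATIC_SUFFIXES = (".html", ".htm", ".txt")
DIRECTIVE = re.compile(r"^\s*ErrorDocument\s+401\s+(\S.*?)\s*$", re.IGNORECASE)

def classify_401_target(target: str) -> str:
    """Classify an ErrorDocument 401 argument as Apache interprets it."""
    if target.startswith('"'):
        return "message"    # inline text: no subrequest at all
    if re.match(r"^[a-z][a-z0-9+.-]*://", target, re.IGNORECASE):
        return "redirect"   # external URL: client is redirected, no REMOTE_USER
    path = target.split("?", 1)[0]
    if path.lower().endswith(STATIC_SUFFIXES):
        return "static"     # plain file served by Apache itself (the hotfix)
    return "dynamic"        # local script reached by internal subrequest

def find_unsafe_401_handlers(conf_text: str) -> List[Tuple[int, str]]:
    """Return (line number, target) for every 401 handler that is 'dynamic'."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue        # Apache comments occupy whole lines
        m = DIRECTIVE.match(line)
        if m and classify_401_target(m.group(1)) == "dynamic":
            findings.append((lineno, m.group(1)))
    return findings

if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("fixed", FIXED_CONF)):
        print(name, find_unsafe_401_handlers(conf))
```

Feed it the text of each Apache config file that applies to the TWiki bin directory; any finding is a 401 handler that should be deleted or pointed at a static page.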

Authors and Credits

Action Plan with Timeline

| # | Action | Date | Status | Who |
| 1 | User discloses vulnerability to twiki-security | 2006-11-17 | Done | TWiki:Main.GeorgeClark |
| 2 | Developer verifies issue | 2006-11-21 | Done | CrawfordCurrie |
| 3 | Developer creates hotfix | 2006-11-21 | Done | CrawfordCurrie |
| 4 | Security team creates advisory | 2006-11-21 | Done | PeterThoeny |
| 5 | Send alert to TWikiAnnounceMailingList and TWikiDevMailingList | 2006-11-29 | Done | PeterThoeny |
| 6 | Publish advisory in Codev web and update all related topics | 2006-11-30 | Done | PeterThoeny |
| 7 | Issue a public security advisory (vuln@secunia.com, cert@cert.org, bugs@securitytracker.com, full-disclosure@lists.netsys.com, vulnwatch@vulnwatch.org) | 2006-11-30 | | PeterThoeny |

External Links

-- Contributors: CrawfordCurrie, PeterThoeny - 30 Nov 2006

Discussions

Topic revision: r7 - 2006-12-04 - PeterThoeny