Security Alert: Arbitrary Code Execution in Configure Script (CVE-2008-3195)
Please join the twiki-announce list:
To get immediate alerts of high priority security issues, please join the low-volume twiki-announce list - details at TWikiAnnounceMailingList
This advisory alerts you of a potential security issue with your TWiki installation: remote attackers are able to execute arbitrary commands on the TWiki server if the configure script is not access restricted -- please read the details below to find out if you are vulnerable.
Vulnerable Software Version
Attack Vectors
To exploit the bug, you just need to set the "image" variable to the path of the file you wish to view. The file will be revealed if the web server has permission to read it.
For example, to show the "/etc/passwd" file content, go to:
http://www.examplo.org/twiki/bin/configure?action=image;image=../../../../../../etc/passwd;type=text/plain
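Added here as an illustration and not part of this advisory or of TWiki's own code: a Python version of the check the configure script needs for the "image" variable (resolve the requested path and require it to stay inside the directory that holds the images), and the same check applied to web server access log lines to find past requests of the kind shown above. The image directory and the log lines are constructed assumptions, not values from any real installation.

```python
import os
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical directory the configure script's image action is allowed to serve from.
IMAGE_DIR = "/srv/twiki/bin/logos"

def resolve_image_param(image_param, image_dir=IMAGE_DIR):
    """Return the absolute file to serve, or None when the request escapes image_dir.
    realpath() also follows symlinks, so a link pointing outside the directory is rejected."""
    if not image_param or "\0" in image_param:
        return None
    base = os.path.realpath(image_dir)
    # join() discards base for an absolute value; realpath() collapses any '..' segments
    candidate = os.path.realpath(os.path.join(base, image_param))
    if candidate != base and candidate.startswith(base + os.sep):
        return candidate
    return None

def is_configure_image_probe(target):
    """True when a request target calls configure's image action with a value the check above rejects.
    TWiki accepts ';' as well as '&' between parameters, so normalise before parsing."""
    parts = urlsplit(target)
    if not parts.path.endswith("/configure"):
        return False
    query = parse_qs(parts.query.replace(";", "&"), keep_blank_values=True)
    if "image" not in query.get("action", []):
        return False
    return any(resolve_image_param(v) is None for v in query.get("image", []))

# Apache combined-log fields we need: client, method, request target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3})')

def find_configure_probes(log_text):
    """Return (client, target, status) for every log line that is a traversal attempt."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_configure_image_probe(m.group(3)):
            hits.append((m.group(1), m.group(3), int(m.group(4))))
    return hits

# Constructed sample log lines (not taken from any real server); the first two are probes.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Sep/2008:10:01:02 +0000] "GET /twiki/bin/configure?action=image;image=../../../../../../etc/passwd;type=text/plain HTTP/1.1" 200 1843
203.0.113.5 - - [21/Sep/2008:10:01:09 +0000] "GET /twiki/bin/configure?action=image;image=/etc/passwd;type=text/plain HTTP/1.1" 200 1843
198.51.100.7 - - [21/Sep/2008:10:02:30 +0000] "GET /twiki/bin/configure?action=image;image=logo.gif;type=image/gif HTTP/1.1" 200 512
198.51.100.7 - - [21/Sep/2008:10:02:31 +0000] "GET /twiki/bin/view/Main/WebHome HTTP/1.1" 200 9876
"""
```

Running find_configure_probes(SAMPLE_LOG) returns the two requests from 203.0.113.5; a 200 status on such a line means the unpatched script answered the request, so the server should be treated as exposed.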
Impact
Under the assumption that an intruder has access to the configure script, it is possible to view and execute files with the privileges of the web server process, such as user nobody.
Severity Level
The TWiki SecurityTeam triaged this issue as documented in TWikiSecurityAlertProcess and assigned the following severity level:
- Severity 1 issue: The web server can be compromised
MITRE Name for this Vulnerability
The Common Vulnerabilities and Exposures project has assigned the name CVE-2008-3195 to this vulnerability.
Details
Your site may be vulnerable if:
- you run one of the vulnerable TWiki versions, and
- you have not secured your configure script as per the TWikiInstallationGuide
Countermeasures
- Restrict access to the configure script (recommended)
- Upgrade to TWikiRelease04x02x03 -- TWiki-4.2.3.zip (recommended)
- Apply a hotfix indicated below.
Hotfix for TWiki 4.x
The exploit is in the configure script and so can be resolved by replacing the file in your twiki/bin directory with the configure script attached to the TWikiRelease04x02x03 topic.
Hotfix for older TWiki versions
Countermeasures
- Secure your configure script as per section 8 of TWikiInstallationGuide
- Upgrade to TWikiRelease04x02x03
- Apply the appropriate hotfix
- configure-4.0.6: The hotfix for TWiki 4.0.x configure script - copy over the existing script in your twiki/bin dir.
- configure-4.1.3: The hotfix for TWiki 4.1.x configure script - copy over the existing script in your twiki/bin dir.
- configure-4.2.3: The hotfix for TWiki 4.2.x configure script - copy over the existing script in your twiki/bin dir.
Authors and Credits
- Credit to Sven, Vicki, David, Michael for disclosing the issue to the twiki-security mailing list
- Colas, Crawford, Sven for creating the hotfix
- Sven for creating the uncoordinated advisory
Action Plan with Timeline
| # | Action | Date | Status | Who |
| 1. | User discloses vulnerability to twiki-security | 2008-08-05 (severity 3 bug), 2008-09-03 (severity 1) | Done | |
| 2. | Developer verifies issue | 2008-08-05 to 2008-09-11 | Done | Colas, Crawford, Sven |
| 3. | Developer fixes code and creates hotfix | 2008-09-12 | Done | Colas, Crawford, Sven |
| 4. | Security team creates advisory | 2008-09-12 | Done | Sven |
| 5. | Send alert to TWikiAnnounceMailingList and TWikiDevMailingList | 2008-09-20 | Done | Peter |
| 6. | Publish advisory in Codev web and update all related topics | 2008-09-12 | Done | Sven |
| 7. | Issue a public security advisory (vuln@secunia.com, cert@cert.org, bugs@securitytracker.com, full-disclosure@lists.netsys.com, vulnwatch@vulnwatch.org) | 2008-09-20 | Done | Peter |
External Links
--
Contributors: SvenDowideit
Discussions
Is the 4.1.3 hotfix above correct? I got no diff from what was already installed in my 4.1.* system. The 4.2.3 hotfix definitely shows a diff from what I had installed on another system using 4.2.*.
-- WhitBlauvelt - 21 Sep 2008
Sorry, that one was the wrong file - I've uploaded the fixed one.
-- SvenDowideit - 21 Sep 2008