Security Alert: Arbitrary Code Execution in Configure Script (CVE-2008-3195)

ALERT! To get immediate alerts of high-priority security issues, please join the low-volume twiki-announce list - details at TWikiAnnounceMailingList

This advisory alerts you to a potential security issue with your TWiki installation: remote attackers can execute arbitrary commands on the TWiki server if the configure script is not access-restricted. Please read the details below to find out whether you are vulnerable.

Vulnerable Software Version

Attack Vectors

To exploit the bug, an attacker only needs to set the "image" parameter to the path of the file they wish to view; the path is not confined to the image directory, so "../" sequences walk out of it. The file is returned if the web server process has permission to read it (the "type" parameter in the URL below, text/plain here, sets how the browser renders the result).

For example, to show the "/etc/passwd" file content, go to:
http://www.examplo.org/twiki/bin/configure?action=image;image=../../../../../../etc/passwd;type=text/plain
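The traversal above, modelled in Python as an added example (this is not TWiki's configure code, which is Perl): the vulnerable handler joins the request's image path onto the image directory and opens whatever results, while the hardened version canonicalises the path, refuses anything that resolves outside the image directory, and takes the Content-Type from the file's extension rather than from the request. The directory layout, file names and contents in demo() are constructed for the example.

```python
"""Directory-traversal check for a file-serving CGI action.

Added example modelling the configure "action=image;image=...;type=..."
handler described in this advisory. serve_image_vulnerable() joins the
caller-supplied path onto the image directory and opens the result, which
is how "../../../../../../etc/passwd" escapes. serve_image_hardened()
canonicalises the path, refuses anything outside the image directory and
derives the Content-Type from the file instead of trusting the request.
The directory layout and file contents in demo() are constructed for the
example; nothing here is TWiki's own code.
"""
import os
import shutil
import tempfile

# Only these extensions are ever served; the value is the Content-Type sent.
ALLOWED_TYPES = {".gif": "image/gif", ".png": "image/png"}


def serve_image_vulnerable(image_dir, image):
    """Vulnerable form: trusts the request path. Returns the file bytes."""
    # os.path.join keeps ".." segments, and an absolute `image` replaces
    # image_dir entirely, so the caller chooses what gets opened.
    path = os.path.join(image_dir, image)
    with open(path, "rb") as fh:
        return fh.read()


def serve_image_hardened(image_dir, image):
    """Hardened form. Returns (content_type, bytes) or raises PermissionError."""
    base = os.path.realpath(image_dir)
    # realpath resolves "..", "." and symlinks, so the containment test
    # below is made on the file that open() would actually reach.
    target = os.path.realpath(os.path.join(base, image))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes the image directory: %r" % image)
    ext = os.path.splitext(target)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise PermissionError("file type is not served: %r" % ext)
    with open(target, "rb") as fh:
        return ALLOWED_TYPES[ext], fh.read()


def demo():
    """Build a throwaway tree, run both handlers, return the outcomes."""
    root = tempfile.mkdtemp()
    try:
        image_dir = os.path.join(root, "images")
        os.mkdir(image_dir)
        with open(os.path.join(image_dir, "logo.gif"), "wb") as fh:
            fh.write(b"GIF89a-constructed")
        # Stand-in for /etc/passwd: a file one level above the image directory.
        with open(os.path.join(root, "secret.txt"), "wb") as fh:
            fh.write(b"root:x:0:0:root:/root:/bin/sh\n")

        results = {}
        # The traversal the advisory describes, against the vulnerable handler.
        results["vuln_leaks"] = serve_image_vulnerable(image_dir, "../secret.txt")
        # A legitimate request still works against the hardened handler ...
        results["hardened_ok"] = serve_image_hardened(image_dir, "logo.gif")
        # ... while relative traversal and absolute paths are both refused.
        for label, attempt in (("rel", "../secret.txt"),
                               ("abs", os.path.join(root, "secret.txt"))):
            try:
                serve_image_hardened(image_dir, attempt)
                results["blocked_" + label] = False
            except PermissionError:
                results["blocked_" + label] = True
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The containment test compares the canonical path against the canonical base directory rather than scanning the request for "..", so encoded or doubled separators and symlinks inside the image directory are handled by the same check; the extension allow-list is what stops a confined but still sensitive file (a .pl script or config next to the images) from being served as text.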

Impact

If an intruder can reach the configure script, it is possible to view and execute files with the privileges of the web server process (for example, user nobody).

Severity Level

The TWiki SecurityTeam triaged this issue as documented in TWikiSecurityAlertProcess and assigned the following severity level:

  • Severity 1 issue: The web server can be compromised

MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name CVE-2008-3195 to this vulnerability.

Details

Your site may be vulnerable if:

  1. You run one of the vulnerable TWiki versions, and
  2. You have not secured your configure script as per the TWikiInstallationGuide

Countermeasures

  • Restrict access to the configure script as per section 8 of TWikiInstallationGuide (recommended). This is effective on every TWiki version, because the flaw can only be triggered by someone who can request bin/configure.
  • Upgrade to TWikiRelease04x02x03 -- TWiki-4.2.3.zip (recommended)
  • Apply the hotfix for your release, indicated below.

Hotfix for TWiki 4.x

The flaw is confined to the configure script, so it can be closed by replacing that file in your twiki/bin directory with a fixed one. The 4.2.x script is also attached to the TWikiRelease04x02x03 topic; use the one matching your release:

  • configure-4.0.6: The hotfix for TWiki 4.0.x configure script - copy over the existing script in your twiki/bin dir.
  • configure-4.1.3: The hotfix for TWiki 4.1.x configure script - copy over the existing script in your twiki/bin dir.
  • configure-4.2.3: The hotfix for TWiki 4.2.x configure script - copy over the existing script in your twiki/bin dir.

After copying, make sure the replacement keeps the execute permission of the original and that the access restriction on configure is still in place: the hotfix removes the traversal, the restriction keeps the script out of reach altogether.
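The first countermeasure, restricting who can request the configure script, as an added example that is not the TWikiInstallationGuide's own text: an Apache 2.2-style fragment for twiki/bin/.htaccess (the syntax current for TWiki 4.x deployments). The .htpasswd path and the user name "admin" are assumptions; on Apache 2.4 the Order/Deny/Allow lines become Require ip, and Satisfy is replaced by RequireAll.

```apache
# twiki/bin/.htaccess fragment (example, not the TWiki project's own file;
# the AuthUserFile path and the "admin" user are assumptions).
<FilesMatch "^configure.*">
    # First condition: only requests from the local host may reach the script.
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1

    # Second condition: the caller must also authenticate as the admin user.
    AuthType Basic
    AuthName "TWiki configure"
    AuthUserFile /path/to/twiki/data/.htpasswd
    Require user admin

    # Both conditions must hold. "All" is the default, but stating it keeps
    # someone from relaxing this block to "Satisfy Any" by accident.
    Satisfy All
</FilesMatch>
```

For the .htaccess to take effect, the bin directory needs at least AllowOverride Limit AuthConfig in the server configuration (or put the block inside the <Directory> for twiki/bin in httpd.conf). To verify, request /twiki/bin/configure from a host other than the server itself: the response should be 403 Forbidden, and a request for the exploit URL given above should fail the same way before the script ever sees the image parameter.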

Authors and Credits

  • Credit to Sven, Vicki, David, Michael for disclosing the issue to the twiki-security mailing list
  • Colas, Crawford, Sven for creating the hotfix
  • Sven for creating the uncoordinated advisory

Action Plan with Timeline

# | Action | Date | Status | Who
1 | User discloses vulnerability to twiki-security | 2008-08-05 (severity 3 bug), 2008-09-03 (severity 1) | Done |
2 | Developer verifies issue | 2008-08-05 to 2008-09-11 | Done | Colas, Crawford, Sven
3 | Developer fixes code and creates hotfix | 2008-09-12 | Done | Colas, Crawford, Sven
4 | Security team creates advisory | 2008-09-12 | Done | Sven
5 | Send alert to TWikiAnnounceMailingList and TWikiDevMailingList | 2008-09-20 | Done | Peter
6 | Publish advisory in Codev web and update all related topics | 2008-09-12 | Done | Sven
7 | Issue a public security advisory (vuln@secunia.com, cert@cert.org, bugs@securitytracker.com, full-disclosure@lists.netsys.com, vulnwatch@vulnwatch.org) | 2008-09-20 | Done | Peter

External Links

-- Contributors: SvenDowideit

Discussions

Is the 4.1.3 hotfix above correct? I got no diff from what was already installed in my 4.1.* system. The 4.2.3 hotfix definitely shows a diff from what I had installed on another system using 4.2.*.

-- WhitBlauvelt - 21 Sep 2008

Sorry, that one was the wrong file - I've uploaded the fixed one.

-- SvenDowideit - 21 Sep 2008

Topic attachments

Attachment | Size | Date | Comment
configure | 121.4 K | 2008-09-12 06:01 | The hotfix for TWiki 4.0.x configure script - copy over the existing script in your twiki/bin dir.
configure-4.0.6 | 122.2 K | 2008-09-21 22:27 |
configure-4.1.3 | 20.8 K | 2008-09-21 22:28 |
configure-4.2.3 | 23.5 K | 2008-09-12 06:03 | The hotfix for TWiki 4.2.x configure script - copy over the existing script in your twiki/bin dir.
Topic revision: r6 - 2008-09-21 - SvenDowideit