Tags:
create new tag
, view all tags

Security Alert: Cross-site scripting vulnerability with TWiki URLPARAM variable

ALERT! Get Alerted: To get immediate alerts of high priority security issues, please join the low-volume twiki-announce list - details at TWikiAnnounceMailingList

This advisory alerts you of a potential security issue with your TWiki installation: The %URLPARAM{}% TWiki variable may expose a cross-site scripting (XSS) vulnerability. (See also unrelated SecurityAlert-CVE-2008-5305 - TWiki SEARCH variable allows arbitrary shell command execution.)

Vulnerable Software Version

Attack Vectors

Editing wiki pages and HTTP GET requests towards the wiki server (typically port 80/TCP). Typically, prior authentication is necessary (including anonymous TWikiGuest accounts).

Impact

An unauthenticated remote attacker could exploit an XSS attack on a TWiki site.

Severity Level

The TWiki SecurityTeam triaged this issue as documented in TWikiSecurityAlertProcess and assigned the following severity level:

  • Severity 3 issue: TWiki content or browser is compromised

Note: Severity 3 issues are usually handled as bugs without an advisory, but this time an advisory is issued to raise the awareness on possible XSS attacks.

MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name CVE-2008-5304 to this vulnerability.

Details

The %URLPARAM{}% TWiki variable is a powerful command to create dynamic wiki content and wiki applications. If a URLPARAM is not properly encoded it may be open to XSS attacks. http://en.wikipedia.org/wiki/Cross-site_scripting has details on XSS.

Specifically, the XSS vulnerability exists if the URLPARAM is used inside an HTML form field value without adding proper encoding. Example:

<input type="text" name="city" value="%URLPARAM{ "city" }%" />

The attacker could construct a 'city' URL parameter with a double quote to close the input value="" attribute, followed by additional attributes.

Example 1:

  • Go to http://example.com/twiki/view/TWiki/WebSearch?search=%27a%20onmouseover=alert(document.cookie)%20%27
  • Move your mouse over the 'Advanced search' link about half way down the page.
  • You should see a javascript popup that wasn't there before.

Example 2:

  • Go to http://example.com/twiki/view/TWiki/ResetPassword?username="<script language=Javascript>alert('3y3 0wn j00 TWIKI')</script>
  • You should see a javascript popup that wasn't there before.

To avoid XSS attacks, a URLPARAM inside a HTML form field value needs to be entity encoded. This will escape special characters, so that content will be displayed verbatim in the input field. Example of properly encoding a URLPARAM in an input field value:

<input type="text" name="city" value="%URLPARAM{ "city" encode="entity" }%" />

The TWiki distributions contains a number of pages that have non-encoded URLPARAMs in HTML input fields. Those pages need to be fixed to avoid XSS attacks.

One might think that URLPARAM should always be encoded. This is not a viable option since it would introduce an incompatible spec change that would break many dynamic reports and TWiki applications.

The responsibility relies with the users to monitor and/or lock down wiki content to counter XSS exploits. Study http://twiki.org/cgi-bin/view/TWiki/VarURLPARAM on proper use of URLPARAM.

Countermeasures

  • Apply hotfix (see patch below).
  • Upgrade to the latest patched production TWiki-4.2.4, TWikiRelease04x02x04.
  • Use the web server software to restrict access to the web pages served by TWiki.
  • Search your wiki content for %URLPARAM and encode them where needed.

Authors and Credits

Hotfix for TWiki Production Release 4.2.x

Affected files:

  • twiki/data/TWiki/ChangePassword.txt
  • twiki/data/TWiki/ChangePassword.txt,v
  • twiki/data/TWiki/FormattedSearch.txt
  • twiki/data/TWiki/FormattedSearch.txt,v
  • twiki/data/TWiki/ResetPassword.txt
  • twiki/data/TWiki/ResetPassword.txt,v
  • twiki/data/TWiki/VarURLPARAM.txt
  • twiki/data/TWiki/VarURLPARAM.txt,v
  • twiki/data/TWiki/WebAtomBase.txt
  • twiki/data/TWiki/WebAtomBase.txt,v
  • twiki/data/TWiki/WebCreateNewTopicTemplate.txt
  • twiki/data/TWiki/WebCreateNewTopicTemplate.txt,v
  • twiki/data/TWiki/WebRssBase.txt
  • twiki/data/TWiki/WebRssBase.txt,v
  • twiki/data/TWiki/WebSearchAdvanced.txt
  • twiki/data/TWiki/WebSearchAdvanced.txt,v
  • twiki/data/TWiki/WebSearch.txt
  • twiki/data/TWiki/WebSearch.txt,v

Hotfix: Unzip SecurityAlert-CVE-2008-5304-hotfix.zip into your TWiki directory, preserving the directory structure. All files should go into the twiki/data/TWiki directory.

Fixing older TWiki Releases

There is no hotfix for older releases. Upgrade to the latest TWiki version, or search your wiki content for %URLPARAM and encode them where needed.

Action Plan with Timeline

# Action Date/ Deadline Status Who
1. User discloses issue to TWikiSecurityMailingList 2008-11-18 Done Marc Schoenefeld
2. Developer verifies issue 2008-11-27 Done Peter Thoeny
3. Developer fixes code 2008-12-01 Done Peter Thoeny, Sopan Shewale
4. Security team creates advisory with hotfix 2008-12-03 Done Peter Thoeny
5. Send alert to TWikiAnnounceMailingList and TWikiDevMailingList 2008-12-03 Done Peter Thoeny
6. Publish advisory in Codev web and update all related topics 2008-12-05 Done Peter Thoeny
7. Issue a public security advisory (vuln@secunia.com, cert@cert.org, bugs@securitytracker.com, full-disclosure@lists.netsys.com, vulnwatch@vulnwatch.org) 2008-12-05 Done Peter Thoeny

External Links

-- PeterThoeny - 03 Dec 2008

Discussions

While it's understandable that the 3-Dec announcemet had the .zip file stripped by mailman, this negated the benefit of the pre-announcement.

The announcement should have provided a link to the .zip file.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: SecurityAlert-CVE-2008-5304-hotfix.zip
Type: application/zip
Size: 50213 bytes
Desc: not available
-------------- next part --------------

-- TimotheLitt - 06 Dec 2008

Good point on stripped e-mail attachments. The SecurityTeam will keep this in mind for next time (if any). The team is quite responsive, you can send an e-mail to the TWikiSecurityMailingList if your question needs immediate attention.

-- PeterThoeny - 07 Dec 2008

Edit | Attach | Watch | Print version | History: r9 < r8 < r7 < r6 < r5 | Backlinks | Raw View | Raw edit | More topic actions
Topic revision: r9 - 2008-12-07 - PeterThoeny
 
  • Learn about TWiki  
  • Download TWiki
This site is powered by the TWiki collaboration platform Powered by Perl Hosted by OICcam.com Ideas, requests, problems regarding TWiki? Send feedback. Ask community in the support forum.
Copyright © 1999-2015 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.