Security Alert CVE-2010-3841: XSS Vulnerability with rev parameter & login script
This advisory alerts you of two potential security issues with your TWiki installation:
1. The rev parameter to the view script may expose a cross-site scripting (XSS) vulnerability.
2. The login script may expose a cross-site scripting vulnerability.
Vulnerable Software Version
Attack Vectors
The attack is carried out by viewing wiki pages or by logging in, that is, by issuing HTTP GET requests to the TWiki server (usually port 80/TCP).
Impact
Specially crafted parameters open up cross-site scripting (XSS) attacks.
Severity Level
The TWiki SecurityTeam triaged this issue as documented in TWikiSecurityAlertProcess and assigned the following severity level:
- Severity 3 issue: TWiki content or browser is compromised.
MITRE Name for this Vulnerability
The Common Vulnerabilities and Exposures project has assigned the name CVE-2010-3841 to this vulnerability.
Details
A malicious person can use specially crafted URL parameters to the TWiki view and login scripts to execute arbitrary JavaScript code in the browser. Examples:
1. Specially crafted rev parameter to the view script of TWiki:
GET /twiki/bin/view?rev=%27%3E%3Cscript%3Ealert%28Hello%29%3C/script%3E
2. Specially crafted parameter to the login script of TWiki:
GET /twiki/bin/login?origurl=&ANYTHING%27%3E%3Cscript%3Ealert%28Hello%29%3C/script%3E
In both examples, TWiki decodes the URL parameter into the following JavaScript code, popping up a JavaScript alert box showing "Hello":
'><script>alert(Hello)</script>
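As an added example (not TWiki code), the following Python script scans constructed access-log lines for the two request shapes shown above, flagging a rev value that is not a plain revision number and any query parameter name containing the characters the hotfix strips (' " < >). The log-format regex and the sample log lines are assumptions made for this example.

```python
"""Added example (not TWiki code): flag CVE-2010-3841-style requests in an access log."""
import re
from urllib.parse import unquote, urlsplit

# Apache common log format; regex and sample lines below are constructed for this example.
LOG_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d+)')
# The hotfix strips parameter *names* at the first of these characters, so a request
# whose parameter name contains one is worth flagging.
BAD_NAME_CHARS = set("'\"<>")
# Allow-list for the rev value: plain revision numbers only (e.g. 3 or 1.12).
REV_OK = re.compile(r'^\d+(\.\d+)*$')

def split_query(url):
    """Return decoded (name, value) pairs, keeping odd names that parse_qsl would drop."""
    pairs = []
    for part in urlsplit(url).query.split('&'):
        if part:
            name, _, value = part.partition('=')
            pairs.append((unquote(name), unquote(value)))
    return pairs

def suspicious_reasons(url):
    """Reasons a request URL looks like a CVE-2010-3841 probe; an empty list means clean."""
    reasons = []
    for name, value in split_query(url):
        if BAD_NAME_CHARS & set(name):
            reasons.append('illegal characters in parameter name %r' % name)
        if name == 'rev' and value and not REV_OK.match(value):
            reasons.append('non-numeric rev value %r' % value)
    return reasons

def scan_log(lines):
    """Return [(url, reasons)] for every log line that trips a check."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            reasons = suspicious_reasons(m.group('url'))
            if reasons:
                hits.append((m.group('url'), reasons))
    return hits

# Constructed sample: one benign view request, then the two payloads from the advisory.
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Oct/2010:10:00:00 -0700] "GET /twiki/bin/view/Main/WebHome?rev=3 HTTP/1.1" 200 5120',
    '192.0.2.20 - - [14/Oct/2010:10:00:01 -0700] "GET /twiki/bin/view?rev=%27%3E%3Cscript%3Ealert%28Hello%29%3C/script%3E HTTP/1.1" 200 4096',
    '192.0.2.30 - - [14/Oct/2010:10:00:02 -0700] "GET /twiki/bin/login?origurl=&ANYTHING%27%3E%3Cscript%3Ealert%28Hello%29%3C/script%3E HTTP/1.1" 200 2048',
]
```

Running scan_log(SAMPLE_LOG) reports the second and third lines only; the benign rev=3 request passes both checks.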
Countermeasures
- Apply hotfix (see patch below).
- Upgrade to the latest patched production TWiki-5.0.1, TWikiRelease05x00x01.
- Use the web server software to restrict access to the web pages served by TWiki.
Hotfix for TWiki Production Releases
It is recommended to upgrade to the latest TWiki version. If an immediate upgrade is not feasible you can apply this patch for Production Release TWiki-5.0.0, TWiki-4.3.2 and TWiki-4.1.2. There is no hotfix for earlier TWiki releases; take the hotfix as a guideline (line numbers may vary). The patch fixes TWiki variables REVTITLE, REVARG and QUERYPARAMS.
Patch for TWiki-5.0.0
Affected file: twiki/lib/TWiki.pm
Patch:
--- TWiki.pm.save0 2010-10-09 00:06:18.000000000 -0700
+++ TWiki.pm 2010-10-09 00:16:15.000000000 -0700
@@ -3820,7 +3820,7 @@
my $request = $this->{request};
my $out = '';
if( $request ) {
- my $rev = $request->param('rev');
+ my $rev = $this->{store}->cleanUpRevID( $request->param( 'rev' ) );
$out = '(r'.$rev.')' if ($rev);
}
return $out;
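Review bot: the new line my $rev = $this->{store}->cleanUpRevID( $request->param( 'rev' ) ); makes this (r...) text safe only as far as cleanUpRevID() guarantees a purely numeric result, because $out = '(r'.$rev.')' still concatenates the value into page content with no HTML escaping. Document that contract next to the call, or entity-encode $rev here as well, so that a later relaxation of cleanUpRevID() does not silently reopen the issue; a regression test feeding the rev payload from the Details section through this code and asserting $out is empty would pin the behaviour.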
@@ -3831,7 +3831,7 @@
my $request = $this->{request};
my $out = '';
if( $request ) {
- my $rev = $request->param('rev');
+ my $rev = $this->{store}->cleanUpRevID( $request->param( 'rev' ) );
$out = '&rev='.$rev if ($rev);
}
return $out;
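Review bot: this is the second copy of the identical cleanUpRevID( $request->param( 'rev' ) ) call within a dozen lines (the first is in the (r...) hunk above); factor it into one small accessor so the title text and the &rev= argument always receive the same cleaning, otherwise a future change to one site can miss the other. Note also that '&rev=' is emitted with a bare ampersand; that is pre-existing and fine inside a URL, but if the result is ever placed into an HTML attribute it needs to be &amp;rev=.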
@@ -4022,6 +4022,8 @@
my @list;
foreach my $name ( $this->{request}->param() ) {
+ # clean parameter names of illegal characters
+ $name =~ s/['"<>].*//;
# Issues multi-valued parameters as separate hiddens
my $value = $this->{request}->param( $name );
if ($encoding) {
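Review bot: $name =~ s/['"<>].*//; truncates rather than rejects. A name such as ANYTHING'><script>... becomes ANYTHING, and the following $this->{request}->param( $name ) then looks up a parameter that was never sent (undef value), or, if a legitimate parameter with the shortened name exists, emits that one a second time. Prefer an allow-list that skips the parameter entirely, e.g. next unless $name =~ /^[\w.\-]+$/; over a four-character deny-list, since other characters can be significant inside the hidden-field markup this loop builds. The visible if ($encoding) { also suggests the value is only encoded conditionally; confirm the value path is escaped for the HTML context regardless of that flag.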
Patch for TWiki-4.3.2
Affected file: twiki/lib/TWiki.pm
Patch:
--- TWiki.pm.save0 2009-12-23 05:12:36.000000000 -0800
+++ TWiki.pm 2010-10-14 12:47:02.000000000 -0700
@@ -3447,7 +3447,7 @@
my $cgiQuery = $this->{cgiQuery};
my $out = '';
if( $cgiQuery ) {
- my $cgiRev = $cgiQuery->param('rev');
+ my $cgiRev = $this->{store}->cleanUpRevID( $cgiQuery->param( 'rev' ) );
$out = '(r'.$cgiRev.')' if ($cgiRev);
}
return $out;
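Review bot: this hunk assumes $this->{store} provides cleanUpRevID() in the 4.3.2 Store implementation; the advisory notes that line numbers vary between releases, so verify the method exists in 4.3.2 before applying, because a missing method only fails at runtime when the (r...) text is expanded and would turn an XSS fix into a broken page. As in the 5.0.0 patch, the cleaned $cgiRev is still concatenated into $out without escaping, so the fix stands or falls on cleanUpRevID() returning digits only.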
@@ -3457,7 +3457,7 @@
my $cgiQuery = $this->{cgiQuery};
my $out = '';
if( $cgiQuery ) {
- my $cgiRev = $cgiQuery->param('rev');
+ my $cgiRev = $this->{store}->cleanUpRevID( $cgiQuery->param( 'rev' ) );
$out = '&rev='.$cgiRev if ($cgiRev);
}
return $out;
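Review bot: duplicate of the cleanUpRevID( $cgiQuery->param( 'rev' ) ) call in the previous hunk; a shared accessor would keep the (r...) and &rev= expansions in step and give one place to test.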
@@ -3619,6 +3619,8 @@
my @list;
foreach my $name ( $this->{cgiQuery}->param() ) {
+ # clean parameter names of illegal characters
+ $name =~ s/['"<>].*//;
# Issues multi-valued parameters as separate hiddens
my $value = $this->{cgiQuery}->param( $name );
if ($encoding) {
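Review bot: the same concern as the QUERYPARAMS loop in the 5.0.0 patch applies: s/['"<>].*// truncates the name, and the next line then calls $this->{cgiQuery}->param( $name ) with the truncated name, so the value looked up is not the value of the parameter being iterated. Skipping names that fail an allow-list (next unless $name =~ /^[\w.\-]+$/;) is simpler to reason about and avoids emitting a hidden field for a parameter that was never sent.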
Patch for TWiki-4.1.2
Affected file: twiki/lib/TWiki.pm
Patch:
--- TWiki.pm.save1 2007-03-03 06:45:57.000000000 -0800
+++ TWiki.pm 2010-10-14 16:19:32.000000000 -0700
@@ -3185,6 +3185,8 @@
my @list;
foreach my $name ( $this->{cgiQuery}->param() ) {
+ # clean parameter names of illegal characters
+ $name =~ s/['"<>].*//;
# Issues multi-valued parameters as separate hiddens
my $value = $this->{cgiQuery}->param( $name );
my $entry = $format;
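Review bot: only the QUERYPARAMS loop is patched for 4.1.2, whereas the 5.0.0 and 4.3.2 patches also route the rev parameter through cleanUpRevID(); since the hotfix section lists REVTITLE, REVARG and QUERYPARAMS as fixed, state explicitly whether the 4.1.2 rev handling is unaffected or whether administrators on 4.1.2 must port that hunk by hand. The s/['"<>].*// truncation concern applies here as well, because the next line uses the truncated $name to fetch the value.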
Authors and Credits
Action Plan with Timeline
- 2010-09-24: User discloses issue to TWikiSecurityMailingList (Douhine Davy)
- 2010-09-24: Developer verifies issue (Peter Thoeny)
- 2010-09-26: Developers fix code (Peter Thoeny)
- 2010-10-09: Security team creates advisory with hotfix (Peter Thoeny)
- 2010-10-12: Send alert to TWikiAnnounceMailingList and TWikiDevMailingList (Peter Thoeny)
- 2010-10-14: Publish advisory in Codev web and update all related topics (Peter Thoeny)
- 2010-10-14: Issue a public security advisory to full-disclosure@lists.netsys.com, cert@cert.org, vuln@secunia.com, bugs@securitytracker.com (Peter Thoeny)
External Links
--
PeterThoeny - 2010-10-14
Discussions