Tags:
create new tag
, view all tags

Security Alert CVE-2010-3841: XSS Vulnerability with rev parameter & login script

ALERT! Get Alerted: To get immediate alerts of high priority security issues, please join the low-volume twiki-announce list - details at TWikiAnnounceMailingList

This advisory alerts you of two potential security issues with your TWiki installation: 1. The rev parameter to the view script may expose a cross-site scripting (XSS) vulnerability. 2. The login script may expose a cross-site scripting vulnerability.

Vulnerable Software Version

Attack Vectors

Attack can be done by viewing wiki pages or by logging in by issuing HTTP GET requests towards the TWiki server (usually port 80/TCP).

Impact

Specially crafted parameters open up XSS (Cross-site request forgery) attacks.

Severity Level

The TWiki SecurityTeam triaged this issue as documented in TWikiSecurityAlertProcess and assigned the following severity level:

  • Severity 3 issue: TWiki content or browser is compromised.

MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name CVE-2010-3841 to this vulnerability.

Details

A malicious person can use specially crafted URL parameters to TWiki view and login scripts that execute arbitrary Javascript code in the browser. Examples:

1. Specially crafted rev parameter to the view script of TWiki:

GET /twiki/bin/view?rev=%27%3E%3Cscript%3Ealert%28Hello%29%3C/script%3E

2. Specially crafted parameter to the login script of TWiki:

GET /twiki/bin/login?origurl=&ANYTHING%27%3E%3Cscript%3Ealert%28Hello%29%3C/script%3E

In both examples, TWiki decodes the URL parameter into the following Javascript code, popping up a Javascript alert box showing "Hello":

'><script>alert(Hello)</script>

Countermeasures

  • Apply hotfix (see patch below).
  • Upgrade to the latest patched production TWiki-5.0.1, TWikiRelease05x00x01.
  • Use the web server software to restrict access to the web pages served by TWiki.

Hotfix for TWiki Production Releases

It is recommended to upgrade to the latest TWiki version. If an immediate upgrade is not feasible you can apply this patch for Production Release TWiki-5.0.0, TWiki-4.3.2 and TWiki-4.1.2. There is no hotfix for earlier TWiki releases; take the hotfix as a guideline (line numbers may vary). The patch fixes TWiki variables REVTITLE, REVARG and QUERYPARAMS.

Patch for TWiki-5.0.0

Affected file: twiki/lib/TWiki.pm

Patch:

--- TWiki.pm.save0   2010-10-09 00:06:18.000000000 -0700
+++ TWiki.pm   2010-10-09 00:16:15.000000000 -0700
@@ -3820,7 +3820,7 @@
     my $request = $this->{request};
     my $out = '';
     if( $request ) {
-        my $rev = $request->param('rev');
+        my $rev = $this->{store}->cleanUpRevID( $request->param( 'rev' ) );
         $out = '(r'.$rev.')' if ($rev);
     }
     return $out;
@@ -3831,7 +3831,7 @@
     my $request = $this->{request};
     my $out = '';
     if( $request ) {
-        my $rev = $request->param('rev');
+        my $rev = $this->{store}->cleanUpRevID( $request->param( 'rev' ) );
         $out = '&rev='.$rev if ($rev);
     }
     return $out;
@@ -4022,6 +4022,8 @@
 
     my @list;
     foreach my $name ( $this->{request}->param() ) {
+        # clean parameter names of illegal characters
+        $name =~ s/['"<>].*//;
         # Issues multi-valued parameters as separate hiddens
         my $value = $this->{request}->param( $name );
         if ($encoding) {

Patch for TWiki-4.3.2

Affected file: twiki/lib/TWiki.pm

Patch:

--- TWiki.pm.save0   2009-12-23 05:12:36.000000000 -0800
+++ TWiki.pm   2010-10-14 12:47:02.000000000 -0700
@@ -3447,7 +3447,7 @@
     my $cgiQuery = $this->{cgiQuery};
     my $out = '';
     if( $cgiQuery ) {
-        my $cgiRev = $cgiQuery->param('rev');
+        my $cgiRev = $this->{store}->cleanUpRevID( $cgiQuery->param( 'rev' ) );
         $out = '(r'.$cgiRev.')' if ($cgiRev);
     }
     return $out;
@@ -3457,7 +3457,7 @@
     my $cgiQuery = $this->{cgiQuery};
     my $out = '';
     if( $cgiQuery ) {
-        my $cgiRev = $cgiQuery->param('rev');
+        my $cgiRev = $this->{store}->cleanUpRevID( $cgiQuery->param( 'rev' ) );
         $out = '&rev='.$cgiRev if ($cgiRev);
     }
     return $out;
@@ -3619,6 +3619,8 @@
 
     my @list;
     foreach my $name ( $this->{cgiQuery}->param() ) {
+        # clean parameter names of illegal characters
+        $name =~ s/['"<>].*//;
         # Issues multi-valued parameters as separate hiddens
         my $value = $this->{cgiQuery}->param( $name );
         if ($encoding) {

Patch for TWiki-4.1.2

Affected file: twiki/lib/TWiki.pm

Patch:

--- TWiki.pm.save1   2007-03-03 06:45:57.000000000 -0800
+++ TWiki.pm   2010-10-14 16:19:32.000000000 -0700
@@ -3185,6 +3185,8 @@
 
     my @list;
     foreach my $name ( $this->{cgiQuery}->param() ) {
+        # clean parameter names of illegal characters
+        $name =~ s/['"<>].*//;
         # Issues multi-valued parameters as separate hiddens
         my $value = $this->{cgiQuery}->param( $name );
         my $entry = $format;

Authors and Credits

Action Plan with Timeline

  • 2010-09-24: User discloses issue to TWikiSecurityMailingList (Douhine Davy)
  • 2010-09-24: Developer verifies issue (Peter Thoeny)
  • 2010-09-26: Developers fix code (Peter Thoeny)
  • 2010-10-09: Security team creates advisory with hotfix (Peter Thoeny)
  • 2010-10-12: Send alert to TWikiAnnounceMailingList and TWikiDevMailingList (Peter Thoeny)
  • 2010-10-14: Publish advisory in Codev web and update all related topics (Peter Thoeny)
  • 2010-10-14: Issue a public security advisory to full-disclosure@lists.netsys.com, cert@cert.org, vuln@secunia.com, bugs@securitytracker.com (Peter Thoeny)

External Links

-- PeterThoeny - 2010-10-14

Discussions

Edit | Attach | Watch | Print version | History: r11 < r10 < r9 < r8 < r7 | Backlinks | Raw View | Raw edit | More topic actions
Topic revision: r11 - 2011-05-18 - PeterThoeny
 
  • Learn about TWiki  
  • Download TWiki
This site is powered by the TWiki collaboration platform Powered by Perl Hosted by OICcam.com Ideas, requests, problems regarding TWiki? Send feedback. Ask community in the support forum.
Copyright © 1999-2015 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.