Security Alert CVE-2013-1751: TWiki MAKETEXT Variable Has Another Shell Command Execution Issue

ALERT! Get Alerted: To get immediate alerts of high priority security issues, please join the low-volume twiki-announce list - details at TWikiAnnounceMailingList

This advisory alerts you to a potential security issue with your TWiki installation: the %MAKETEXT{}% TWiki variable allows arbitrary shell command execution by way of tilde (~) characters. Only TWiki servers with localization enabled are affected. This issue is a follow-up to SecurityAlert-CVE-2012-6329 of last December.

Vulnerable Software Version

Attack Vectors

Editing wiki pages on, or sending HTTP POST requests to, a TWiki server with localization enabled (typically port 80/TCP). Prior authentication is typically required; sites that allow anonymous topic editing can be attacked without it.

Impact

A remote attacker who can edit a topic (unauthenticated where anonymous editing is allowed) can execute arbitrary shell commands as the web server user, such as user nobody.

Severity Level

The TWiki SecurityTeam triaged this issue as documented in TWikiSecurityAlertProcess and assigned the following severity level:

  • Severity 1 issue: The web server can be compromised

MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name CVE-2013-1751 to this vulnerability.

Details

Shell command execution issue: The %MAKETEXT{}% TWiki variable is used to localize user interface content to a language of choice. TWiki escapes the square brackets of Maketext bracket notation in user-supplied text, but by placing tilde (~) characters in front of the brackets a malicious user can undo that escaping, so the text reaches Perl's eval (via Locale::Maketext) without being sanitized and can run shell commands.

The original fix for this issue, reported in SecurityAlert-CVE-2012-6329, failed to eliminate one possible attack vector. This advisory applies an additional fix for the tilde-character issue.

TWiki is NOT vulnerable if the {UserInterfaceInternationalisation} configure setting is disabled, or if Locale::Maketext has been upgraded to version 1.23 or newer as advised in SecurityAlert-CVE-2012-6329.

Countermeasures

  • One of:
    • Disable localization by setting configure flag {UserInterfaceInternationalisation} to 0.
    • Apply hotfix (see patch below).
    • Upgrade to the latest patched production release TWiki-5.1.4 (TWikiRelease05x01x04).

  • In addition:
    • Install CPAN:Locale::Maketext version 1.23 or newer.
    • Use the {SafeEnvPath} configure setting to restrict the possible directories that are searched for executables. By default, this is the PATH used by the webserver user. Set {SafeEnvPath} to a list of non-writable directories, such as "/bin:/usr/bin".

Hotfix for TWiki Production Release 5.1.x

Affected file: twiki/lib/TWiki.pm

Patch to sanitize MAKETEXT parameters:

--- TWiki.pm   (revision 25065)
+++ TWiki.pm   (working copy)
@@ -4328,8 +4328,8 @@
     $str =~ s/\]/~]/g;
 
     # restore already escaped stuff:
-    $str =~ s/~~\[/~[/g;
-    $str =~ s/~~\]/~]/g;
+    $str =~ s/~~+\[/~[/g;
+    $str =~ s/~~+\]/~]/g;
 
     # unescape parameters and calculate highest parameter number:
     my $max = 0;
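Review bot: The greedy `~~+` in the two restore lines (`+    $str =~ s/~~+\[/~[/g;` and its `\]` counterpart) collapses any run of two or more tildes before a bracket into one escaped bracket, which does close the `~~[` bypass but also silently drops a legitimately escaped tilde that precedes a bracket: `~~~[` in topic text (Maketext for a literal tilde followed by a literal bracket) now renders as `[` instead of `~[`, whereas the pre-patch lines rendered it correctly. If that loss of fidelity is the intended trade-off, a comment next to the restore lines saying so would help the next reader; if not, escaping tildes (`~` to `~~`) before the bracket escaping above would remove the need for a restore step and the ambiguity with it, at the cost of showing a tilde wherever authors relied on pre-escaped brackets.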

This patch is handled at TWikibug:Item7145.

Hotfix for Older Affected TWiki Releases

Apply above patch (line numbers may vary).

Verify Hotfix

To verify the patch:

  • Add this to a topic: %MAKETEXT{"~~[quant,4, singular, plural, ~~]"}%
  • Expected output with internationalization enabled: [quant,4,singular,plural]
  • Expected output with internationalization disabled: ~[quant,4,singular,plural~]
  • Output on a vulnerable site: ~4 plural
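The following Python script is an added example and is not code from this advisory or from TWiki. It models the escape-and-restore logic of the hotfix hunk, in its pre-patch and patched forms, together with a simplified reading of Locale::Maketext bracket notation (a tilde followed by any character is that literal character; an unescaped [...] is a method call; other Maketext escapes are not modelled). It runs the probe string from the Verify Hotfix step through both versions to show why the pre-patch regex lets a [quant,...] call through and the patched one does not. The function names and the `<call:...>` marker are the example's own.

```python
import re

# Probe string from the advisory's "Verify Hotfix" step.
PROBE = "~~[quant,4, singular, plural, ~~]"


def _escape_brackets(s: str) -> str:
    """Both versions of the TWiki.pm code first escape every bracket
    (including brackets the author already escaped), which is why a
    restore step follows."""
    return s.replace("[", "~[").replace("]", "~]")


def sanitize_vulnerable(s: str) -> str:
    """Pre-patch restore: exactly two tildes before a bracket.
    An input of '~~[' becomes '~~~[' after escaping, the regex then
    matches the last '~~[' and leaves '~~[' behind: a literal tilde
    followed by an UNESCAPED bracket."""
    s = _escape_brackets(s)
    s = re.sub(r"~~\[", "~[", s)
    s = re.sub(r"~~\]", "~]", s)
    return s


def sanitize_patched(s: str) -> str:
    """Patched restore: any run of two or more tildes collapses to a
    single escaped bracket, so no unescaped bracket can survive."""
    s = _escape_brackets(s)
    s = re.sub(r"~~+\[", "~[", s)
    s = re.sub(r"~~+\]", "~]", s)
    return s


def bracket_groups(s: str):
    """Simplified model of Maketext bracket notation (example's own).
    Returns (rendered_text, list_of_method_call_bodies). A non-empty
    list means Maketext would compile and eval a method call from the
    user-controlled text."""
    out, groups = [], []
    i, n = 0, len(s)
    while i < n:
        c = s[i]
        if c == "~" and i + 1 < n:          # '~x' is a literal 'x'
            out.append(s[i + 1])
            i += 2
        elif c == "[":                      # unescaped group: method call
            j, buf = i + 1, []
            while j < n and s[j] != "]":
                if s[j] == "~" and j + 1 < n:
                    buf.append(s[j + 1])
                    j += 2
                else:
                    buf.append(s[j])
                    j += 1
            body = "".join(buf)
            groups.append(body)
            out.append("<call:%s>" % body)
            i = j + 1
        else:
            out.append(c)
            i += 1
    return "".join(out), groups


def is_exploitable(sanitizer, user_text: str) -> bool:
    """True if a method call survives sanitization of user_text."""
    return bool(bracket_groups(sanitizer(user_text))[1])


if __name__ == "__main__":
    for name, fn in (("vulnerable", sanitize_vulnerable),
                     ("patched", sanitize_patched)):
        out = fn(PROBE)
        rendered, calls = bracket_groups(out)
        print(f"{name:10s} sanitized={out!r}")
        print(f"{'':10s} rendered={rendered!r} calls={calls}")
```

With the pre-patch regex the probe comes out as `~~[quant,4, singular, plural, ~~]`, where the tilde pair is a literal tilde and the following bracket is live, matching the "~4 plural" output the advisory lists for a vulnerable site. With the patched regex the probe comes out as `~[quant,4, singular, plural, ~]`, both brackets escaped, and renders as literal text.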

Authors and Credits

Action Plan with Timeline

External Links

-- PeterThoeny - 2013-02-18

Discussions

Topic revision: r5 - 2013-02-20 - PeterThoeny