What is TWiki?
A leading open source enterprise wiki and web application platform used by 50,000 small businesses, many Fortune 500 companies, and millions of people.
Learn more.
Learn more.
Security Alert CVE-2014-9367: XSS Vulnerability with Scope and Other URL Parameters of WebSearch
 Get Alerted: |
To get immediate alerts of high priority security issues, please join the low-volume twiki-announce list - details at TWikiAnnounceMailingList |
|---|
Vulnerable Software Version
- TWiki-6.0.x (TWikiRelease06x00x00 to TWikiRelease06x00x01)
Attack Vectors
Attack can be done by viewing wiki pages or by logging in by issuing HTTP GET requests towards the TWiki server (usually port 80/TCP).Impact
Specially crafted parameters open up XSS (Cross-Site Scripting) attacks.Severity Level
The TWiki SecurityTeam triaged this issue as documented in TWikiSecurityAlertProcess and assigned the following severity level:- Severity 3 issue: TWiki content or browser is compromised.
MITRE Name for this Vulnerability
The Common Vulnerabilities and Exposures project has assigned the name CVE-2014-9367
to this vulnerability.
Details
A malicious person can use specially crafted URL parameters to TWiki's WebSearch topic that execute arbitrary JavaScript code in the browser. Examples: Specially crafted parameter to the view script of TWiki's WebSearch topic:
GET /do/view/TWiki/WebSearch?search=Search&scope='"--></style></script><script>alert('CVE-2014-9367 vulnarable!')</script>
TWiki decodes the URL parameters and pops up a JavaScript alert box showing "CVE-2014-9367 vulnarable!"
Countermeasures
- Apply hotfix (see patch below).
- Use the web server software to restrict access to the web pages served by TWiki.
Hotfix for TWiki Production Release
No TWiki patch release will be done to address this issue. Instead, apply the patches below.Patch lib/TWiki.pm
Affected file:twiki/lib/TWiki.pm
The patch removes the single quote (') from the regular expression set in sub urlEncode of TWiki.pm:
--- lib/TWiki.pm (revision 28490)
+++ lib/TWiki.pm (working copy)
@@ -3178,7 +3178,7 @@
sub urlEncode {
my $text = shift;
- $text =~ s/([^0-9a-zA-Z-_.:~!*'\/])/'%'.sprintf('%02x',ord($1))/ge;
+ $text =~ s/([^0-9a-zA-Z-_.:~!*\/])/'%'.sprintf('%02x',ord($1))/ge;
return $text;
}
Patch TWiki system topics
Affected topics:- TWiki.SearchResultsPagination - source: http://develop.twiki.org/~twiki4/cgi-bin/view/TWiki/SearchResultsPagination?raw=on
- TWiki.WebSearch - source: http://develop.twiki.org/~twiki4/cgi-bin/view/TWiki/WebSearch?raw=on
- TWiki.WebSearchAdvanced - source: http://develop.twiki.org/~twiki4/cgi-bin/view/TWiki/WebSearchAdvanced?raw=on
- Learn how to apply patches
- This issue is tracked at TWikibug:Item7595
Verify Hotfix
To verify the patch add the following parameter to TWiki's WebSearch topic:
http://twiki.example.com/do/view/TWiki/WebSearch?search=Search&scope='"--></style></script><script>alert('CVE-2014-9367 vulnarable!')
The site is vulnerable if consecutive dialog boxes are shown with text "CVE-2014-9367 vulnerable!"
Authors and Credits
- Credit to Robert Abela ( robert[at]netsparker.com) and Onur Yilmaz (onur[at]netsparker.com) for disclosing the issue to the twiki-security@listsPLEASENOSPAM.sourceforge.net mailing list.
- TWiki:Main.PeterThoeny for verifying the issue, creating a fix, and creating the patch and advisory.
Action Plan with Timeline
- 2014-12-09 - Robert Abela of Netsparker discloses issue to TWikiSecurityMailingList
- 2014-12-09 - developer verifies issue - PeterThoeny
- 2014-12-09 - developer fixes code - PeterThoeny
- 2014-12-15 - security team creates advisory with hotfix - PeterThoeny
- 2014-12-16 - send alert to TWikiAnnounceMailingList and TWikiDevMailingList - PeterThoeny
- 2014-12-18 - publish advisory in Codev web and update all related topics - PeterThoeny
- 2014-12-18 - issue a public security advisory to fulldisclosure[at]seclists.org, cert[at]cert.org, vuln[at]secunia.com, bugs[at]securitytracker.com, submissions[at]packetstormsecurity.org - PeterThoeny
External Links
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9367 - CVE on MITRE.org
Peter Thoeny - 2014-12-18
Comments
Topic revision: r4 - 2014-12-19 - PeterThoeny
Site map
Blog web
Create New Topic
Index
Search
Advanced search
My topics of interest
Changes
Major changes only
All tags
Notifications
RSS Feed
Statistics
Preferences
Community 
Readme first
Developers News
How you can help
Community roles
#twiki IRC
Lima Release
Feature Proposals
Bugs Changes
Categories 
Account 
Ideas, requests, problems regarding TWiki? Send feedback. Ask community in the support forum.Copyright © 1999-2026 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.