Security Alert: Configure script allows arbitrary shell command execution (CVE-2006-3819)
| Please join the
| To get immediate alerts of high priority security issues, please join the low-volume
twiki-announce list - details at TWikiAnnounceMailingList
This advisory alerts you of a potential security issue with your TWiki installation: Unauthorized user may execute arbitrary commands in case the TWiki configure script is not access restricted.
Vulnerable Software Version
Supply a specially crafted HTTP POST request on the TWiki configure script.
An intruder is able to execute arbitrary shell commands with the privileges of the web server process, such as user nobody. Properly configured TWiki sites with authenticated configure script are not affected.
The TWiki SecurityTeam
triaged this issue as documented in TWikiSecurityAlertProcess
and assigned the following severity level:
- Severity 1 issue: The web server can be compromised
MITRE Name for this Vulnerability
The Common Vulnerabilities and Exposures project has assigned the name CVE-2006-3819
to this vulnerability.
All TWiki 4.0.x releases have an unsafe eval in
which can be exploited to evaluate arbitrary Perl code and run arbitrary commands as the httpd user.
The exploit requires creating a special form to submits a crafted TYPEOF parameter to the configure script. Example:
<form method="post" action="/twiki/bin/configure" />
<input type="hidden" name="action" value="update" />
name="TYPEOF:);system('/bin/touch /tmp/whoops');my @a=("
<input type="submit" name="submit" value="Submit" />
This results in the following code being evaluated:
$def = defined( $TWiki::cfg);system('/usr/bin/touch /tmp/whoops');my @a=( );
As expected, the file
appears on the server. The last bit simply avoids a syntax error.
- Restrict access to the TWiki configure script.
- Apply the hotfix indicated below.
- NOTE: The hotfix is known to prevent the current attacks, but it might not be a complete fix
This section describes how to protect a TWiki installation on two levels.
- Level 1: Restrict access to the configure script
- Level 2: Hotfix download for TWiki 4.0.4
Level 1: Restrict access to the configure script
The configure script should be protected from general access. It is a tool designed for administrators only and should be restricted to invocation by them only. This is typically done by using the basic Apache authentication. The configure script cannot save any settings once the password has been saved for the first time, but the script could still be vulnerable to specially crafted field values. In addition, the script reveals many details about the webserver that should not be made public.
In order to protect TWiki's configure script you can choose between two methods:
- Limit access to specific local IP addresses.
- Limit access to a few administrator users.
The access restriction can be done using Apache http.conf files or .htaccess files.
Protection of configure using Apache config files
The example below shows the part of an example Apache config file that configures the TWiki
Allow from all
Deny from env=anonymous_spider
Options ExecCGI FollowSymLinks
# Password file for TWiki users
AuthName 'Enter your WikiName: (First name and last name, no space, no dots, capitalized, e.g. JohnSmith).'
# File to return on access control error (e.g. wrong password)
# By convention this is the TWikiRegistration page, that allows users
# to register with the TWiki. Apache requires this to be a *local* path.
ErrorDocument 401 /twiki/bin/view/TWiki/TWikiRegistration
# Limit access to configure to specific IP addresses and or users.
# Make sure configure is not open to the general public.
# The configure script is designed for administrators only.
# The script itself and the information it reveals can be abused by
# attackers if not properly protected against public access.
# Replace JohnDoe with the login name of the administrator
Deny from all
Allow from 127.0.0.1, 192.168.1.10
Require user JohnDoe
# When using Apache type login the following defines the TWiki scripts
# that makes Apache ask the browser to authenticate. It is correct that
# scripts such as view are not authenticated. (un-comment to activate)
# require valid-user
The parts that protect the configure script are:
- The AuthUserFile, AuthName and AuthType defined the type of authentication and the password file location. This is required to limit the access to specific users.
- In the FilesMatch section the
Require user JohnDoe defined who has access to the configure script.
- In the FilesMatch section the
Allow from 127.0.0.1, 192.168.1.10 limits access to these two IP addresses. Note that the first is localhost.
- In the FilesMatch section the
Satisfy Any means that either the login name or the IP address must be valid. If you only setup one of the protections you can remove this. If you want IP address match and login to be required change this to
Above Apache config example is taken from file
, located in the root of your TWiki installation after upgrading it to TWiki-4.0.4 Hotfix 2. The accumulated Hotfix 2 for TWiki-4.0.4 can be downloaded from TWiki:Codev.HotFix04x00x04x02
If you configure Apache via .htaccess files
If you configure your Apache via .htaccess files the protection method is identical to the method with config files, with these exceptions:
.htaccess file is put in the
- The same
<FilesMatch "^configure.*"> section is placed in the
<Directory> </Directory> section is not needed.
file is located in the
of your TWiki installation after upgrading it to TWiki-4.0.4 Hotfix 2. The accumulated Hotfix 2 for TWiki-4.0.4 can be downloaded from TWiki:Codev.HotFix04x00x04x02
Apache Config Generator
You can quickly create a complete Apache config file, tailored to your installation, at TWiki:TWiki.ApacheConfigGenerator
. It protects also the
script, based on your preference.
Level 2: Hotfix download for TWiki 4.0.4
An accumulated Hotfix 2 for TWiki-4.0.4 is available for download. It contains an improved version of the
script, fixing the known vulnerability. It is available at TWiki:Codev.HotFix04x00x04x02
Authors and Credits
Action Plan with Timeline
-- Contributors: KennethLavrsen
- 26 Jul 2006
Secunia picked the advisory already up from TWiki.org, one day before the planned public advisory. I therefore sent the advisory (no point in waiting any longer.)
- 28 Jul 2006
There is an exploit in the wild! An automated script has used this vulnerability to compromise my website. This particular exploit installed an FTP server and performed a DOS attack using telnet. Be aware!
- 03 Aug 2006
Thanks Kevin for the reprot. An unfortunate reality that crackers are monitoring the security advisories looking for new ways to do their dirty work. It shows how important it is to be on the TWikiAnnounceMailingList
and to fix vulnerabilities quickly. (And for the TWiki dev team to produce code without security flaws.)
- 04 Aug 2006