Security Alert: Secure webserver to prevent script execution of uploaded files (CVE-2006-3336)
Please join the twiki-announce list: To get immediate alerts of high priority security issues, please join the low-volume twiki-announce list - details at TWikiAnnounceMailingList
This advisory alerts you of a potential security issue with your TWiki installation: Unauthorized user may upload and execute arbitrary scripts such as PHP and server side include scripts.
Vulnerable Software Version
Attack Vectors
The TWiki upload filter already prevents executable scripts such as .php, .php1, .phps and .pl from potentially getting executed by appending a .txt suffix to the uploaded filename. However, PHP and some other Apache modules also accept additional file suffixes, such as .php.en, .php.1 and .php.2. TWiki does not check for these suffixes, so it is possible to upload PHP scripts with such suffixes without the .txt filename padding.
Properly configured TWiki sites that do not allow script execution in the pub directory are not affected.
Impact
Any version of TWiki since 01-Dec-2000 (and any other web based application that allows uploading of files which can be accessed directly from the webserver afterwards) is subject to attacks if the webserver has not been set up to disallow execution of scripts and programs.
Severity Level
The TWiki SecurityTeam triaged this issue as documented in TWikiSecurityAlertProcess and assigned the following severity level:
- Severity 1 issue: The web server can be compromised
MITRE Name for this Vulnerability
The Common Vulnerabilities and Exposures project has assigned the name
CVE-2006-3336 to this vulnerability.
Details
How to reproduce - PHP example
- Create a small file phpinfo.php.1 which only contains this one line script:
<? phpinfo(); ?>
- Upload this file to a TWiki topic.
- Add this text to the TWiki topic:
%ATTACHURL%/phpinfo.php.1
- Click on the link to phpinfo.php.1
- If your pub directory is not secured against running PHP scripts you will see a webpage with all sorts of details about your Apache and PHP. If your pub directory is secure you will only see <? phpinfo(); ?>
How to reproduce - Server Side Include example
- Create a small file serverside.shtml which only contains this one line script:
<!--#exec cmd="ls" -->
- Upload this file to a TWiki topic.
- Add this text to the TWiki topic:
%ATTACHURL%/serverside.shtml
- Click on the link to serverside.shtml
- If your pub directory is not secured against running SSI scripts you will see a directory listing of the files in the directory. If it is secured you will only see a blank page.
Why this succeeds
Most Linux distributions are shipped with PHP enabled. PHP is loaded as a shared object. Either in httpd.conf or a file included from httpd.conf there are at least two lines looking like this:
LoadModule php4_module modules/libphp4.so
AddType application/x-httpd-php .php
This causes any file with .php in the name to be regarded as a PHP program. Most people think the .php mapping only applies when it is the final suffix of a filename, but it turns out that any file with a filename that contains the string .php is regarded as a PHP program. The same applies to server side includes and CGI script files.
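To make the multi-extension behaviour described above concrete, here is a small model of how Apache's mod_mime assigns a content type to a name like phpinfo.php.1, and what the hotfix's pub-directory AddType line changes. This is an added illustration written for this page, not TWiki or Apache code; it assumes the simplified rule documented for mod_mime (every dot-separated extension is looked up, the rightmost registered extension sets the type, unregistered extensions such as .1 are ignored), and the sample AddType tables are constructed.

```python
"""Model of Apache mod_mime's multi-extension type lookup (added illustration,
not TWiki or Apache code).

Assumed rule, simplified from mod_mime's documented behaviour: the part of the
name after the first dot is split into extensions; each extension registered
with AddType sets the type, later registered extensions override earlier ones,
and unregistered extensions are ignored.
"""
from typing import Dict, List, Optional

# Constructed sample of a stock setup: mime.types knows .txt and .html,
# and a mod_php install adds 'AddType application/x-httpd-php .php'.
DEFAULT_TYPES: Dict[str, str] = {
    ".txt": "text/plain",
    ".html": "text/html",
    ".php": "application/x-httpd-php",
}

# The pub-directory override from this advisory's hotfix:
# AddType text/plain .html .htm .shtml .php .php3 .phtml .phtm .pl .py .cgi
PUB_OVERRIDES: Dict[str, str] = {ext: "text/plain" for ext in (
    ".html", ".htm", ".shtml", ".php", ".php3", ".phtml", ".phtm",
    ".pl", ".py", ".cgi")}


def extensions(filename: str) -> List[str]:
    """Dot-extensions of a name, e.g. 'phpinfo.php.1' -> ['.php', '.1']."""
    base = filename.rsplit("/", 1)[-1]
    parts = base.split(".")
    return ["." + p for p in parts[1:] if p]


def effective_type(filename: str, addtype: Dict[str, str]) -> Optional[str]:
    """Type Apache would assign; None means no registered extension matched."""
    result = None
    for ext in extensions(filename):
        mapped = addtype.get(ext.lower())
        if mapped is not None:
            result = mapped  # rightmost registered extension wins
    return result


def is_handed_to_php(filename: str, addtype: Dict[str, str]) -> bool:
    """True when the name would be served through the PHP engine."""
    return effective_type(filename, addtype) == "application/x-httpd-php"


def hardened(addtype: Dict[str, str]) -> Dict[str, str]:
    """Apply the hotfix's pub-directory AddType lines on top of a config."""
    return {**addtype, **PUB_OVERRIDES}


if __name__ == "__main__":
    for name in ("phpinfo.php", "phpinfo.php.1", "phpinfo.php.en",
                 "phpinfo.php.txt", "notes.txt"):
        print(f"{name:18} stock={is_handed_to_php(name, DEFAULT_TYPES)!s:5} "
              f"hardened={is_handed_to_php(name, hardened(DEFAULT_TYPES))}")
```

Two things fall out of the model: phpinfo.php.txt is not handed to PHP only because .txt is itself registered as text/plain (which is exactly the assumption the advisory states for the .txt padding), and with the hardened AddType line every listed suffix maps to text/plain regardless of what follows it, so the padding is no longer the only thing standing between an upload and execution.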
The safest thing is to completely disable the execution of any kind of script language in the pub directory tree of your TWiki. TWiki provides the upload filter which renames files with certain strings in the filename by appending .txt. This is a second-level security measure and should not be the only security measure.
The hotfix attached to this security alert contains updated sample files for both the Apache config file and the .htaccess file, which disable execution of PHP scripts, SSI scripts and CGI scripts in the pub directory.
The attached hotfix also changes the TWiki configuration so that TWiki appends .txt to the filename when you upload files that contain a string used by Apache extensions such as PHP and Python. However, this assumes that .txt is set up in Apache to be served as plain text files.
Countermeasures
- Apply the hotfix indicated below. The hotfix is only effective when both the uploadFilter and the Apache configs are secured, and it secures against execution of PHP, CGI and SSI type scripts. If you have installed other types of Apache modules that can execute files then you must ensure this is disabled in the entire pub directory tree.
- Upgrade to the latest patched production release TWikiRelease04x00x04 (TWiki-4.0.4.zip)
- Restrict access to the web pages served by TWiki.
- Check your server for intrusion by looking at already uploaded files whose names could be executable files. Look for a user called ShubaShuba already known to have attacked TWiki installations.
Hotfixes
The next sections describe:
- How to prevent script execution in the pub directory using httpd.
- How to prevent script execution in the pub directory using lighttpd.
- If you do not have access to the Apache config file, an alternative approach is described using a .htaccess file.
- A section describing how to prevent server side includes in the pub directory
- Description of the improved upload filter
- Hotfix downloads for TWiki 4 (containing all of above fixes)
- Hotfix description for earlier versions of TWiki
Preventing script execution in the pub directory using httpd config
In order to prevent execution of any kind of scripts in the pub directory, your Apache config should contain these directives:
<Directory "/home/httpd/twiki/pub">
Options None
AllowOverride None
Allow from all
# If you have PHP4 or PHP5 installed make sure the directive
# below is enabled. If you do not have PHP installed you
# will need to comment out the directive below to avoid
# errors:
php_admin_flag engine off
# If you have PHP3 installed make sure the directive below is
# enabled:
#php3_engine off
# This line will redefine the mime type for the most common
# types of scripts. It will also deliver HTML files as if
# they are text files
AddType text/plain .html .htm .shtml .php .php3 .phtml .phtm .pl .py .cgi
</Directory>
Preventing script execution in the pub directory using lighttpd.conf
In order to prevent execution of any kind of scripts in the pub directory, your lighttpd config should contain these directives:
$HTTP["url"] =~ "/twiki/pub.*\.(html|htm|shtml|php|php3|phtml|phtm|pl|py|cgi)" {
mimetype.assign = ( "" => "text/plain" )
}
In addition to this the following directives should be added to the lighttpd.conf file to explicitly restrict script execution to the twiki/bin directory.
## CGI module
#
# Note: As the scripts in the twiki/bin directory have by default no extension .pl
# the directive cgi.assign = ( "" => "" ) causes the shebang line in the
# script to be used.
#
$HTTP["url"] =~ "^/twiki/bin/" {
dir-listing.activate = "disable"
cgi.assign = ( "" => "" )
}
Preventing script execution in the pub directory using .htaccess file
When you do not have access to the Apache config files (typically with shared hosting and no root access) you control access to directories using .htaccess files. In the root of the pub directory you must put a .htaccess file with at minimum this protection:
# Sample '.htaccess' file for 'pub' subdirectory
# Allow all access
Allow from all
# Deny people from looking at the index and running SSI and CGI
Options None
# We need to protect the entire pub directory tree against any
# kind of script execution. TWiki has a renaming protection
# scheme that alters certain file names to prevent script
# execution but it may not be 100% safe only to rely on this.
# The safest protection is to disable all scripting.
# If you have PHP4 or PHP5 installed make sure the directive
# below is enabled. If you do not have PHP installed you will
# need to comment out the directive below to avoid errors:
php_flag engine off
# If you have PHP3 installed make sure the directive below is
# enabled:
#php3_engine off
# This line will redefine the mime type for the most common
# types of scripts. It will also deliver HTML files as if they
# are text files:
AddType text/plain .html .htm .shtml .php .php3 .phtml .phtm .pl .py .cgi
Preventing Server Side Includes and CGI scripts in the pub directory
Many Linux distributions are shipped with a httpd.conf that enables server side includes of files with suffix .shtml or .shtml.foo where foo can be any string.
In httpd.conf you often find settings that enable server side includes generally.
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
And similarly you may have enabled execution of CGI scripts for files with suffix .cgi and/or .pl:
AddHandler cgi-script .cgi
AddHandler cgi-script .pl
And unfortunately the example TWiki httpd config file that has been in the TWiki releases for years has shown the pub directory set up with
Options +Includes
when it should have said
Options None
so that both server side includes and CGI would be disabled in the entire pub directory.
It is important that the httpd config or .htaccess files in any TWiki installation are checked and, if needed, corrected so that server side includes are disabled. In the examples in the previous section the Options directive is shown correctly as it should be.
Renaming dangerous filenames when uploading
The attached hotfix alters the regular expression used for deciding when to append the suffix .txt to the filename of an uploaded file.
The new regex for {UploadFilter} in TWiki-4.0.x's configure is:
(?-xism:^(\.htaccess|.*\.(?i)(?:php[0-9s]?(\..*)?|[sp]htm[l]?(\..*)?|pl|py|cgi))$)
For earlier versions of TWiki, $uploadFilter in TWiki.cfg should be set to:
$uploadFilter = "^(\.htaccess|.*\.(?i)(?:php[0-9s]?(\..*)?|[sp]htm[l]?(\..*)?|pl|py|cgi))\$"
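The following added example (written for this page, not TWiki's own code) applies the {UploadFilter} regex above the way the upload path uses it, appending .txt on a match, and then reuses the same pattern for the "check your server for intrusion" countermeasure by walking an existing pub tree for attachments that slipped through without the padding. Two assumptions: the Perl pattern's mid-expression (?i) is written as a scoped (?i:...) group, which is how Python expresses the same thing, and OLD_UPLOAD_FILTER is a hypothetical stand-in for a pre-hotfix filter that only looked at the final suffix (the advisory does not print the old pattern). The pub tree scanned by demo() is constructed in a temporary directory.

```python
"""TWiki {UploadFilter} regex from this advisory, as used on upload and as a
scanner over an existing pub tree (added illustration, not TWiki code).

Assumptions: Perl's mid-pattern (?i) is rendered as Python's scoped (?i:...);
OLD_UPLOAD_FILTER is a hypothetical pre-hotfix filter for comparison only.
"""
import os
import re
import tempfile
from typing import List

# Advisory's new pattern; the case-insensitive part is scoped with (?i:...).
NEW_UPLOAD_FILTER = re.compile(
    r"^(\.htaccess|.*\.(?i:php[0-9s]?(\..*)?|[sp]htm[l]?(\..*)?|pl|py|cgi))$")

# Hypothetical pre-hotfix filter: only a trailing script suffix is caught,
# so 'phpinfo.php.1' passes through unpadded.
OLD_UPLOAD_FILTER = re.compile(
    r"^(\.htaccess|.*\.(?i:php[0-9s]?|[sp]htm[l]?|pl|py|cgi))$")


def filtered_name(filename: str, pattern=NEW_UPLOAD_FILTER) -> str:
    """Name TWiki stores the attachment under: '.txt' is appended on a match."""
    return filename + ".txt" if pattern.match(filename) else filename


def find_unpadded_scripts(pub_root: str) -> List[str]:
    """Paths under pub_root whose names the new filter would have renamed.

    Every hit is an attachment that reached disk without the '.txt' padding
    and deserves a look; already-padded names like 'script.pl.txt' do not
    match because the pattern is anchored at the end of the name.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(pub_root):
        for name in files:
            if NEW_UPLOAD_FILTER.match(name):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def demo() -> List[str]:
    """Build a constructed pub tree in a temp dir, scan it, return basenames."""
    with tempfile.TemporaryDirectory() as root:
        topic_dir = os.path.join(root, "Main", "WebHome")
        os.makedirs(topic_dir)
        # Constructed attachments: two unpadded scripts, one image, one padded
        for name in ("phpinfo.php.1", "serverside.shtml",
                     "diagram.png", "script.pl.txt"):
            open(os.path.join(topic_dir, name), "w").close()
        return [os.path.basename(p) for p in find_unpadded_scripts(root)]


if __name__ == "__main__":
    for name in ("phpinfo.php.1", "serverside.shtml", "report.PHTML.en",
                 ".htaccess", "diagram.png"):
        print(f"{name:18} old -> {filtered_name(name, OLD_UPLOAD_FILTER):24}"
              f" new -> {filtered_name(name)}")
    print("unpadded scripts in constructed pub tree:", demo())
```

Run find_unpadded_scripts against the real pub root to get the list the countermeasure asks for; the result is only as good as the regex, so a file renamed by an attacker to something the pattern does not cover will not show up, which is why the Apache-side configuration above is the primary control.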
Hotfix for TWiki 4.0.0, 4.0.1, 4.0.2 and TWiki 4.0.3
The attached hotfix updates the lib/TWiki.cfg file so that .txt gets appended when you upload the most common scripts.
It also contains the updated template files for the Apache config and .htaccess. You will however need to update the actual Apache config file or .htaccess file on your TWiki installation. When you update the Apache config files you must remember to restart the Apache server (sudo ./apachectl graceful).
Hotfix for TWiki 04-Sep-2004 and earlier
In order to protect earlier versions of TWiki do the following:
- In lib/TWiki.cfg find the setting $uploadFilter and change it to:
$uploadFilter = "^(\.htaccess|.*\.(?i)(?:php[0-9s]?(\..*)?|[sp]htm[l]?(\..*)?|pl|py|cgi))\$"
- Download the CVE-2006-3336-hotfix-twiki403.zip and use the twiki_httpd_conf.txt and pub-htaccess.txt files as a template to update your current Apache configuration.
Authors and Credits
Action Plan with Timeline
External Links
--
Contributors: PeterThoeny,
KennethLavrsen - 05 Jul 2006
Discussions