
Security Alert: Secure webserver to prevent script execution of uploaded files (CVE-2006-3336)

This advisory alerts you of a potential security issue with your TWiki installation: an unauthorized user may upload and execute arbitrary scripts, such as PHP and server-side-include scripts.

Vulnerable Software Version

Attack Vectors

The TWiki upload filter already prevents executable scripts such as .php, .php1, .phps and .pl from being executed by appending a .txt suffix to the uploaded filename. However, PHP and some other handlers accept additional file suffixes, such as .php.en, .php.1 and .php.2. TWiki does not check for these suffixes, i.e. it is possible to upload PHP scripts with such suffixes without the .txt filename padding.

Properly configured TWiki sites that do not allow script execution in the pub directory are not affected.

Impact

Any version of TWiki since 01-Dec-2000 (and any other web-based application that allows uploading of files which can be accessed directly from the webserver afterwards) is subject to attack if the webserver has not been set up to disallow execution of scripts and programs in the upload directory.

Severity Level

The TWiki SecurityTeam triaged this issue as documented in TWikiSecurityAlertProcess and assigned the following severity level:

  • Severity 1 issue: The web server can be compromised

MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name CVE-2006-3336 to this vulnerability.

Details

How to reproduce - PHP example

  • Create a small file phpinfo.php.1 which only contains this one line script:
    <? phpinfo(); ?>
  • Upload this file to a TWiki topic.
  • Add this text to the TWiki topic:
    %ATTACHURL%/phpinfo.php.1
  • Click on the link to phpinfo.php.1
  • If your pub directory is not secured against running PHP scripts you will see a web page with all sorts of details about your Apache and PHP installation. If your pub directory is secure you will only see <? phpinfo(); ?>

How to reproduce - Server Side Include example

  • Create a small file serverside.shtml which only contains this one line script:
    <!--#exec cmd="ls" -->
  • Upload this file to a TWiki topic.
  • Add this text to the TWiki topic:
    %ATTACHURL%/serverside.shtml
  • Click on the link to serverside.shtml
  • If your pub directory is not secured against running SSI scripts you will see a listing of the files in the directory. If it is safe you will only see a blank page.

Why this succeeds

Most Linux distributions ship with PHP enabled. PHP is loaded as a shared object: either in httpd.conf or in a file included from httpd.conf there are at least two lines looking like this:

LoadModule php4_module modules/libphp4.so 
AddType application/x-httpd-php .php

This causes any file with .php in the name to be regarded as a PHP program. Most people think the .php mapping only applies when it is the last suffix of a filename, but Apache's mod_mime treats every dot-separated part of a filename as an extension, so any file whose name contains the string .php is regarded as a PHP program.

The same applies to server side includes and CGI script files.

The safest thing is to completely disable the execution of any kind of script language in the pub directory tree of your TWiki. TWiki provides the upload filter, which renames files with certain strings in the filename by appending .txt. This is a second-level security measure and should not be the only security measure.

The hotfix attached to this security alert contains updated sample files for both Apache config file and .htaccess file which disables execution of PHP scripts, SSI scripts and CGI scripts in the pub directory.

The hotfix attached also changes the TWiki configuration so that TWiki appends .txt to the filename when you upload files whose names contain a string used by Apache extensions such as PHP and Python. However, this assumes that .txt is set up in Apache to be served as plain text.

Countermeasures

  • Apply the hotfix indicated below. The hotfix is only effective when both the upload filter and the Apache configuration are secured. The fix secures against execution of PHP, CGI and SSI type scripts. If you have installed other types of Apache modules that can execute files, you must ensure that they are disabled in the entire pub directory tree.
  • Upgrade to the latest patched production release TWikiRelease04x00x04 (TWiki-4.0.4.zip)
  • Restrict access to the web pages served by TWiki.
  • Check your server for intrusion by inspecting already uploaded files whose names could be executable files. Look for a user called ShubaShuba, already known to have attacked TWiki installations.

Hotfixes

The next sections describe:

  • How to prevent script execution in the pub directory using httpd.
  • How to prevent script execution in the pub directory using lighttpd.
  • If you do not have access to the Apache config file, an alternative approach using a .htaccess file.
  • A section describing how to prevent server side includes in the pub directory
  • Description of the improved upload filter
  • Hotfix downloads for TWiki 4 (containing all of above fixes)
  • Hotfix description for earlier versions of TWiki

Preventing script execution in the pub directory using httpd config

In order to prevent execution of any kind of scripts in the pub directory, your Apache config should contain these directives:

<Directory "/home/httpd/twiki/pub">
  Options None
  AllowOverride None
  Allow from all

  # If you have PHP4 or PHP5 installed make sure the directive 
  # below is enabled. If you do not have PHP installed you 
  # will need to comment out the directive below to avoid 
  # errors:
  php_admin_flag engine off

  # If you have PHP3 installed make sure the directive below is 
  # enabled:
  #php3_engine off

  # This line will redefine the mime type for the most common 
  # types of scripts. It will also deliver HTML files as if 
  # they are text files
  AddType text/plain .html .htm .shtml .php .php3 .phtml .phtm .pl .py .cgi
</Directory> 

Preventing script execution in the pub directory using lighttpd.conf

In order to prevent execution of any kind of scripts in the pub directory, your lighttpd config should contain these directives:

$HTTP["url"] =~ "/twiki/pub.*\.(html|htm|shtml|php|php3|phtml|phtm|pl|py|cgi)" {
    mimetype.assign = ( "" => "text/plain" )
}

In addition to this the following directives should be added to the lighttpd.conf file to explicitly restrict script execution to the twiki/bin directory.

## CGI module
#
# Note: As the scripts in the twiki/bin directory have by default no .pl
#       extension, the directive cgi.assign = ( "" => "" ) causes the
#       shebang line in the script to be used.
#
$HTTP["url"] =~ "^/twiki/bin/" {
    dir-listing.activate = "disable"
    cgi.assign = ( "" => "" )
}

Preventing script execution in the pub directory using .htaccess file

When you do not have access to the Apache config files (typically with shared hosting and no root access) you control access to directories using .htaccess files. In the root of the pub directory you must put a .htaccess file with at least this protection:

# Sample '.htaccess' file for 'pub' subdirectory

# Allow all access
Allow from all

# Deny people from looking at the index and running SSI and CGI
Options None

# We need to protect the entire pub directory tree against any 
# kind of script execution. TWiki has a renaming protection 
# scheme that alters certain file names to prevent script 
# execution but it may not be 100% safe to rely only on this. 
# The safest protection is to disable all scripting.

# If you have PHP4 or PHP5 installed make sure the directive 
# below is enabled. If you do not have PHP installed you will 
# need to comment out the directive below to avoid errors:
php_flag engine off

# If you have PHP3 installed make sure the directive below is 
# enabled:
#php3_engine off

# This line will redefine the mime type for the most common 
# types of scripts. It will also deliver HTML files as if they 
# are text files:
AddType text/plain .html .htm .shtml .php .php3 .phtml .phtm .pl .py .cgi

Preventing Server Side Includes and CGI scripts in the pub directory

Many Linux distributions are shipped with a httpd.conf that enables server side includes of files with suffix .shtml or .shtml.foo where foo can be any string.

In httpd.conf you often find settings that enable server side includes generally.

AddType text/html .shtml
AddOutputFilter INCLUDES .shtml

Similarly, you may have enabled execution of CGI scripts for files with suffix .cgi and/or .pl:

AddHandler cgi-script .cgi
AddHandler cgi-script .pl

Unfortunately, the example TWiki httpd config file that has shipped with TWiki releases for years showed the pub directory set up with Options +Includes. It should have said Options None, so that both server side includes and CGI are disabled in the entire pub directory.

It is important that the httpd config or .htaccess files in all TWiki installations are checked and, if needed, corrected so that server side includes are disabled. In the examples in the previous section the Options directive is shown correctly.

Renaming dangerous filenames when uploading

The attached hotfix alters the regular expression used for deciding when to append the suffix .txt to the filename of an uploaded file.

The new regex for {UploadFilter} in TWiki-4.0.x's configure is:

(?-xism:^(\.htaccess|.*\.(?i)(?:php[0-9s]?(\..*)?|[sp]htm[l]?(\..*)?|pl|py|cgi))$)

For earlier versions of TWiki $uploadFilter in TWiki.cfg should be set to:

$uploadFilter = "^(\.htaccess|.*\.(?i)(?:php[0-9s]?(\..*)?|[sp]htm[l]?(\..*)?|pl|py|cgi))\$"
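As an added example (not code from the TWiki hotfix), here is the hotfixed {UploadFilter} regex translated to Python, together with a helper for the intrusion check from Countermeasures: listing attachments in an existing pub tree whose names the new filter would have renamed but which were stored without the .txt padding. The filenames and paths are constructed samples.

```python
import os
import re

# The hotfix regex. Perl's mid-pattern (?i) is written as a scoped
# (?i:...) group so only the script-suffix branch is case-insensitive,
# as in the original; the ".htaccess" branch stays case-sensitive.
UPLOAD_FILTER = re.compile(
    r"^(\.htaccess|.*\.(?i:php[0-9s]?(\..*)?|[sp]htm[l]?(\..*)?|pl|py|cgi))$"
)


def matches_upload_filter(filename):
    """True when the hotfixed upload filter treats the name as dangerous."""
    return UPLOAD_FILTER.match(filename) is not None


def stored_name(filename):
    """Name written into pub/: dangerous names get '.txt' appended."""
    return filename + ".txt" if matches_upload_filter(filename) else filename


def unpadded_script_names(paths):
    """Return the paths whose basename matches the filter but which lack the
    '.txt' padding (e.g. uploads made before the hotfix). Padded files also
    match the regex, because '.php.1.txt' still contains '.php', so the
    '.txt' suffix check is what separates them."""
    return sorted(
        p for p in paths
        if matches_upload_filter(os.path.basename(p))
        and not p.lower().endswith(".txt")
    )


def scan_pub_tree(pub_root):
    """Walk a real pub directory and apply unpadded_script_names to it."""
    paths = [os.path.join(d, f) for d, _dirs, files in os.walk(pub_root) for f in files]
    return unpadded_script_names(paths)


if __name__ == "__main__":
    # Constructed sample names, including the two from the advisory.
    for name in ["phpinfo.php.1", "serverside.shtml", "report.pdf", "Script.PHP.en"]:
        print(f"{name:18s} -> {stored_name(name)}")
```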

Hotfix for TWiki 4.0.0, 4.0.1, 4.0.2 and TWiki 4.0.3

The attached hotfix updates the lib/TWiki.cfg file so that .txt gets appended when you upload the most common script types.

It also contains the updated template files for the Apache config and .htaccess. You will however need to update the actual Apache config file or .htaccess file on your TWiki installation. When you update the Apache config files you must remember to restart the Apache server (sudo ./apachectl graceful).

Hotfix for TWiki 04-Sep-2004 and earlier

In order to protect earlier versions of TWiki, do the following:

  • In lib/TWiki.cfg find the setting $uploadFilter and change it to:
    $uploadFilter = "^(\.htaccess|.*\.(?i)(?:php[0-9s]?(\..*)?|[sp]htm[l]?(\..*)?|pl|py|cgi))\$"
  • Download the CVE-2006-3336-hotfix-twiki403.zip and use the twiki_httpd_conf.txt and pub-htaccess.txt files as a template to update your current Apache configuration.

Authors and Credits

Action Plan with Timeline

| # | Action | Date | Status | Who |
|---|--------|------|--------|-----|
| 1 | User discloses vulnerability to twiki-security | 2006-06-29 | Done | Tom McAdam |
| 2 | Developer verifies issue | 2006-07-01 | Done | PeterThoeny |
| 3 | Developer creates fix | 2006-07-03 | Done | KennethLavrsen |
| 4 | Developer creates hotfix for advisory | 2006-07-04 | Done | KennethLavrsen |
| 5 | Developer creates TWiki release 4.0.4 | 2006-07-04 | Done | KennethLavrsen |
| 6 | Send alert to TWikiAnnounceMailingList and TWikiDevMailingList | 2006-07-05 | Done | PeterThoeny |
| 7 | Publish advisory in Codev web and update all related topics | 2006-07-05 | Done | PeterThoeny |
| 8 | Release TWiki 4.0.4 on TWiki.org | 2006-07-05 | Done | KennethLavrsen |
| 9 | Issue a public security advisory (vuln@secunia.com, cert@cert.org, bugs@securitytracker.com, full-disclosure@lists.netsys.com, vulnwatch@vulnwatch.org) | 2006-07-07 | | PeterThoeny |

External Links

-- Contributors: PeterThoeny, KennethLavrsen - 05 Jul 2006

Discussions

Topic attachments

| Attachment | Size | Date | Who | Comment |
|------------|------|------|-----|---------|
| CVE-2006-3336-hotfix-twiki400.zip | 35.5 K | 2006-07-04 20:25 | UnknownUser | Hotfix for TWiki-4.0.0 |
| CVE-2006-3336-hotfix-twiki401.zip | 35.5 K | 2006-07-04 20:25 | UnknownUser | Hotfix for TWiki-4.0.1 |
| CVE-2006-3336-hotfix-twiki402.zip | 35.8 K | 2006-07-04 20:26 | UnknownUser | Hotfix for TWiki-4.0.2 |
| CVE-2006-3336-hotfix-twiki403.zip | 36.7 K | 2006-07-04 20:26 | UnknownUser | Hotfix for TWiki-4.0.3 |
Topic revision: r20 - 2008-01-20 - HenkJanEnneman