
Security Alert: Privilege elevation with crafted registration form (CVE-2006-2942)

ALERT! Please join the twiki-announce list:
To get immediate alerts of high priority security issues, please join the low-volume twiki-announce list - details at TWikiAnnounceMailingList

This advisory alerts you of a potential security issue with your TWiki 4.0 installation: Unauthorized user may gain TWiki admin group privileges with a custom registration form.

NOTE: Please review our revised TWiki security alert process, http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess

Vulnerable Software Version

Attack Vectors

TWiki's registration process can be invoked with a crafted version of the original HTML form in which the action attribute of the form element has been modified to point to the Sandbox web instead of the user web. In this case, TWiki's validation fails to correctly check whether the wikiname of the user has already been registered. The wikiname's user topic is looked for in the web as given by the action attribute instead of the user web.

An attacker can use this to register with his own login name, stealing a wiki name which has already been registered.

Impact

In a TWiki where login names are allowed, an attacker can snatch the WikiName of a known member of the TWikiAdminGroup and associate it with his own login name. After login, the attacker can act with the privileges of TWikiAdminGroup, i.e. unlimited access with regard to the TWiki topics.

Even though there is no known threat to TWiki 4 installations that have the {MapUserToWikiName} flag unchecked in configure, it is recommended that all TWiki 4 installations install this hotfix so that the registration code is clean and safe from further exploits.

Severity Level

The TWiki SecurityTeam triaged this issue as documented in TWikiSecurityAlertProcess and assigned the following severity level:

  • Severity 2 issue: The TWiki installation is compromised

MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name CVE-2006-2942 to this vulnerability.

Details

How to reproduce

Take a copy of the HTML version of TWikiRegistration, and change the action parameter in the form from ...bin/register/Main/WebHome to .../bin/register/Sandbox/WebHome. Using the modified form, register with the WikiName of a member of the TWikiAdminGroup, but provide the attacker's login name.

The registration "succeeds" to a sufficient extent: TWiki creates a new "personal homepage" for the attacker in the Sandbox web, which by itself does not matter. TWikiUsers, however, is changed and now shows the attacker's login name next to the administrator's WikiName.

Why this succeeds

During the registration process, the code "verifies" the form data and, as part of that verification, checks whether the user home page already exists. However, it does not refer explicitly to the users web when doing so. The offending line is:

    # Vulnerable: $data->{webName} comes from the form's action URL, not from the configuration.
    if($session->{store}->topicExists( $data->{webName}, $data->{WikiName} )) {

In this line, and again when creating the user home page, TWiki should under no circumstances rely on the web name supplied by the query, but always use $TWiki::cfg{UsersWebName}.
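The following is an added model of the check above (not TWiki's code): a constructed in-memory store and TWikiUsers mapping, the 4.0.0-4.0.2 check that trusts the web name parsed from the form's action URL, and the hotfix behaviour that always consults the configured users web. The store contents, the `AliceAdmin`/`mallory` names and the `wiki.example` host are constructed sample data.

```python
import re

# Constructed stand-in for $TWiki::cfg{UsersWebName}: the web holding user topics.
CFG = {"UsersWebName": "Main"}

# Constructed stand-in for $session->{store}: existing topics, keyed by web.
# AliceAdmin is an already registered member of TWikiAdminGroup in this sample.
STORE = {
    "Main": {"WebHome", "TWikiUsers", "TWikiAdminGroup", "AliceAdmin"},
    "Sandbox": {"WebHome"},
}

# Constructed stand-in for the TWikiUsers mapping: WikiName -> login name.
USERS = {"AliceAdmin": "alice"}

def topic_exists(web: str, topic: str) -> bool:
    return topic in STORE.get(web, set())

def form_data(action_url: str, wikiname: str, loginname: str) -> dict:
    """Build the data Register.pm works with: webName is taken from the form's
    action URL (.../bin/register/<web>/<topic>), so the client controls it."""
    match = re.search(r"/register/([^/]+)/", action_url)
    if not match:
        raise ValueError("action URL does not address the register script")
    return {"webName": match.group(1), "WikiName": wikiname, "LoginName": loginname}

def wikiname_is_free_vulnerable(data: dict) -> bool:
    # TWiki 4.0.0-4.0.2: the existence check uses the client-supplied web.
    return not topic_exists(data["webName"], data["WikiName"])

def wikiname_is_free_fixed(data: dict) -> bool:
    # Hotfix behaviour: the check always uses the configured users web.
    return not topic_exists(CFG["UsersWebName"], data["WikiName"])

def register(data: dict, wikiname_is_free, users=None):
    """Return the TWikiUsers mapping after this registration, or None when
    the WikiName is rejected as already taken."""
    users = dict(USERS if users is None else users)
    if not wikiname_is_free(data):
        return None
    users[data["WikiName"]] = data["LoginName"]  # mapping now points at this login
    return users

if __name__ == "__main__":
    crafted = form_data("https://wiki.example/bin/register/Sandbox/WebHome", "AliceAdmin", "mallory")
    print(register(crafted, wikiname_is_free_vulnerable))  # {'AliceAdmin': 'mallory'}
    print(register(crafted, wikiname_is_free_fixed))       # None
```

With the unmodified form (web `Main`) both versions reject the taken WikiName; only the crafted form slips past the vulnerable check and rebinds the admin's WikiName to the new login.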

Countermeasures

  • Apply hotfix
  • Upgrade to TWiki 4.0.3 (to be released in a few days)

Authors and Credits

Hotfix for TWiki 4.0.0, 4.0.1 and TWiki 4.0.2

A hotfix for all released versions of TWiki 4.0.X is attached to this security alert topic. The hotfix updates one single file: lib/TWiki/UI/Register.pm. It is provided in two formats: a patch file or a replacement Register.pm file. The patch file is the best option if you have altered the TWiki code yourself. The replacement file is the simpler choice for most: all you need to do is replace the file with the one provided.

Action Plan with Timeline

| # | Action | Date | Status | Who |
| 1 | User discloses vulnerability to twiki-security | 2006-06-09 | Done | HaraldJoerg |
| 2 | Developer verifies issue | 2006-06-09 | Done | CrawfordCurrie |
| 3 | Developer creates fix | 2006-06-09 | Done | HaraldJoerg |
| 4 | Developer creates hotfix for advisory | 2006-06-12 | Done | KennethLavrsen |
| 5 | Send alert to TWikiAnnounceMailingList and TWikiDevMailingList | 2006-06-13 | Done | PeterThoeny |
| 6 | Publish advisory in Codev web and update all related topics | 2006-06-13 | Done | PeterThoeny |
| 7 | Issue a public security advisory (vuln@secunia.com, cert@cert.org, bugs@securitytracker.com, full-disclosure@lists.netsys.com, vulnwatch@vulnwatch.org) | 2006-06-16 | Done | PeterThoeny |

External Links

-- Contributors: HaraldJoerg, CrawfordCurrie, PeterThoeny, KennethLavrsen - 13 Jun 2006

Discussions

Note: I think that it would be great to have an easy way for administrators to check if their installation is running a specific vulnerable release, like displaying a major number instead of the build date present in %WIKIVERSION% nowadays...
Anyway, at present, I see a way to check as looking at the value of %WIKIVERSION% displayed at the bottom of the TWiki.WebHome topic, which should be "Fri, 31 Mar 2006 build 9626" for TWikiRelease04x00x02 (if I got it right).

-- OlivierBerger - 13 Jun 2006

From TWiki-4.0.4 Hotfix 2 the actual version is also displayed.

-- KennethLavrsen - 27 Jul 2006

Topic attachments

| Attachment | History | Size | Date | Who | Comment |
| CVE-2006-2942-Register.pm-4.0.0-4.0.1.zip | r1 | 11.9 K | 2006-06-12 20:52 | KennethLavrsen | Replacement for lib/TWiki/UI/Register.pm in TWiki 4.0.0 and 4.0.1 |
| CVE-2006-2942-Register.pm-4.0.2.zip | r1 | 11.9 K | 2006-06-12 20:52 | KennethLavrsen | Replacement for lib/TWiki/UI/Register.pm in TWiki 4.0.2 |
| CVE-2006-2942-hotfix-4.0.0-4.0.2.diff | r1 | 3.2 K | 2006-06-12 20:50 | KennethLavrsen | Patch file for TWiki 4.0.0, 4.0.1 and 4.0.2 |
Topic revision: r14 - 2006-07-27 - KennethLavrsen