
Security Alert: TWiki Rdiff and Preview Scripts Ignore Access Control Settings (CVE-2006-1386)

ALERT! Please join the twiki-announce list: To get immediate alerts of high priority security issues, please join the low-volume twiki-announce list - details at TWikiAnnounceMailingList

This advisory alerts you of a potential security issue with your TWiki 4.0 installation: The rdiff and preview scripts ignore access control settings, allowing unauthorized users to view restricted content.

Vulnerable Software Version

Attack Vectors

By requesting a topic through the rdiff or preview script instead of the view script, it is possible to view access restricted content.

Impact

An unauthorized user can view access restricted areas and gain access to confidential content in TWiki topics.

Severity Level

The TWiki SecurityTeam triaged this issue as documented in TWikiSecurityAlertProcess and assigned the following severity level:

  • Severity 2 issue: The TWiki installation is compromised

MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name CVE-2006-1386 to this vulnerability.

Details

To reproduce the rdiff vulnerability:

Add this to an existing topic:

  • Set DENYTOPICVIEW = Main.YourWikiName

View the topic. You will be denied view. Now edit the URL and replace view with rdiff. Now you can see the most recent changes, even those done after the DENYTOPICVIEW was added.

To reproduce the preview vulnerability:

An unauthorized user can access a restricted web by using the preview script instead of the view script. Example URL to access the restricted web called Secret:

http://wiki.example.com/bin/preview/Secret/WebHome?action=foo
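The two reproduction steps above, modelled on an in-memory topic store as an added example (illustrative Python, not TWiki's Perl code): read_topic mirrors the Store::readTopic behaviour the hotfix relies on, skipping the access check when no user is passed, and the *_vulnerable and *_fixed functions show the rdiff and preview paths before and after the fix. The wiki contents, user names and function names are constructed for this example.

```python
"""Model of the TWiki 4.0 access-control gap from CVE-2006-1386.

Added illustration, not TWiki code: it reproduces the shape of the bug
(a script path that reveals topic text without checking who is asking)
and of the hotfix (every such path checks 'view' access for the user).
"""
import re

# Constructed sample wiki: web -> topic -> revisions, oldest first.
# Revision 2 of Main.Secret adds the DENYTOPICVIEW setting from the advisory.
WIKI = {
    "Main": {
        "Secret": [
            "Plain text, no restriction yet.",
            "   * Set DENYTOPICVIEW = Main.YourWikiName\nConfidential content.",
        ],
    },
}


class AccessDenied(Exception):
    pass


def denied_users(text):
    """Parse '   * Set DENYTOPICVIEW = a, b' preference lines in topic text."""
    denied = set()
    for line in text.splitlines():
        m = re.match(r"\s*\*\s*Set\s+DENYTOPICVIEW\s*=\s*(.*)", line)
        if m:
            denied.update(u.strip() for u in m.group(1).split(",") if u.strip())
    return denied


def check_access(user, web, topic):
    """Deny if the current revision lists the user in DENYTOPICVIEW."""
    if user in denied_users(WIKI[web][topic][-1]):
        raise AccessDenied(f"{user} may not view {web}.{topic}")


def read_topic(user, web, topic, rev=None):
    """Like Store::readTopic: the access check is skipped when user is None."""
    if user is not None:
        check_access(user, web, topic)
    revs = WIKI[web][topic]
    return revs[-1] if rev is None else revs[rev - 1]


def diff_lines(old, new):
    """Lines present in new but not in old (enough to show what leaks)."""
    return [l for l in new.splitlines() if l not in old.splitlines()]


# --- scripts as they behaved before the hotfix ---
def view(user, web, topic):
    return read_topic(user, web, topic)


def rdiff_vulnerable(user, web, topic):
    # Only checks that the topic exists, never who is asking, so the
    # revision that added DENYTOPICVIEW is itself shown in the diff.
    return diff_lines(read_topic(None, web, topic, 1), read_topic(None, web, topic))


def preview_vulnerable(user, web, topic):
    # readTopic( undef, ... ) bypasses the store's access check.
    return read_topic(None, web, topic)


# --- the same scripts with the hotfix applied ---
def rdiff_fixed(user, web, topic):
    check_access(user, web, topic)  # TWiki::UI::checkAccess(..., 'view', user)
    return diff_lines(read_topic(None, web, topic, 1), read_topic(None, web, topic))


def preview_fixed(user, web, topic):
    return read_topic(user, web, topic)  # readTopic( $user, ... )


def can_read(script, user, web, topic):
    """True if the script hands the user topic content, False if denied."""
    try:
        script(user, web, topic)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    for s in (view, rdiff_vulnerable, preview_vulnerable, rdiff_fixed, preview_fixed):
        print(f"{s.__name__:20s} denied user gets content: "
              f"{can_read(s, 'Main.YourWikiName', 'Main', 'Secret')}")
```

Run it and the two vulnerable paths return the restricted text for the denied user while view and both fixed paths refuse; a user not listed in DENYTOPICVIEW is served by all five.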

Countermeasures

  • Apply hotfix
  • Upgrade to TWiki 4.0.2 (to be released in a few days)

Authors and Credits

Hotfix for TWiki 4.0.0 and TWiki 4.0.1

Hotfix for rdiff script:

In file twiki/lib/TWiki/UI/RDiff.pm, find sub diff. 10 lines lower in the file you will find the following line:

    TWiki::UI::checkTopicExists( $session, $webName, $topic, 'diff' );

Add the following line immediately after it:

    TWiki::UI::checkAccess( $session, $webName, $topic, 'view', $session->{user} ); # enforce view access for the requesting user

Hotfix for preview script:

In file twiki/lib/TWiki/UI/Save.pm find the following lines:

    if( $topicExists ) {
        ( $prevMeta, $prevText ) =
          $store->readTopic( undef, $webName, $topic, undef );
        if( $prevMeta ) {
            foreach my $k ( keys %$prevMeta ) {

Change the call to 'readTopic' to:

          $store->readTopic( $user, $webName, $topic, undef ); # pass the user so the store performs the access check
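To confirm that the two hotfix edits above have actually been applied to an installation, here is an added checker (Python, not part of the advisory or of TWiki) that pattern-matches the source of RDiff.pm and Save.pm for the lines the advisory tells you to add or change. The sample fragments at the bottom are constructed to mimic the relevant lines before and after the hotfix; the install path passed to check_install is an assumption.

```python
"""Check whether the CVE-2006-1386 hotfix edits are present in a TWiki 4.0.x
install. Added helper, not TWiki code: it only looks for the checkAccess line
the advisory adds to RDiff.pm and the readTopic( $user, ...) change in Save.pm."""
import re
import sys


def rdiff_hotfixed(source):
    """RDiff.pm: in sub diff, checkAccess(... 'view' ...) must follow checkTopicExists."""
    start = source.find("sub diff")
    if start < 0:
        return False
    body = source[start:]
    exists = body.find("TWiki::UI::checkTopicExists(")
    if exists < 0:
        return False
    return re.search(r"TWiki::UI::checkAccess\(\s*\$session,[^;]*'view'", body[exists:]) is not None


def save_hotfixed(source):
    """Save.pm: the readTopic call in the $topicExists block must pass $user, not undef."""
    m = re.search(r"if\s*\(\s*\$topicExists\s*\)\s*\{(.*?)\$store->readTopic\(\s*([^,]+),",
                  source, re.S)
    if not m:
        return False
    return m.group(2).strip() != "undef"


def check_install(twiki_lib):
    """Return {relative file: True/False, or None if unreadable} for a real install
    (e.g. check_install('/var/www/twiki/lib'); path is an assumption)."""
    results = {}
    for rel, probe in (("TWiki/UI/RDiff.pm", rdiff_hotfixed),
                       ("TWiki/UI/Save.pm", save_hotfixed)):
        try:
            with open(f"{twiki_lib}/{rel}", encoding="utf-8", errors="replace") as fh:
                results[rel] = probe(fh.read())
        except OSError:
            results[rel] = None  # file missing or unreadable
    return results


# Constructed fragments mimicking the relevant lines before and after the hotfix.
RDIFF_BEFORE = """sub diff {
    # (unrelated lines omitted in this constructed sample)
    TWiki::UI::checkTopicExists( $session, $webName, $topic, 'diff' );
    my $revHigh = $query->param( 'rev1' );
}"""
RDIFF_AFTER = RDIFF_BEFORE.replace(
    "'diff' );",
    "'diff' );\n    TWiki::UI::checkAccess( $session, $webName, $topic, 'view', $session->{user} );")
SAVE_BEFORE = """    if( $topicExists ) {
        ( $prevMeta, $prevText ) =
          $store->readTopic( undef, $webName, $topic, undef );
        if( $prevMeta ) {"""
SAVE_AFTER = SAVE_BEFORE.replace("readTopic( undef,", "readTopic( $user,")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_install(sys.argv[1]))
    else:
        print({"RDiff.pm sample": rdiff_hotfixed(RDIFF_AFTER),
               "Save.pm sample": save_hotfixed(SAVE_AFTER)})
```

Invoke it with the lib directory of the installation as the only argument; a False for either file means the corresponding hotfix line is absent, and None means the file could not be read.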

Action Plan with Timeline

#   Action                                                                                                                                  Date        Status  Who
1.  User discloses rdiff issue publicly to TWiki bug tracker                                                                                2006-03-21  Done    SergejZagursky
2.  Developer verifies rdiff issue and creates a fix                                                                                        2006-03-21  Done    CrawfordCurrie
4.  Developer discloses preview issue publicly to TWiki bug tracker                                                                         2006-03-22  Done    SteffenPoulsen
5.  Developer verifies preview issue and creates a fix                                                                                      2006-03-22  Done    CrawfordCurrie
6.  Developer creates hotfix                                                                                                                2006-03-24  Done    CrawfordCurrie
7.  Send alert to TWikiAnnounceMailingList and TWikiDevMailingList                                                                          2006-03-24  Done    PeterThoeny
8.  Publish advisory in Codev web and update all related topics                                                                             2006-03-25  Done    PeterThoeny
9.  Issue a public security advisory (vuln@secunia.com, cert@cert.org, bugs@securitytracker.com, full-disclosure@lists.netsys.com, vulnwatch@vulnwatch.org)  2006-03-25  Done    PeterThoeny

Note: A silent alert was not done because the vulnerabilities were already made public in the TWiki bug database at Bugs:WebHome on 2006-03-21 and 2006-03-23, respectively.

External Links

-- Contributors: PeterThoeny, CrawfordCurrie, SteffenPoulsen, JasonHill - 24 Mar 2006

Discussions

Topic attachments

Attachment                       Revision  Size   Date              Who          Comment
CVE-2006-1386_UI_RDiff_pm.diff   r1        0.5 K  2006-03-25 07:30  PeterThoeny  Hotfix for twiki/lib/TWiki/UI/RDiff.pm, TWiki 4.0.1
CVE-2006-1386_UI_Save_pm.diff    r1        0.5 K  2006-03-25 07:31  PeterThoeny  Hotfix for twiki/lib/TWiki/UI/Save.pm, TWiki 4.0.1
Topic revision: r9 - 2006-03-30 - PeterThoeny