
Final draft of e-mail re the search security hole

This is largely based on the email that PeterThoeny sent out recently to people on TWikiInstallations and the WebNotify topics, with an update for the TWiki security email list details and SecurityTeam. It also announces the opt-in TWikiAnnounceMailingList.

Please provide feedback below (release locks asap!) and/or on TWikiIRC.

-- RichardDonkin - 25 Nov 2004

DRAFT of e-mail

   * Subject: TWiki Security Alert and TWiki Security E-mail List
   * From: TWiki Security Team <twiki-security@lists.sourceforge.net>
   * Reply-To: TWiki Announcement Feedback <twiki-announce-fbk@lists.sourceforge.net>

The following is cut & pasted into a text Template File:



Dear TWiki User,

We are emailing you about a high priority security vulnerability in 
TWiki. Known TWiki site administrators have already been alerted, and
a public security advisory has been sent out. However, we did not reach
all administrators, and we now know that some public TWiki sites have
been cracked.

We are taking the unusual step of emailing a broader TWiki audience
to alert you and to announce an improved security alert process with a
mailing list. We will only be doing this once; all future security alerts
will be sent solely to those subscribed to the new opt-in mailing list.
You have received this mail because you:

   * are a registered user at TWiki.org, or
   * requested TWiki in the past and asked in the form to be
     notified of new releases, or
   * run a public TWiki site that Google could find

If you do not use TWiki, please ignore this email. If you don't 
administer your TWiki site, or started a site now administered by 
someone else, please pass it to the current TWiki site administrator.

Even if you have fixed this vulnerability, you are strongly recommended 
to join the new low-volume security announcement email list for TWiki 
at http://lists.sourceforge.net/lists/listinfo/twiki-announce

Since this vulnerability is publicly announced and is being actively 
exploited, you are encouraged to post this to email lists that you 
think may be relevant.  The alert has been sent out on some general 
security email lists already, but without the TWiki security email 
list information.

Table of Contents:

   * Summary
   * Vulnerable Software Versions
   * Attack Vectors
   * Impact
   * Details
   * Countermeasures
   * What to do if You Think You May Have Been Cracked
   * TWiki Announce And Security Email List
   * New TWiki Release
   * Authors And Credits
   * How To Contact Us
   * Hotfix

---++ Summary

TWiki's search feature allows arbitrary shell command execution - a web 
server running TWiki can be compromised remotely.


---++ Vulnerable Software Versions

   * TWiki Production Release 01-Sep-2004 -- TWiki20040901.zip
   * TWiki Production Release 01-Feb-2003 -- TWiki20030201.zip
   * TWiki Production Release 01-Dec-2001 -- TWiki20011201.zip
   * TWiki Production Release 01-Dec-2000 -- TWiki20001201.zip
   * Subversion repository linked from
     http://twiki.org/cgi-bin/view/Codev/SubversionReadme
     (up to and including revision 3224, fixed in revision 3225)
   * All alpha and beta releases prior to 12 Nov 2004

---++ Attack Vectors

HTTP GET requests towards the Wiki server (typically port 80/TCP).
Usually, no prior authentication is necessary. Possibly also HTTP POST, 
but this is untested.


---++ Impact

A remote attacker is able to execute arbitrary shell commands with the
privileges of the web server process, such as user nobody.


---++ Details

The TWiki search function uses a user supplied search string to
compose a command line executed by the Perl backtick (``) operator.

The search string is not checked properly for shell metacharacters,
so the search function is vulnerable to search strings containing
quotes and shell commands.

An example search string would be: "test_vulnerability '; ls -la'"

If access to TWiki is not restricted by other means, attackers can
use the search function without prior authentication.

More details can be found at
http://TWiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearch
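
The pattern described in this section, next to a shell-free alternative, as an added example that is not TWiki's code and not part of the e-mail. The sub names, the use of grep with -F and the sample topic files are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Constructed sample data: two topic files in a scratch directory.
my $dir    = tempdir( CLEANUP => 1 );
my %sample = (
    'WebHome.txt' => "Welcome to the test web\n",
    'Notes.txt'   => "note about test_vulnerability '; ls -la' reports\n",
);
my @topics;
for my $name ( sort keys %sample ) {
    open( my $out, '>', "$dir/$name" ) or die "cannot write $name: $!";
    print {$out} $sample{$name};
    close $out;
    push @topics, "$dir/$name";
}

# Hypothetical reconstruction of the pattern in the Details section: the
# search string is pasted into one command line that /bin/sh would parse.
# This sub only BUILDS the string so it can be inspected; nothing runs it.
sub build_shell_command {
    my ( $search, @files ) = @_;
    return "grep -l '$search' @files";
}

# Shell-free alternative: list-form pipe open makes perl fork and exec grep
# directly, each list element arriving as exactly one argv entry, so quotes,
# backticks and $( ) in $search are ordinary pattern bytes.
sub search_topics {
    my ( $search, @files ) = @_;
    return () unless @files;
    open( my $grep, '-|', 'grep', '-l', '-F', '-e', $search, '--', @files )
        or die "cannot run grep: $!";
    chomp( my @hits = <$grep> );
    close $grep;    # grep exits 1 when nothing matches; not an error here
    return @hits;
}

my $search = "test_vulnerability '; ls -la'";    # example string from the advisory

# The quote inside the value ends the quoting the code intended.
print "as a shell line: ", build_shell_command( $search, 'Notes.txt' ), "\n";

# The same value as a single argv entry is matched literally.
print "matched: $_\n" for search_topics( $search, @topics );
```

Run as written, the second print lists only the constructed Notes.txt file, because the whole search string is treated as data to match.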


---++ Countermeasures

The main countermeasure is to apply the hotfix (see patches at end of 
this e-mail).

Temporary countermeasures if hotfix cannot be applied immediately:

   * Filter access to the web server
   * Use the web server software to restrict access to the web pages 
     served by TWiki
   * For sites accessible to search engines, use Google temporarily
     instead of normal searching, and remove execute permissions from
     the 'search' script. See details at
     http://twiki.org/cgi-bin/view/Codev/GoogleYourTWiki 


---++ What to do if You Think You May Have Been Cracked

If your TWiki site is publicly accessible (on the Internet) there is 
a risk that your site has been cracked. Visit 
http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearchHackReports
to learn how other people detected intrusions and found cracking 
attempts. 

If your TWiki site was cracked and runs on Linux kernel 2.4, you should 
also check for the installation of rootkits on your server - see 
http://www.google.com/search?hl=en&q=rootkit+detect for some links, 
e.g. http://www.chkrootkit.org/
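
One way to triage web server access logs for this issue, as an added example that is not part of the e-mail or of TWiki. It assumes Apache combined log format, a /cgi-bin/search/... URL layout and a query parameter named search; the log lines are constructed samples. Requests sent by POST do not show their parameters in an access log and are not covered.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample lines (Apache combined format, documentation addresses).
my @sample = (
    '192.0.2.10 - - [20/Nov/2004:10:01:02 +0000] "GET /cgi-bin/view/Main/WebHome HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [20/Nov/2004:10:01:09 +0000] "GET /cgi-bin/search/Main/?search=release+notes HTTP/1.1" 200 8841 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Nov/2004:10:03:44 +0000] "GET /cgi-bin/search/Main/?search=test_vulnerability%20%27%3B%20ls%20-la%27 HTTP/1.0" 200 3310 "-" "-"',
);

# Percent-decode a query string ('+' is a space in form encoding).
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr( hex($1) )/ge;
    return $s;
}

# Return { host, when, query } for a request to the search script whose
# decoded query contains a sequence the hotfix neutralises: ' ` $( or @(.
# Return nothing for every other line.
sub suspicious_search {
    my ($line) = @_;
    my ( $host, $when, $target ) =
        $line =~ m/^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+)/
        or return;
    my ( $path, $query ) = split /\?/, $target, 2;
    return unless defined $query && $path =~ m{/search(?:/|\z)};
    my $decoded = url_decode($query);
    return unless $decoded =~ m/['`]|[\$\@]\(/;
    $decoded =~ s/[^\x20-\x7e]/?/g;    # keep control bytes off the terminal
    return { host => $host, when => $when, query => $decoded };
}

# Read log files named on the command line, or the samples when none given.
my @lines = @ARGV ? <> : @sample;
for my $line (@lines) {
    my $hit = suspicious_search($line) or next;
    print "$hit->{when}  $hit->{host}  $hit->{query}\n";
}
```

A hit is a lead for manual review, not proof of compromise: an ordinary search for a phrase containing an apostrophe matches as well.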


---++ TWiki Announce And Security Email List

A new email list has been created to announce new TWiki releases and
to distribute security alerts quickly in the future. This low-volume 
list is the best way to find out about and fix any future security 
issues. It is highly recommended that TWiki site administrators sign 
up to this now at http://lists.sourceforge.net/lists/listinfo/twiki-announce
- you can find more details at 
http://twiki.org/cgi-bin/view/Codev/TWikiAnnounceMailingList

In addition, a TWiki security team has been created - any new 
vulnerability should be reported to this team, which will ensure the 
vulnerability is analysed, fixed, and patches + new releases distributed
as quickly as possible.  Please see details at 
http://twiki.org/cgi-bin/view/Codev/SecurityTeam

Our security alert process is documented at
http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess


---++ New TWiki Release

The latest TWiki Production Release 02-Sep-2004, aka CairoRelease,
is available for download. It is a major release replacing version 
01-Feb-2003 and is proof against this security hole. You can download 
the new release from http://TWiki.org/download.html - however, you 
can of course just patch your current release if you prefer.

Major changes since TWiki 01-Feb-2003 release:

   * Automatic upgrade script, and easier first-time installation
   * Attractive new skins, using a standard set of CSS classes, and
     a skin browser to help you choose
   * New easier-to-use save options
   * Many improvements to SEARCH
   * Improved support for internationalisation
   * Better topic management screens
   * More pre-installed Plugins: CommentPlugin, EditTablePlugin,
     RenderListPlugin, SlideShowPlugin, SmiliesPlugin,
     SpreadSheetPlugin, TablePlugin
   * Improved Plugins API and more Plugin callbacks
   * Better support for different authentication methods
   * Many user interface and usability improvements
   * And many, many more enhancements


---++ Authors And Credits

Martin Cleaver, Crawford Currie, Richard Donkin, Sven Dowideit, Markus 
Goetz, Sam Hasler, Joerg Hoh, Michael Holzt, Florian Laws, Colas Nahaboo,
Hans Ulrich Niedermann, Andreas Thienemann, Peter Thoeny and Florian
Weimer all contributed to this advisory.


---++ How To Contact Us

Please do not reply to this e-mail. Please contact:

   * twiki-announce-fbk@lists.sourceforge.net (TWiki Announcement
     Feedback) if you have questions regarding this security alert
   * Peter.Thoeny@attglobal.net if you have privacy questions or 
     concerns regarding this e-mail
   * http://TWiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearch
     for feedback on this vulnerability
   * twiki-security@lists.sourceforge.net if you discovered a
     vulnerability
   * http://TWiki.org/cgi-bin/view/Support if you have support questions
   * http://TWiki.org/cgi-bin/view/Codev to get involved in the community
   * irc://irc.freenode.net/twiki for realtime communication with fellow 
     TWiki users and administrators. Details at 
     http://twiki.org/cgi-bin/view/Codev/TWikiIRC

Best regards,

TWiki Security Team

---++ Hotfix

----------------------------------------------------------------------------
Patch for twiki/lib/TWiki/Search.pm of TWiki Production Release 01-Sep-2004:
----------------------------------------------------------------------------

*** TWiki20040901/Search.pm  2004-11-12 11:54:47.000000000 -0800
--- ./Search.pm 2004-11-12 12:08:29.000000000 -0800
***************
*** 434,439 ****
--- 434,446 ----
      my $tempVal = "";
      my $tmpl = "";
      my $topicCount = 0; # JohnTalintyre
+
+     # fix for Codev.SecurityAlertExecuteCommandsWithSearch
+     # vulnerability, search: "test_vulnerability '; ls -la'"
+     $theSearchVal =~ s/(^|[^\\])([\'\`])/\\$2/g;    # Escape ' and `
+     $theSearchVal =~ s/[\@\$]\(/$1\\\(/g;           # Defuse @( ... ) and $( ... )
+     $theSearchVal = substr($theSearchVal, 0, 1500); # Limit string length
+
      my $originalSearch = $theSearchVal;
      my $renameTopic;
      my $renameWeb = "";
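
Review bot: The quote-escaping substitution captures the character in front of the quote as $1, but the replacement is only \\$2, so that character is deleted from the search string: a search for it's becomes i\'s. Because the match also consumes that preceding character, a quote that directly follows another quote is never tested and passes through unescaped. A lookbehind form such as s/(?<!\\)(['`])/\\$1/g keeps the preceding character and tests every quote.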

----------------------------------------------------------------------------
Patch for twiki/lib/TWiki/Search.pm of TWiki Production Release 01-Feb-2003:
----------------------------------------------------------------------------

*** TWiki20030201/Search.pm     2004-11-12 12:11:52.000000000 -0800
--- ./Search.pm 2004-11-12 12:12:20.000000000 -0800
***************
*** 135,140 ****
--- 135,147 ----
      my $tempVal = "";
      my $tmpl = "";
      my $topicCount = 0; # JohnTalintyre
+
+     # fix for Codev.SecurityAlertExecuteCommandsWithSearch
+     # vulnerability, search: "test_vulnerability '; ls -la'"
+     $theSearchVal =~ s/(^|[^\\])([\'\`])/\\$2/g;    # Escape ' and `
+     $theSearchVal =~ s/[\@\$]\(/$1\\\(/g;           # Defuse @( ... ) and $( ... )
+     $theSearchVal = substr($theSearchVal, 0, 1500); # Limit string length
+
      my $originalSearch = $theSearchVal;
      my $renameTopic;
      my $renameWeb = "";
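
Review bot: In the second substitution the replacement uses $1, but the pattern [\@\$]\( contains no capture group, so $1 is not set by this match and the @ or $ is dropped instead of preserved. If the intent is to keep the sigil and escape only the parenthesis, capture it: s/([\@\$])\(/$1\\(/g. If dropping it is intended, remove $1 from the replacement and say so in the comment.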

----------------------------------------------------------------------------
Patch for twiki/lib/TWiki/Search.pm of TWiki Production Release 01-Dec-2001:
----------------------------------------------------------------------------

*** TWiki20011201/Search.pm     2004-11-12 12:15:55.000000000 -0800
--- ./Search.pm 2004-11-12 12:16:45.000000000 -0800
***************
*** 133,138 ****
--- 133,145 ----
      my $tempVal = "";
      my $tmpl = "";
      my $topicCount = 0; # JohnTalintyre
+
+     # fix for Codev.SecurityAlertExecuteCommandsWithSearch
+     # vulnerability, search: "test_vulnerability '; ls -la'"
+     $theSearchVal =~ s/(^|[^\\])([\'\`])/\\$2/g;    # Escape ' and `
+     $theSearchVal =~ s/[\@\$]\(/$1\\\(/g;           # Defuse @( ... ) and $( ... )
+     $theSearchVal = substr($theSearchVal, 0, 1500); # Limit string length
+
      my $originalSearch = $theSearchVal;
      my $renameTopic;
      my $renameWeb = "";
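
Review bot: The substr() length limit runs after the two escaping substitutions, so a cut at character 1500 can fall between an inserted backslash and the character it escapes, leaving the value ending in a lone backslash. Truncate first and escape afterwards, so the limit applies to the user's input and every escape pair stays intact. The value 1500 is also unexplained; a comment stating which limit it protects would help.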

--------------------------------------------------------------------------
Patch for twiki/bin/wikisearch.pm of TWiki Production Release 01-Dec-2000:
--------------------------------------------------------------------------

*** TWiki20001201/wikisearch.pm 2004-11-12 12:18:55.000000000 -0800
--- ./wikisearch.pm     2004-11-12 12:23:07.000000000 -0800
***************
*** 117,122 ****
--- 117,129 ----

      my $tempVal = "";
      my $tmpl = "";
+
+     # fix for Codev.SecurityAlertExecuteCommandsWithSearch
+     # vulnerability, search: "test_vulnerability '; ls -la'"
+     $theSearchVal =~ s/(^|[^\\])([\'\`])/\\$2/g;    # Escape ' and `
+     $theSearchVal =~ s/[\@\$]\(/$1\\\(/g;           # Defuse @( ... ) and $( ... )
+     $theSearchVal = substr($theSearchVal, 0, 1500); # Limit string length
+
      if( $doBookView ) {
          $tmpl = readTemplate( "searchbookview" );
      } else {
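
Review bot: The added lines escape only ', `, @( and $( in $theSearchVal, and this hunk does not show how the value is later quoted on the command line, so it cannot be confirmed from the patch that other shell metacharacters stay inert. Escaping a fixed list of characters is fragile; handing the search string to the search program as a separate argument without a shell (list-form open or exec) would remove the dependency on quoting altogether. At minimum, the comment should state which quoting context the escaping assumes.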

------------------------------------------------------------------------
End patches
------------------------------------------------------------------------

Feedback

I've updated the email to point to the new TWikiAnnounceMailingList and SecurityTeam pages, and to point to GoogleYourTWiki and some rootkit detection links.

-- RD

I did some editing, it is not finalized yet.

What should the "From" address be?

-- PeterThoeny - 27 Nov 2004

The hole was left by the development team. The mail is coming from the development team. The development team needs to know what responses are received. So the mail should be From: the TWiki Development Team.

It would be really good if people could subscribe to the security mailing list just by "reply"ing to this mail.

-- CrawfordCurrie - 27 Nov 2004

I think the From address should be the security team (SecurityTeam) email address - the core team is not all the developers, and the core team email list is not open to outside emails anyway. I believe the security team address is going to be twiki-security@lists... It would be better as security at twiki.org but we probably can't do that with current hosting.

Note that we should have finalised the security team's name and URL before we send this email, though if that's not ready we should send it anyway.

Given the way the email list is set up, replying to the email is not enough to subscribe (unless we make the From address twiki-announce-request@...). However, we should include a direct URL to the Mailman signup page, which I've done above, to reduce the number of steps to sign up. The TWikiAnnounceMailingList link is in the main email list section as well.

I've also left off full stops (periods) from the end of URLs even where this is not good grammar...

-- RichardDonkin - 27 Nov 2004

right now the emails are from TWiki Security List <twiki-security@lists.sourceforge.net>, and there's a reply to TWiki Security List <twiki-security@lists.sourceforge.net>.

-- SvenDowideit - 27 Nov 2004

I've run this past SpamAssassin 2.63 and have fixed two issues that might have got this filtered - the :8181 port on the SVN URL (relocated to top SubversionReadme), and the reference to 'one time mailing' (reworded to 'exceptional alert'). No SpamAssassin rules are triggered, and the Bayesian score is highly non-spam.

For spam testing only, I will send out this draft to the CoreTeam and a few developers. Can anyone with different spam filters please test this themselves?

-- RichardDonkin - 27 Nov 2004

Shouldn't the affected release also state "All alpha and beta releases prior to CairoRelease" ?

-- RafaelAlvarez - 27 Nov 2004

Probably should, though really it's all alphas and betas up to a specific date - i.e. the first beta post Cairo was end Oct and would also be vulnerable. If you can specify a date then we could add it at end of the list.

-- RichardDonkin - 27 Nov 2004

I reverted the "exceptional" back to "one-time". Reason: People are very concerned about spam. The "one-time mailing" indicates what it is.

Also, not sure if it is a good idea to use the security team as "reply to". Keep in mind that there will be many bounces because of invalid or rejected e-mail addresses. To give a figure, 10% of 30K means 3000 bounces. How about a noreply@twiki.org and indicate in the text how to reply?

I feel strongly that the mailer should be plain text only. The e-mail is large enough already; we do not have structure that requires HTML; we can avoid broken links (as happened in test runs)

-- PeterThoeny - 27 Nov 2004

I created twiki-security@listsPLEASENOSPAM.sourceforge.net, it will take a few hours to be activated.

-- PeterThoeny - 27 Nov 2004

I agree with Peter: This should be a text-only mail.

As for the betas, what about adding "all alpha and beta releases prior to 2004-11-12"

-- RafaelAlvarez - 27 Nov 2004

Added alpha and beta note.

Removed upper-case headings to reduce the chance that the alert gets spam trapped.

We only need to decide on the reply address, then we are ready to go.

-- PeterThoeny - 27 Nov 2004

added TWikiIRC to the contact list as we've already helped out several people there with security questions

-- WillNorris - 27 Nov 2004

I prefer for us to get the 3000 bounces rather than have one person hit replyto, and not get their information to us.

This is in the context that 3000 emails is fewer emails than I get to my home address in a day, so it's not going to change anything for me :-) - to limit the problems, I could be the one to remain subscribed there, and we could turn off the logging.

quite agree about the HTML, forgot to look at the size..

-- SvenDowideit - 27 Nov 2004

I created a noreply@ntwiki.ethermage.net alias on the ntwiki server. We can use that. It will go to an account on that server. Or, shall we call the alias announce-feedback@ntwiki.ethermage.net? But that means we need to take actions on real replies. Sven, shall I forward the e-mail to you as well?

-- PeterThoeny - 27 Nov 2004

I think noreply is probably better - we could invite comments on the alert page perhaps?

Also, re the 'one-time' revert - if you keep this exact wording, you will find SpamAssassin gives a 2.6 score for spamminess (5.0 is normally the threshold for spam, and ISPs can customise scores). Rewording this in some other way in both places is best, e.g. 'once only' or exceptional or whatever - that's why I made the change after sending a lot of test emails through SpamAssassin. SpamAssassin is used by a lot of ISPs so the wrong wording may have an effect on how many emails get through. Spammers often use the 'one-time' wording which is why it scores so high.

-- RichardDonkin - 27 Nov 2004

Good points Richard. Changed accordingly.

-- PeterThoeny - 27 Nov 2004

I didn't think once only fitted very well into that first sentence so I changed the wording. I like the new wording for the following three reasons (Sorry, I've been watching far too many Sports Night re-runs):

  1. It emphasises the one time nature of the mail twice.
  2. It also emphasises the opt-in nature of the new mailing list and the need to subscribe.
  3. It uses a semi-colon :-) (thanks Will)

-- SamHasler - 28 Nov 2004

Thanks Sam.

After discussing with the core-team, I created a new list, twiki-announce-fbk@lists.sourceforge.net, that people can use to send feedback, and machines to send bounces.

-- PeterThoeny - 28 Nov 2004

Fixed typo in 'recieved' and other minor typos, changed From text to 'TWiki Security Team' and spam tested.

Result from SpamAssassin is a low score of 0.2, which is fine, and Bayes score is low for those sites that enable this.

X-Spam-Report: 
   *  0.2 OPT_IN BODY: Talks about opting in (lowercase version)

-- RichardDonkin - 28 Nov 2004

Thanks Richard!

I separated out the feedback address (for questions regarding this security alert) and my address (for privacy questions/concerns). This makes it more personal.

We are ready to go.

-- PeterThoeny - 28 Nov 2004

This email went out on 28 Nov to many thousands of people who have provided email addresses on TWiki.org or were running Google-accessible TWiki sites. We now have over 300 members of the TWikiAnnounceMailingList, largely as a result of this email.

-- RichardDonkin - 29 Nov 2004

Topic revision: r31 - 2004-11-29 - RichardDonkin
 