Final draft of e-mail re the search security hole
This is largely based on the email that
PeterThoeny sent out recently to people on
TWikiInstallations and the WebNotify topics, with an update for the TWiki security email list details and
SecurityTeam. It also announces the opt-in
TWikiAnnounceMailingList.
Please provide feedback below (release locks asap!) and/or on
TWikiIRC.
--
RichardDonkin - 25 Nov 2004
DRAFT of e-mail
* Subject: TWiki Security Alert and TWiki Security E-mail List
* From: TWiki Security Team <twiki-security@lists.sourceforge.net>
* Reply-To: TWiki Announcement Feedback <twiki-announce-fbk@lists.sourceforge.net>
The following is cut & pasted into a text template file.
Dear TWiki User,
We are emailing you about a high priority security vulnerability in
TWiki. Known TWiki site administrators have already been alerted, and
a public security advisory has been sent out. However, we did not reach
all administrators, and we now know that some public TWiki sites have
been cracked.
We are taking the unusual step of emailing a broader TWiki audience
to alert you and to announce an improved security alert process with a
mailing list. We will only be doing this once; all future security alerts
will be sent solely to those subscribed to the new opt-in mailing list.
You have received this mail because you:
* are a registered user at TWiki.org, or
* requested TWiki in the past and asked in the form to be
notified of new releases, or
* run a public TWiki site that Google could find
If you do not use TWiki, please ignore this email. If you don't
administer your TWiki site, or started a site now administered by
someone else, please pass it to the current TWiki site administrator.
Even if you have fixed this vulnerability, you are strongly recommended
to join the new low-volume security announcement email list for TWiki
at http://lists.sourceforge.net/lists/listinfo/twiki-announce
Since this vulnerability is publicly announced and is being actively
exploited, you are encouraged to post this to email lists that you
think may be relevant. The alert has been sent out on some general
security email lists already, but without the TWiki security email
list information.
Table of Contents:
* Summary
* Vulnerable Software Versions
* Attack Vectors
* Impact
* Details
* Countermeasures
* What to do if You Think You May Have Been Cracked
* TWiki Announce And Security Email List
* New TWiki Release
* Authors And Credits
* How To Contact Us
* Hotfix
---++ Summary
TWiki's search feature allows arbitrary shell command execution - a web
server running TWiki can be compromised remotely.
---++ Vulnerable Software Versions
* TWiki Production Release 01-Sep-2004 -- TWiki20040901.zip
* TWiki Production Release 01-Feb-2003 -- TWiki20030201.zip
* TWiki Production Release 01-Dec-2001 -- TWiki20011201.zip
* TWiki Production Release 01-Dec-2000 -- TWiki20001201.zip
* Subversion repository linked from
http://twiki.org/cgi-bin/view/Codev/SubversionReadme
(up to and including revision 3224, fixed in revision 3225)
* All alpha and beta releases prior to 12 Nov 2004
---++ Attack Vectors
HTTP GET requests towards the Wiki server (typically port 80/TCP).
Usually, no prior authentication is necessary. Possibly also HTTP POST,
but this is untested.
---++ Impact
A remote attacker is able to execute arbitrary shell commands with the
privileges of the web server process, such as user nobody.
---++ Details
The TWiki search function uses a user supplied search string to
compose a command line executed by the Perl backtick (``) operator.
The search string is not checked properly for shell metacharacters
and is thus vulnerable to a search string containing quotes and shell
commands.
An example search string would be: "test_vulnerability '; ls -la'"
If access to TWiki is not restricted by other means, attackers can
use the search function without prior authentication.
More details can be found at
http://TWiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearch
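As an added illustration (not code from TWiki or from this advisory), the following Perl puts the construction described above next to a form that never lets the shell parse the search value: grep is started through the list form of open(), so the whole value travels as a single argv element. The temporary files, their contents and the sub names are constructed for the demo.

```perl
#!/usr/bin/perl
# Added example, not TWiki code: the search value interpolated into a shell
# command (the bug the advisory describes) next to a list-form invocation of
# grep that passes the value as one argv element. File names, contents and
# sub names are constructed for this demo.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Vulnerable shape: the raw search value is dropped into a command line that
# would then be run with backticks. Returned as a string and never executed,
# so the reader can see exactly what /bin/sh would be asked to parse.
sub vulnerable_command_line {
    my ($search, @files) = @_;
    return "grep -il '$search' @files";
}

# Hardened shape: the multi-argument form of open() runs grep directly, with
# no shell in between. Quotes, ';' and backticks inside $search reach grep
# as ordinary pattern characters.
sub safe_search {
    my ($search, @files) = @_;
    open(my $fh, '-|', 'grep', '-il', '--', $search, @files)
        or die "cannot run grep: $!";
    chomp(my @hits = <$fh>);
    close($fh);    # grep exits 1 when nothing matches; not an error here
    return @hits;
}

# Two constructed topic files to search.
my $dir = tempdir(CLEANUP => 1);
my %topics = (WebHome => "nothing to see\n", TestTopic => "test_vulnerability sample\n");
for my $name (keys %topics) {
    open(my $out, '>', "$dir/$name.txt") or die "cannot write: $!";
    print $out $topics{$name};
    close($out);
}
my @files = sort glob("$dir/*.txt");

my $payload = "test_vulnerability '; ls -la'";    # the advisory's example string
print "shell would parse: ", vulnerable_command_line($payload, @files), "\n";
# The payload's first quote closes the single-quoted argument, so the shell
# would treat what follows as a second command. Only printed, never run.

my @hits = safe_search($payload, @files);
print "list-form grep matched ", scalar(@hits), " file(s)\n";    # 0: pattern taken literally

my @plain = safe_search('test_vulnerability', @files);
print "plain search matched ", scalar(@plain), " file(s)\n";     # 1: TestTopic.txt
```

The list form is the fix that does not depend on getting an escaping regex right; the hotfix patches at the end of this e-mail take the escaping route instead.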
---++ Countermeasures
The main countermeasure is to apply the hotfix (see patches at end of
this e-mail).
Temporary countermeasures if hotfix cannot be applied immediately:
* Filter access to the web server
* Use the web server software to restrict access to the web pages
served by TWiki
* For sites accessible to search engines, use Google temporarily
instead of normal searching, and remove execute permissions from
the 'search' script. See details at
http://twiki.org/cgi-bin/view/Codev/GoogleYourTWiki
---++ What to do if You Think You May Have Been Cracked
If your TWiki site is publicly accessible (on the Internet) there is
a risk that your site has been cracked. Visit
http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearchHackReports
to learn how other people detected intrusions and found cracking
attempts.
If your TWiki site was cracked and runs on Linux kernel 2.4, you should
also check for the installation of rootkits on your server - see
http://www.google.com/search?hl=en&q=rootkit+detect for some links,
e.g. http://www.chkrootkit.org/
---++ TWiki Announce And Security Email List
A new email list has been created to announce new TWiki releases and
to distribute security alerts quickly in the future. This low-volume
list is the best way to find out about and fix any future security
issues. It is highly recommended that TWiki site administrators sign
up to this now at http://lists.sourceforge.net/lists/listinfo/twiki-announce
- you can find more details at
http://twiki.org/cgi-bin/view/Codev/TWikiAnnounceMailingList
In addition, a TWiki security team has been created - any new
vulnerability should be reported to this team, which will ensure the
vulnerability is analysed, fixed, and patches + new releases distributed
as quickly as possible. Please see details at
http://twiki.org/cgi-bin/view/Codev/SecurityTeam
Our security alert process is documented at
http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess
---++ New TWiki Release
The latest TWiki Production Release 02-Sep-2004, aka CairoRelease,
is available for download. It is a major release replacing version
01-Feb-2003 and is proof against this security hole. You can download
the new release from http://TWiki.org/download.html - however, you
can of course just patch your current release if you prefer.
Major changes since TWiki 01-Feb-2003 release:
* Automatic upgrade script, and easier first-time installation
* Attractive new skins, using a standard set of CSS classes, and
a skin browser to help you choose
* New easier-to-use save options
* Many improvements to SEARCH
* Improved support for internationalisation
* Better topic management screens
* More pre-installed Plugins: CommentPlugin, EditTablePlugin,
RenderListPlugin, SlideShowPlugin, SmiliesPlugin,
SpreadSheetPlugin, TablePlugin
* Improved Plugins API and more Plugin callbacks
* Better support for different authentication methods
* Many user interface and usability improvements
* And many, many more enhancements
---++ Authors And Credits
Martin Cleaver, Crawford Currie, Richard Donkin, Sven Dowideit, Markus
Goetz, Sam Hasler, Joerg Hoh, Michael Holzt, Florian Laws, Colas Nahaboo,
Hans Ulrich Niedermann, Andreas Thienemann, Peter Thoeny and Florian
Weimer all contributed to this advisory.
---++ How To Contact Us
Please do not reply to this e-mail. Please contact:
* twiki-announce-fbk@lists.sourceforge.net (TWiki Announcement
Feedback) if you have questions regarding this security alert
* Peter.Thoeny@attglobal.net if you have privacy questions or
concerns regarding this e-mail
* http://TWiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearch
for feedback on this vulnerability
* twiki-security@lists.sourceforge.net if you discovered a
vulnerability
* http://TWiki.org/cgi-bin/view/Support if you have support questions
* http://TWiki.org/cgi-bin/view/Codev to get involved in the community
* irc://irc.freenode.net/twiki for realtime communication with fellow
TWiki users and administrators. Details at
http://twiki.org/cgi-bin/view/Codev/TWikiIRC
Best regards,
TWiki Security Team
---++ Hotfix
----------------------------------------------------------------------------
Patch for twiki/lib/TWiki/Search.pm of TWiki Production Release 01-Sep-2004:
----------------------------------------------------------------------------
*** TWiki20040901/Search.pm 2004-11-12 11:54:47.000000000 -0800
--- ./Search.pm 2004-11-12 12:08:29.000000000 -0800
***************
*** 434,439 ****
--- 434,446 ----
my $tempVal = "";
my $tmpl = "";
my $topicCount = 0; # JohnTalintyre
+
+ # fix for Codev.SecurityAlertExecuteCommandsWithSearch
+ # vulnerability, search: "test_vulnerability '; ls -la'"
+ $theSearchVal =~ s/(^|[^\\])([\'\`])/\\$2/g; # Escape ' and `
+ $theSearchVal =~ s/[\@\$]\(/$1\\\(/g; # Defuse @( ... ) and $( ... )
+ $theSearchVal = substr($theSearchVal, 0, 1500); # Limit string length
+
my $originalSearch = $theSearchVal;
my $renameTopic;
my $renameWeb = "";
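Review bot: the first substitution, "$theSearchVal =~ s/(^|[^\\])([\'\`])/\\$2/g;", loses a character: the character before the quote is captured as $1, but the replacement "\\$2" never puts it back, so a value such as ab'c becomes a\'c instead of ab\'c (and any character before a quote, including a space, disappears from the search). The replacement should read "$1\\$2". More broadly, this is a denylist applied to a value that is still handed to the shell through backticks; the durable fix is to keep the shell out of the picture, for example by running grep through the list form of open() or system() so the search value is passed as a single argv element.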
----------------------------------------------------------------------------
Patch for twiki/lib/TWiki/Search.pm of TWiki Production Release 01-Feb-2003:
----------------------------------------------------------------------------
*** TWiki20030201/Search.pm 2004-11-12 12:11:52.000000000 -0800
--- ./Search.pm 2004-11-12 12:12:20.000000000 -0800
***************
*** 135,140 ****
--- 135,147 ----
my $tempVal = "";
my $tmpl = "";
my $topicCount = 0; # JohnTalintyre
+
+ # fix for Codev.SecurityAlertExecuteCommandsWithSearch
+ # vulnerability, search: "test_vulnerability '; ls -la'"
+ $theSearchVal =~ s/(^|[^\\])([\'\`])/\\$2/g; # Escape ' and `
+ $theSearchVal =~ s/[\@\$]\(/$1\\\(/g; # Defuse @( ... ) and $( ... )
+ $theSearchVal = substr($theSearchVal, 0, 1500); # Limit string length
+
my $originalSearch = $theSearchVal;
my $renameTopic;
my $renameWeb = "";
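Review bot: in the second substitution, "$theSearchVal =~ s/[\@\$]\(/$1\\\(/g;", the pattern has no capturing group, so $1 in the replacement is undefined (and emits an "uninitialized value" warning under -w). The net effect is that "@(" or "$(" becomes "\(", silently dropping the sigil rather than escaping the construct. If the intent is to keep the sigil and defuse the parenthesis, capture it: "s/([\@\$])\(/$1\\(/g".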
----------------------------------------------------------------------------
Patch for twiki/lib/TWiki/Search.pm of TWiki Production Release 01-Dec-2001:
----------------------------------------------------------------------------
*** TWiki20011201/Search.pm 2004-11-12 12:15:55.000000000 -0800
--- ./Search.pm 2004-11-12 12:16:45.000000000 -0800
***************
*** 133,138 ****
--- 133,145 ----
my $tempVal = "";
my $tmpl = "";
my $topicCount = 0; # JohnTalintyre
+
+ # fix for Codev.SecurityAlertExecuteCommandsWithSearch
+ # vulnerability, search: "test_vulnerability '; ls -la'"
+ $theSearchVal =~ s/(^|[^\\])([\'\`])/\\$2/g; # Escape ' and `
+ $theSearchVal =~ s/[\@\$]\(/$1\\\(/g; # Defuse @( ... ) and $( ... )
+ $theSearchVal = substr($theSearchVal, 0, 1500); # Limit string length
+
my $originalSearch = $theSearchVal;
my $renameTopic;
my $renameWeb = "";
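Review bot: the length limit runs after the escaping: "$theSearchVal = substr($theSearchVal, 0, 1500);" can cut between an inserted backslash and the quote it was meant to escape, so the truncated value no longer has the property the two substitutions established. Apply substr first and escape the truncated string, so the limit cannot undo the escaping; the same ordering problem is in every copy of this hunk.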
--------------------------------------------------------------------------
Patch for twiki/bin/wikisearch.pm of TWiki Production Release 01-Dec-2000:
--------------------------------------------------------------------------
*** TWiki20001201/wikisearch.pm 2004-11-12 12:18:55.000000000 -0800
--- ./wikisearch.pm 2004-11-12 12:23:07.000000000 -0800
***************
*** 117,122 ****
--- 117,129 ----
my $tempVal = "";
my $tmpl = "";
+
+ # fix for Codev.SecurityAlertExecuteCommandsWithSearch
+ # vulnerability, search: "test_vulnerability '; ls -la'"
+ $theSearchVal =~ s/(^|[^\\])([\'\`])/\\$2/g; # Escape ' and `
+ $theSearchVal =~ s/[\@\$]\(/$1\\\(/g; # Defuse @( ... ) and $( ... )
+ $theSearchVal = substr($theSearchVal, 0, 1500); # Limit string length
+
if( $doBookView ) {
$tmpl = readTemplate( "searchbookview" );
} else {
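Review bot: this is the fourth verbatim copy of the same three statements, here pasted into wikisearch.pm of the 01-Dec-2000 tree (different context: no $topicCount line, insertion just before "if( $doBookView ) {"). Any correction to the regexes has to be repeated in all four patches, so a single documented helper (say an escapeSearchValue subroutine, name hypothetical) that each release's hotfix calls would keep them in step. The comment "# Escape ' and `" should also state the assumption the escaping relies on, namely how $theSearchVal is quoted where it is interpolated into the command line, since that is not visible in the hunk and a backslash escapes nothing inside a single-quoted shell word.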
------------------------------------------------------------------------
End patches
------------------------------------------------------------------------
Feedback
I've updated the email to point to the new
TWikiAnnounceMailingList and
SecurityTeam pages, and to point to
GoogleYourTWiki and some rootkit detection links.
-- RD
I did some editing, it is
not finalized yet.
What should the "From" address be?
--
PeterThoeny - 27 Nov 2004
The hole was left by the development team. The mail is coming from the development team. The development team needs to know what responses are received. So the mail should be From: the TWiki Development Team.
It would be really good if people could subscribe to the security mailing list just by "reply"ing to this mail.
--
CrawfordCurrie - 27 Nov 2004
I think the From address should be the security team (
SecurityTeam) email address - the core team is not all the developers, and the core team email list is not open to outside emails anyway. I believe the security team address is going to be
twiki-security@lists..
. It would be better as
security at twiki.org
but we probably can't do that with current hosting.
Note that we
should have finalised the security team's name and URL before we send this email, though if that's not ready we should send it anyway.
Given the way the email list is set up, replying to the email is not enough to subscribe (unless we make the From address
twiki-announce-request@...
). However, we should include a direct URL to the Mailman signup page, which I've done above, to reduce the number of steps to sign up. The
TWikiAnnounceMailingList link is in the main email list section as well.
I've also left off full stops (periods) from the end of URLs even where this is not good grammar...
--
RichardDonkin - 27 Nov 2004
Right now the emails are from TWiki Security List <twiki-security@lists.sourceforge.net>, and there's a reply-to of TWiki Security List <twiki-security@lists.sourceforge.net>.
--
SvenDowideit - 27 Nov 2004
I've run this past
SpamAssassin 2.63 and have fixed two issues that might have got this filtered - the :8181 port on the
SVN URL (relocated to top
SubversionReadme), and the reference to 'one time mailing' (reworded to 'exceptional alert'). No
SpamAssassin rules are triggered, and the Bayesian score is highly non-spam.
For spam testing only, I will send out this draft to the
CoreTeam and a few developers.
Can anyone with different spam filters please test this themselves?
--
RichardDonkin - 27 Nov 2004
Shouldn't the affected release also state "All alpha and beta releases prior to
CairoRelease" ?
--
RafaelAlvarez - 27 Nov 2004
Probably should, though really it's all alphas and betas up to a specific date - i.e. the first beta post Cairo was end Oct and would also be vulnerable. If you can specify a date then we could add it at end of the list.
--
RichardDonkin - 27 Nov 2004
I reverted the "exceptional" back to "one-time". Reason: People are very concerned about spam. The "one-time mailing" indicates what it is.
Also, not sure if it is a good idea to use the security team as "reply to". Keep in mind that there will be many bounces because of invalid or rejected e-mail addresses. To give a figure, 10% of 30K means 3000 bounces. How about a
noreply@twiki.org
and indicate in the text how to reply?
I feel strongly that the mailer should be plain text only. The e-mail is large enough already; we do not have structure that requires
HTML; we can avoid broken links (as happened in test runs).
--
PeterThoeny - 27 Nov 2004
I created
twiki-security@listsPLEASENOSPAM.sourceforge.net, it will take a few hours to be activated.
--
PeterThoeny - 27 Nov 2004
I agree with Peter: This should be a text-only mail.
As for the betas, what about adding "all alpha and beta releases prior to 2004-11-12"
--
RafaelAlvarez - 27 Nov 2004
Added alpha and beta note.
Removed upper-case headings to reduce the chance that the alert gets spam trapped.
We only need to decide on the reply address, then we are ready to go.
--
PeterThoeny - 27 Nov 2004
Added TWikiIRC to the contact list, as we've already helped out several people there with security questions.
--
WillNorris - 27 Nov 2004
I prefer for us to get the 3000 bounces rather than have one person hit reply-to, and not get their information to us.
This is in the context that 3000 emails is fewer emails than I get to my home address in a day, so it's not going to change anything for me
- to limit the problems, I could be the one to remain subscribed there, and we could turn off the logging..
quite agree about the
HTML, forgot to look at the size..
--
SvenDowideit - 27 Nov 2004
I created a
noreply@ntwiki.ethermage.net
alias on the ntwiki server. We can use that. It will go to an account on that server. Or, shall we call the alias
announce-feedback@ntwiki.ethermage.net
? But that means we need to take actions on real replies. Sven, shall I forward the e-mail to you as well?
--
PeterThoeny - 27 Nov 2004
I think noreply is probably better - we could invite comments on the alert page perhaps?
Also, re the 'one-time' revert - if you keep this exact wording, you will find
SpamAssassin gives a 2.6 score for spamminess (5.0 is normally the threshold for spam, and ISPs can customise scores). Rewording this in some other way in both places is best, e.g. 'once only' or exceptional or whatever - that's why I made the change after sending a lot of test emails through
SpamAssassin.
SpamAssassin is used by a lot of ISPs so the wrong wording may have an effect on how many emails get through. Spammers often use the 'one-time' wording which is why it scores so high.
--
RichardDonkin - 27 Nov 2004
Good points Richard. Changed accordingly.
--
PeterThoeny - 27 Nov 2004
I didn't think
once only fitted very well into that first sentence so I changed the wording.
I like the new wording for the following three reasons (Sorry, I've been watching far too many Sports Night re-runs):
- It emphasises the one time nature of the mail twice.
- It also emphasises the opt-in nature of the new mailing list and the need to subscribe.
- It uses a semi-colon (thanks Will)
--
SamHasler - 28 Nov 2004
Thanks Sam.
After discussing with the core-team, I created a new list,
twiki-announce-fbk@lists.sourceforge.net
, that people can use to send feedback, and machines to send bounces.
--
PeterThoeny - 28 Nov 2004
Fixed typo in 'recieved' and other minor typos, changed From text to 'TWiki Security Team' and spam tested.
Result from
SpamAssassin is a low score of 0.2, which is fine, and Bayes score is low for those sites that enable this.
X-Spam-Report:
* 0.2 OPT_IN BODY: Talks about opting in (lowercase version)
--
RichardDonkin - 28 Nov 2004
Thanks Richard!
I separated out the feedback address (for questions regarding this security alert) and my address (for privacy questions/concerns). This makes it more personal.
We are ready to go.
--
PeterThoeny - 28 Nov 2004
This email went out on 28 Nov to many thousands of people who have provided email addresses on TWiki.org or were running Google-accessible TWiki sites. We now have over 300 members of the
TWikiAnnounceMailingList, largely as a result of this email.
--
RichardDonkin - 29 Nov 2004