
TWiki User Organization Script Insertion Vulnerability - False Alarm 2012-01-31

Reports on a "TWiki User Organization Script Insertion Vulnerability" surfaced on 2012-01-31. The SecurityTeam triaged this report based on our TWikiSecurityAlertProcess and concluded that this is a false alarm, i.e. it can safely be ignored.

Example Secunia Advisory SA47784:

Sony [a user, not the company] has discovered a vulnerability in TWiki, which can be exploited by malicious people to conduct script insertion attacks.

Input passed via the Organization field when registering or editing a user is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.

The vulnerability is confirmed in version 5.1.1. Other versions may also be affected.

Details

TWiki supports HTML, CSS and JavaScript in TWiki pages and TWiki form fields. This is a feature, i.e. it is done by design so that application developers can create TWiki applications. TWiki supports user registration where name, company name and other fields are specified in the registration form. It is possible to add HTML/CSS/JavaScript in some of those fields, and it gets saved as such. Any user who looks at that user profile page will see that HTML/CSS/JavaScript. The code is executed in the browser of the user who is looking at the page, i.e. it is script stored by one user that runs as a different user.

The user Sony who reported this case used this example in the "Organization" form field:

  ><script>alert("Knock Knock..Security is an illusion..by Sony http://example.com")</script>
  <iframe width="560" height="315" src="http://www.youtube.com/embed/YyE41IpYaA8" frameborder="0" allowfullscreen></iframe>

TWiki stores this escaped as meta data in the profile page:

  %META:FIELD{
    name="Organization"
    attributes="H"
    title="Organization"
    value="><script>alert(%22Knock Knock..Security is an illusion..by Sony http://example.com%22)</script>
  <iframe width=%22560%22 height=%22315%22 src=%22http://www.youtube.com/embed/YyE41IpYaA8%22 frameborder=%220%22 allowfullscreen></iframe>"
  }%

This is the HTML TWiki generates when looking at the profile page:

  &gt;<script>alert("Knock Knock..Security is an illusion..by Sony http://example.com")</script>
  <iframe width="560" height="315" src="http://www.youtube.com/embed/YyE41IpYaA8" frameborder="0" allowfullscreen></iframe>

As you can see, TWiki passes valid HTML/CSS/JS along to the browser, which is exactly the expected output. The initial ">" gets escaped, the text following that character is shown as entered.

Even though this behaviour is by design, TWiki could be enhanced to filter out some characters in the registration screen.
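As an added illustration, not TWiki's own code, the following Python shows the two things a site administrator would want from this page: a scanner that parses a %META:FIELD{...}% block like the one above and flags stored values carrying active markup, and the HTML-escaping of the registration field that the sentence above suggests. The decoding of %22 back to a double quote is a simplified model of TWiki's storage format, assumed from the example on this page; the sample block is constructed from that example.

```python
import html
import re

# Constructed sample: a %META:FIELD{...}% block in the shape shown on the page,
# with the double quotes of the stored value escaped as %22 (simplified model).
SAMPLE_META = '''%META:FIELD{
  name="Organization"
  attributes="H"
  title="Organization"
  value="><script>alert(%22Knock Knock%22)</script>
<iframe width=%22560%22 src=%22http://www.youtube.com/embed/x%22></iframe>"
}%'''

# key="value" pairs; the value never contains a raw double quote because TWiki stores it as %22
ATTR_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"', re.S)

# Markup that a browser would execute when the profile page is viewed
ACTIVE_RE = re.compile(r'<\s*(script|iframe|object|embed|svg)\b|\bon\w+\s*=|javascript:', re.I)


def parse_meta_field(block):
    """Parse one %META:FIELD{...}% block into a dict of attributes, restoring %22 to a quote."""
    m = re.match(r'%META:FIELD\{(.*)\}%\s*$', block, re.S)
    if not m:
        raise ValueError("not a %META:FIELD block")
    return {k: v.replace('%22', '"') for k, v in ATTR_RE.findall(m.group(1))}


def has_active_content(value):
    """True if a stored field value carries markup that browsers would execute as code."""
    return bool(ACTIVE_RE.search(value))


def sanitize_registration_field(value):
    """Hardened alternative for the registration screen: HTML-escape the field so the
    browser renders the submitted text literally instead of interpreting it as markup."""
    return html.escape(value, quote=True)
```

Running the scanner over every user profile topic under the Main web would list the profiles whose Organization (or other) fields carry such markup.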

External References:

-- Contributors: PeterThoeny - 2012-02-01

Discussion

Topic revision: r2 - 2012-02-23 - PeterThoeny