create new tag
, view all tags

Security Alert: Robustness patch for TWiki; vulnerability in ImageGalleryPlugin

ALERT! Please join the
twiki-announce list:
To get immediate alerts of high priority security issues, please join the low-volume twiki-announce list - details at TWikiAnnounceMailingList

Communication to twiki-announce

Dear TWiki administrator,

This is a TWiki security alert that provides:

  • a patch to make TWiki Release 01/02 Sep 2004 more robust, and
  • a patch for the ImageGalleryPlugin to fix a severe security issue

This advisory has already been publicly announced by Florian Weimer, therefore it is recommended to take actions ASAP if you are running TWiki on a public web site. Thank you Florian for providing an extensive robustness patch.

Since the advisory has been released uncoordinated, not following our documented security alert process at http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess , we could not verify that the suggested robustness patch works in all environments where TWiki is being deployed. We learned that this patch does not work on Windows, nor on Perl older then 5.6. The patch has been successfully tested on:

  • Red Hat Enterprise Linux AS release 3 (Taroon Update 4) with Perl 5.8.0
  • Debian GNU/Linux woody with Perl 5.6.1
  • SuSe 9.0 with Perl 5.8.0

Please watch this topic at http://twiki.org/cgi-bin/view/Codev/UncoordinatedSecurityAlert23Feb2005 for follow-up on this alert.

Best regards,
Peter@ThoenyPLEASENOSPAM.com - TWiki.org

-- PeterThoeny - 25 Feb 2005

-------- Original Message --------
Subject: [TWiki-Dev] Robustness patch for TWiki, vulnerability in ImageGalleryPlugin
Date: Wed, 23 Feb 2005 18:27:41 +0100
From: Florian Weimer fw@denebPLEASENOSPAM.enyo.de
To: security-announce@listsPLEASENOSPAM.enyo.de, full-disclosure@listsPLEASENOSPAM.netsys.com, bugtraq@securityfocusPLEASENOSPAM.com, vulnwatch@vulnwatchPLEASENOSPAM.org, twiki-dev@listsPLEASENOSPAM.sourceforge.net

* TWiki robustness patch

After CAN-2004-1037 was discovered in November 2004, I wrote a patch which systematically replaces unsafe subprocess invocation constructs in the TWiki source code. This patch was published, submitted to the TWiki developers, and they ported it into the DEVELOP branch:


(A TWiki release which incorporates the changes from the DEVELOP branch is still pending.)

The TWiki robustness patch should fix all shell command injection vulnerabilities, once and for all. It also attempts to prevent directory traversal attacks, but I'm less confident that I have plugged all potential holes. (However, I'm not aware of any directory traversal vulnerabilities in TWiki, with or without this patch.)

Due to certain circumstances which I'm not at liberty to disclose at this point, it is STRONGLY RECOMMENDED to apply the patch to any TWiki installation which is accessible from untrusted networks. The patch needs some changes to TWiki.cfg; please read the web page mentioned above and the enclosed README file carefully.

* ImageGalleryPlugin security issue

ImageGalleryPlugin does not properly guard its configuration options against unauthorized changes, in particular parts of the ImageMagick commands used to generate thumbnails. As a result, it's possible for anyone who is able to create or edit topics with image galleries to execute arbitrary shell commands on the web server hosting the affected TWiki installation.

A patch for this issue is available from the same URL as above:


The patch depends on the TWiki robustness patch. Some configuration changes are required (as explained on the web page).

Vulnerability timeline (for the ImageGalleryPlugin issue):

  2004-11-27 bug discovered and disclosed to the TWiki core developers
  2004-11-29 sent patch to the TWiki core developers
  2004-11-30 sent bug notice and patch to the plugin author
  2004-12-26 sent reminder (and patch) to the TWiki security team
  2005-02-17 sent second reminder, pending disclosure (no reply)
  2005-02-23 uncoordinated public disclosure

-- Florian Weimer - 23 Feb 2005

(-- KennethLavrsen - 25 Feb 2005 - Added the forgotten last past of the original email - see comment below)


Known issues with the robustness patch:

-- PeterThoeny - 25 Feb 2005


For those new to applying a patch:

To patch TWikiRelease01Sep2004 or TWikiRelease02Sep2004, download GNU Patch (linked from PatchGuidelines) - then cd to the TWiki root directory and then run patch -i twiki-robustness-r3342.diff

-- PeterThoeny - 25 Feb 2005

QUESTION? What are the patch procedures / implications for TWikiRelease01Feb2003 ? -- KeithHelfrich - 25 Feb 2005

The README instructions indicate that TWiki.cfg should be updated, but the patch already updates it. Are the instructions incorrect?

-- DiabJerius - 25 Feb 2005

I just downloaded the latest gnu patch (2.5.4), but I am still having difficulty applying the patch. Patch asks for each file. Is there an incompatibility between the diff generated by Florian and gnu patch?

# /usr/local/bin/patch --dry-run  -i twiki-robustness-r3342.diff
patching file README.robustness
patching file 20robustness.t
can't find file to patch at input line 143
Perhaps you should have used the -p or --strip option?
The text leading up to this was:
|=== lib/TWiki.pm
|--- lib/TWiki.pm   (/twiki/trunk)   (revision 287)
|+++ lib/TWiki.pm   (/twiki/branches/robustness)   (revision 287)
# ls lib/TWiki.pm
# /usr/local/bin/patch --version
patch 2.5.4
Copyright 1984-1988 Larry Wall
Copyright 1989-1999 Free Software Foundation, Inc.

  • You probably need to add -p0 to the patch command line, to make it ignore paths in the patch file. I did.

-- NicholasSushkin - 25 Feb 2005

You may want to simply disable ImageGalleryPlugin until I post a new version (within the next 24 hours); the new version uses CPAN:Image::Magick directly instead of the shell.

-- WillNorris - 25 Feb 2005

I successfully patched Cairo TWikiRelease02Sep2004 with some extra fixes added by hand using this patch command

  • copy patch file to the root twiki folder.
  • run: patch -p0 < twiki-robustness-3342.diff

After this you should additionally fix this small problem: SecurityPatchBreaksAttachmentWithoutComment

In reality there is no need to panic if you have a TWiki without the ImageGalleryPlugin. But if you have the ImageGalleryPlugin installed either patch your TWiki as described or simply remove it if you do not really use it anyway.

You forgot to include the important last part of Florians original email (Vulnerability timeline). I added it because it teaches us who really did not follow the documented TWikiSecurityAlertProcess.

-- KennethLavrsen - 25 Feb 2005

QUESTION? Is the patch for Access.pm correct? i got patching file lib/TWiki/Access.pm Reversed (or previously applied) patch detected! Assume -R? [n] on a debian-sarge release of TWikiRelease02Sep2004. My guess is that sarge has probably already applied some earlier patch, so there's definitely no need to undo it. In other words, is the part

if ($2 =~ /\S/ && !@allowList) {
etc. supposed to be present? -- BoudRoukema - 27 Feb 2005

Will, how are you getting on with a new release of the plugin?

-- MartinCleaver - 28 Feb 2005

Is there going to be a production release after 7 days, per the TWikiSecurityAlertProcess? 7 days from the advisory was yesterday, but maybe we're counting from Friday? I'm just concerned because nothing's been posted so far.

-- KyleMaxwell - 03 Mar 2005

For important security updates such as this, it seems that it would much more helpful to post the pre-patched components rather than requiring folks to download a diff and go through the process of applying it.

-- LynnwoodBrown - 11 Mar 2005

This patch seems important, yet there's no mention of it on TWikiSecurityAlerts. Shouldn't things like this get at least some sort of a mention in the obvious places?

-- MarcusLeonard - 12 Mar 2005

Yes, you are right, does anyone want to volunteer to join the TWikiSecurity group? The core group is stretched too thin, so we need help!

  • I am willing to volunteer for the TWikiSecurity group for the specific task of applying diffs to affected components and posting them as zipped archive. It's a small thing (within my skill level) but one which would facilitate faster application of fixes. -- LynnwoodBrown - 17 Mar 2005

-- SvenDowideit - 12 Mar 2005

Still rejecting some of the fixes:

piccolbo:/var/www/html/twiki$ sudo patch -p0 -i ~/install/twikipatch.diff
patching file README.robustness
patching file t/20robustness.t
patching file lib/TWiki.pm
Hunk #1 succeeded at 3202 (offset -10 lines).
patching file lib/TWiki.cfg
Hunk #1 FAILED at 192.
Hunk #2 FAILED at 305.
2 out of 2 hunks FAILED -- saving rejects to file lib/TWiki.cfg.rej
patching file lib/TWiki/Search.pm
patching file lib/TWiki/Store/RcsLite.pm
patching file lib/TWiki/Store/RcsWrap.pm
patching file lib/TWiki/Func.pm
Hunk #1 succeeded at 847 (offset -1 lines).
patching file lib/TWiki/Store.pm
Hunk #5 succeeded at 1736 (offset 8 lines).
patching file lib/TWiki/Access.pm
patching file lib/TWiki/UI/Upload.pm
patching file bin/manage

-- AntonioPiccolboni - 17 Mar 2005

The failures were in TWiki.cfg, which you probably modified locally. You should manually resolve the changes to TWiki.cfg. It's very simple to do.

-- CrawfordCurrie - 17 Mar 2005

I'd be interested in assisting the security group with further security reviews and patch evaluation. My address is in my profile if I can be of assistance.

-- KyleMaxwell - 21 Mar 2005

The robustness patch may lead to problems if usernames/ids are longer than 30 characters.

For instance in our installation, we use emails as user's login names in twiki... and several of them are longer than 30 characters.

I suggest that the 0,30 limit be replaced by 0,50 in the following patch line :

+             if ($param =~ /^([0-9A-Za-z.+_\-]{0,30})$/) {

-- OlivierBerger - 23 Mar 2005

Can we get a replacement for TWikiRelease02Sep2004 out? I note that the forthcoming IGP requires either this patch installed or Dakar.

-- MartinCleaver - 24 Apr 2005

Edit | Attach | Watch | Print version | History: r22 < r21 < r20 < r19 < r18 | Backlinks | Raw View | Raw edit | More topic actions
Topic revision: r22 - 2005-04-24 - MartinCleaver
  • Learn about TWiki  
  • Download TWiki
This site is powered by the TWiki collaboration platform Powered by Perl Hosted by OICcam.com Ideas, requests, problems regarding TWiki? Send feedback. Ask community in the support forum.
Copyright © 1999-2018 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.