Subject: TWiki security alert: Execution of shell Commands with search
Date: Fri, 12 Nov 2004 17:08:22 -0800
From: Peter Thoeny
To: "Known TWiki admins at TWiki.org"

---+ SECURITY ALERT

You (or someone for you) listed your TWiki installation at TWiki.org, or you are in a WebNotify list on TWiki.org. This e-mail is alerting you of a potential vulnerability in your TWiki installation. Please excuse the wide distribution, but it is better to be safe than sorry.

Administrators of TWiki sites are *strongly* encouraged to secure their site as soon as possible.

---++ SUMMARY

The TWiki search function allows arbitrary shell command execution.

---++ VULNERABLE SOFTWARE VERSION

   * TWiki Production Release 01-Sep-2004 -- TWiki20040901.zip
   * TWiki Production Release 01-Feb-2003 -- TWiki20030201.zip
   * TWiki Production Release 01-Dec-2001 -- TWiki20011201.zip
   * TWiki Production Release 01-Dec-2000 -- TWiki20001201.zip
   * Subversion repository at http://ntwiki.ethermage.net:8181/svn/twiki/trunk (up to and including revision 3224, fixed in revision 3225)

---++ ATTACK VECTORS

HTTP GET requests to the wiki server (typically port 80/TCP). Usually no prior authentication is necessary. HTTP POST requests probably work as well, but this is untested.

---++ IMPACT

An attacker is able to execute arbitrary shell commands with the privileges of the web server process, e.g. the user nobody.

---++ DETAILS

The TWiki search function uses a user-supplied search string to compose a command line that is executed by the Perl backtick (``) operator. The search string is not properly checked for shell metacharacters, so a search string containing quotes and shell commands breaks out of the intended command and the remainder is run by the shell. An example search string is:

   "test_vulnerability '; ls -la'"

If access to TWiki is not restricted by other means, attackers can use the search function without prior authentication.
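As an added example (not TWiki's own code, and not part of the advisory), the following Perl script shows the pattern described above in miniature: a search term interpolated into an fgrep-style command line run with backticks, the same character filter the hotfix at the end of this e-mail applies, and two shell-free ways of doing the same search. The command template, the single-quoting of the term, the temporary topic files, and the search terms are all assumptions made for the demonstration; TWiki's real Search.pm is not reproduced.

```perl
#!/usr/bin/perl
# Added example, not TWiki code. Shows (1) the backtick pattern from the
# DETAILS section, (2) the hotfix-style character filter, (3) a list-form
# open that bypasses /bin/sh, and (4) a pure-Perl scan of the files.
# The command template, file names and search terms are assumptions.
use strict;
use warnings;
use File::Temp     qw(tempdir);
use File::Basename qw(basename);

# --- constructed sample data: three small "topic" files in a temp dir ---
my $dir = tempdir( CLEANUP => 1 );
my %topics = (
    'WebHome.txt'    => "Welcome to the test web\n",
    'SearchTest.txt' => "This topic mentions test_vulnerability once\n",
    'Notes.txt'      => "Nothing interesting here\n",
);
for my $name ( keys %topics ) {
    open my $fh, '>', "$dir/$name" or die "write $name: $!";
    print {$fh} $topics{$name};
    close $fh;
}

# --- 1. vulnerable: search value interpolated into a shell command line ---
# The term is assumed to sit inside single quotes, as '...'; a quote in the
# input closes them and the rest of the input is parsed by /bin/sh.
# grep -F is what fgrep does (modern grep warns that fgrep is obsolescent).
sub search_vulnerable {
    my ($term) = @_;
    my $cmd = "grep -F -l -i -- '$term' $dir/*.txt 2>&1";
    return `$cmd`;    # backtick operator spawns /bin/sh -c "$cmd"
}

# --- 2. hotfix-style filter (same substitutions as the patch in this mail) ---
# Strips ' and `, defuses "@(", caps the length. The shell still runs the
# command, so this only holds while the value stays inside the single quotes.
sub filter_hotfix {
    my ($term) = @_;
    $term =~ s/[\'\`]//g;
    $term =~ s/\@\(/\@\\\(/g;
    return substr( $term, 0, 200 );
}

# --- 3. shell-free: list-form open; Perl forks and execs grep directly ---
# Each list element becomes one argv entry, so metacharacters in $term are
# just bytes of the pattern. "--" stops grep from reading it as an option.
sub search_noshell {
    my ($term) = @_;
    my @files = sort glob("$dir/*.txt");
    open my $fh, '-|', 'grep', '-F', '-l', '-i', '--', $term, @files
        or die "grep: $!";
    my @hits = map { basename($_) } <$fh>;
    close $fh;    # grep exits 1 when nothing matches; that is not an error here
    chomp @hits;
    return @hits;
}

# --- 4. the "rewrite in Perl" countermeasure: no external program at all ---
sub search_pureperl {
    my ($term) = @_;
    my @hits;
    for my $file ( sort glob("$dir/*.txt") ) {
        open my $fh, '<', $file or die "$file: $!";
        local $/;    # slurp the whole topic
        my $text = <$fh>;
        close $fh;
        push @hits, basename($file) if index( lc $text, lc $term ) >= 0;
    }
    return @hits;
}

my $benign = 'test_vulnerability';
# Advisory-style payload: the leading quote closes the template's quote, the
# trailing one re-opens it so the composed command line stays well formed.
my $evil = "test_vulnerability '; echo INJECTED; :'";

for my $term ( $benign, $evil ) {
    print "search term: $term\n";
    print "  backticks        : ", join( ' ', split /\n/, search_vulnerable($term) ), "\n";
    print "  backticks+hotfix : ", join( ' ', split /\n/, search_vulnerable( filter_hotfix($term) ) ), "\n";
    print "  list-form open   : ", join( ' ', search_noshell($term) ), "\n";
    print "  pure Perl        : ", join( ' ', search_pureperl($term) ), "\n";
}
```

Run as is, the backtick variant prints INJECTED for the second term while the other three treat the whole string as a literal pattern and simply find nothing. The filtered backtick call is safe here only because the assumed template wraps the term in single quotes and the filter removes exactly that character; the list-form open and the pure-Perl scan do not depend on any such property of the command line, which is why the last countermeasure bullet below is the durable fix.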
Details will be posted shortly at http://TWiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearch

---++ COUNTERMEASURES

   * Apply the hotfix (see patches at the end of this e-mail). The hotfix is known to prevent the current attacks, but it might not be a complete fix: it removes the quote characters the known attack relies on but still passes the search value through the shell.
   * Filter access to the web server.
   * Use the web server software to restrict access to the web pages served by TWiki.
   * Rewrite the code to open and scan the files in Perl instead of running fgrep in the shell (slow).

---++ AUTHORS AND CREDITS

Markus Goetz, Joerg Hoh, Michael Holzt, Florian Laws, Hans Ulrich Niedermann, Andreas Thienemann, Peter Thoeny, Florian Weimer contributed to this advisory.

---++ NEW TWIKI RELEASE

FYI, the latest TWiki Production Release 01-Sep-2004 aka CairoRelease is available for download. It is a major release replacing version 01-Feb-2003. You can download the new release from the TWiki.org web site (you need to apply the security patch indicated at the end of this e-mail).

Major changes since the TWiki 01-Feb-2003 release:

   * Automatic upgrade script, and easier first-time installation
   * Attractive new skins, using a standard set of CSS classes, and a skin browser to help you choose
   * New easier-to-use save options
   * Many improvements to SEARCH
   * Improved support for internationalisation
   * Better topic management screens
   * More pre-installed Plugins: CommentPlugin, EditTablePlugin, RenderListPlugin, SlideShowPlugin, SmiliesPlugin, SpreadSheetPlugin, TablePlugin
   * Improved Plugins API and more Plugin callbacks
   * Better support for different authentication methods
   * Many user interface and usability improvements
   * And many, many more enhancements

Best regards,
Peter.Thoeny@attglobal.net - http://TWiki.org/

---++ HOTFIX

----------------------------------------------------------------------------
Patch for twiki/lib/TWiki/Search.pm of TWiki Production Release 01-Sep-2004:
----------------------------------------------------------------------------
*** 
TWiki20040901/Search.pm 2004-11-12 11:54:47.000000000 -0800 --- ./Search.pm 2004-11-12 12:08:29.000000000 -0800 *************** *** 434,439 **** --- 434,446 ---- my $tempVal = ""; my $tmpl = ""; my $topicCount = 0; # JohnTalintyre + + # fix for Codev.SecurityAlertExecuteCommandsWithSearch + # vulnerability, search: "test_vulnerability '; ls -la'" + $theSearchVal =~ s/[\'\`]//g; # Filter ' and ` + $theSearchVal =~ s/\@\(/\@\\\(/g; # Defuse @( ... ) + $theSearchVal = substr($theSearchVal, 0, 200); # Limit string length + my $originalSearch = $theSearchVal; my $renameTopic; my $renameWeb = ""; ---------------------------------------------------------------------------- Patch for twiki/lib/TWiki/Search.pm of TWiki Production Release 01-Feb-2003: ---------------------------------------------------------------------------- *** TWiki20030201/Search.pm 2004-11-12 12:11:52.000000000 -0800 --- ./Search.pm 2004-11-12 12:12:20.000000000 -0800 *************** *** 135,140 **** --- 135,147 ---- my $tempVal = ""; my $tmpl = ""; my $topicCount = 0; # JohnTalintyre + + # fix for Codev.SecurityAlertExecuteCommandsWithSearch + # vulnerability, search: "test_vulnerability '; ls -la'" + $theSearchVal =~ s/[\'\`]//g; # Filter ' and ` + $theSearchVal =~ s/\@\(/\@\\\(/g; # Defuse @( ... 
) + $theSearchVal = substr($theSearchVal, 0, 200); # Limit string length + my $originalSearch = $theSearchVal; my $renameTopic; my $renameWeb = ""; ---------------------------------------------------------------------------- Patch for twiki/lib/TWiki/Search.pm of TWiki Production Release 01-Dec-2001: ---------------------------------------------------------------------------- *** TWiki20011201/Search.pm 2004-11-12 12:15:55.000000000 -0800 --- ./Search.pm 2004-11-12 12:16:45.000000000 -0800 *************** *** 133,138 **** --- 133,145 ---- my $tempVal = ""; my $tmpl = ""; my $topicCount = 0; # JohnTalintyre + + # fix for Codev.SecurityAlertExecuteCommandsWithSearch + # vulnerability, search: "test_vulnerability '; ls -la'" + $theSearchVal =~ s/[\'\`]//g; # Filter ' and ` + $theSearchVal =~ s/\@\(/\@\\\(/g; # Defuse @( ... ) + $theSearchVal = substr($theSearchVal, 0, 200); # Limit string length + my $originalSearch = $theSearchVal; my $renameTopic; my $renameWeb = ""; ---------------------------------------------------------------------------- Patch for twiki/bin/wikisearch.pm of TWiki Production Release 01-Dec-2000: ---------------------------------------------------------------------------- *** TWiki20001201/wikisearch.pm 2004-11-12 12:18:55.000000000 -0800 --- ./wikisearch.pm 2004-11-12 12:23:07.000000000 -0800 *************** *** 117,122 **** --- 117,129 ---- my $tempVal = ""; my $tmpl = ""; + + # fix for Codev.SecurityAlertExecuteCommandsWithSearch + # vulnerability, search: "test_vulnerability '; ls -la'" + $theSearchVal =~ s/[\'\`]//g; # Filter ' and ` + $theSearchVal =~ s/\@\(/\@\\\(/g; # Defuse @( ... ) + $theSearchVal = substr($theSearchVal, 0, 200); # Limit string length + if( $doBookView ) { $tmpl = readTemplate( "searchbookview" ); } else { ---------------------------------------------------------------------------- End patches ----------------------------------------------------------------------------
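Review bot: The filter in the 01-Sep-2004 Search.pm hunk (lines 434-446) removes only `'` and `` ` `` and then leaves $theSearchVal on its way to the shell, so it is safe only for as long as the composed command keeps the value inside a single-quoted argument; `;`, `|`, `$(`, `&` and newlines are untouched and are still interpreted anywhere outside those quotes. Since the advisory itself says the hotfix "might not be a complete fix", the durable change is to pass the value as one argv element via the list form of open or system so that /bin/sh is never involved, and keep `$theSearchVal =~ s/[\'\`]//g;` only as defence in depth.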
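Review bot: The comment `# Defuse @( ... )` on the `$theSearchVal =~ s/\@\(/\@\\\(/g;` line in the 01-Feb-2003 hunk (lines 135-147) does not say which interpreter treats `@(` specially or which attack the escape closes, and the three added lines give a reader no way to tell whether it targets the shell or a later Perl interpolation. Spell that out in the comment (or reference the section of Codev.SecurityAlertExecuteCommandsWithSearch that explains it), otherwise a maintainer cannot judge whether the line is still needed once the shell is removed from the search path.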
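Review bot: In the 01-Dec-2001 hunk (lines 133-145) `my $originalSearch = $theSearchVal;` is assigned after the quote filter and the `substr($theSearchVal, 0, 200)` truncation, so whatever is later shown back as the "original" search is the sanitized and possibly shortened string rather than what the user typed: quotes disappear silently (a search for don't becomes dont) and a query longer than 200 characters is run as a different query with no indication. Either capture $originalSearch before the three substitutions for display purposes, or reject over-long and quote-containing input with a message instead of rewriting it.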
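Review bot: Style point on the wikisearch.pm hunk for 01-Dec-2000 (lines 117-129): the character class in `$theSearchVal =~ s/[\'\`]//g;` escapes characters that need no escaping inside `[...]`, and deleting a fixed set of characters is what `tr/'`//d` is for, which reads as intent ("drop these bytes") rather than as a pattern. Also, because this hunk sits before the `if( $doBookView )` template selection and has no $originalSearch line, the 200-character cap applies silently to both the bookview and normal paths; a short comment saying the truncation is deliberate and user-visible would save the next reader a trip to the Codev topic.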