exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

twiki.txt

twiki.txt
Posted Nov 13, 2004
Authored by Florian Weimer, Markus Goetz, Joerg Hoh, Michael Holzt, Florian Laws, Hans Ulrich Niedermann, Andreas Thienemann, Peter Thoeny

Remote attackers are able to execute arbitrary commands in the context of the TWiki process for TWiki versions 20030201 and possibly in other versions as well. This flaw is due to a lack of proper sanitization of user input.

tags | advisory, remote, arbitrary
SHA-256 | ac52112bc5ecb5d1c0b1b78be42869a3a5320137a2621f2fc66722fa6a94c04c

twiki.txt

Change Mirror Download
VULNERABLE SOFTWARE VERSIONS

TWiki http://twiki.org/

- TWiki 20030201 (e.g. Debian Sarge)
- probably later versions

- Subversion repository at
<http://ntwiki.ethermage.net:8181/svn/twiki/trunk>
at least until revision 3224 (including)


ATTACK VECTORS

HTTP GET requests towards the Wiki server (typically port 80/TCP).
Usually, no prior authentication is necessary.

Possibly also HTTP POST, but this is untested.


IMPACT

An attacker is able to execute arbitrary shell commands with the
privileges of the TWiki process.


DETAILS

The TWiki search function uses a user supplied search string to
compose a command line executed by the Perl backtick (``) operator.

The search string is not checked properly for shell metacharacters
and is thus vulnerable to search string containing quotes and shell
commands.

An example search string would be:

doesnotexist1'; (uname -a; id) | sed 's/\(.*\)/__BEGIN__\1__END__.txt/'; fgrep -i -l -- 'doesnotexist2

If access to the Wiki is not restricted by other means, attackers can
use the search function without prior authentication.

As indicated in the source code, the software authors were aware that
the way they worked around Perl's taint check is insecure. Users of
TWiki should reconsider if the software can meet their security
requirements, given such gross negligence.


COUNTERMEASURES

- Hotfix (see patch at end of advisory)
The hotfix is known to prevent the current attacks, but it might
not be a complete fix.
- Filter access to the web server.
- Use the web server software to restrict access to the web pages
served by TWiki.
- Rewrite the TWiki code to correctly check user supplied strings.
- Rewrite the TWiki code to use Perl code to open and scan the files
instead of running commands in the shell.


AUTHORS AND CREDITS

Markus Goetz, Joerg Hoh, Michael Holzt, Florian Laws,
Hans Ulrich Niedermann, Andreas Thienemann, Peter Thoeny,
Florian Weimer contributed to this advisory.


HOTFIX

--- twiki/lib/TWiki/Search.pm.orig 2004-11-12 20:16:56.000000000 +0100
+++ twiki/lib/TWiki/Search.pm 2004-11-12 20:36:21.000000000 +0100
@@ -135,6 +135,11 @@
my $tempVal = "";
my $tmpl = "";
my $topicCount = 0; # JohnTalintyre
+
+ # Hotfix for search string shell code insertion vulnerability
+ $theSearchVal =~ s/[^A-Za-z0-9+\-_]//g; # only accept known-good chars
+ $theSearchVal = substr($theSearchVal, 0, 100); # limit string to reasonable length
+
my $originalSearch = $theSearchVal;
my $renameTopic;
my $renameWeb = "";


VULNERABILITY TIMELINE

early October 2004 earliest confirmed attack

2004-11-12 forensics revealed exploit
vendor contact
vendor responded, with less conservative hotfix

2004-11-13 uncoordinated emergency disclosure

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close