The %MAKETEXT{}% TWiki variable allows arbitrary shell command execution using tilde (~) characters. Only TWiki servers with localization enabled are affected. This issue is a follow-up to SecurityAlert-CVE-2012-6329 of last December.

TWiki ( http://twiki.org ) is an Open Source Enterprise Wiki and Web 2.0 Application Platform used by millions of people.

   * Vulnerable Software Version
   * Attack Vectors
   * Impact
   * Severity Level
   * MITRE Name for this Vulnerability
   * Details
   * Countermeasures
   * Hotfix for TWiki Production Release 5.1.x
   * Hotfix for Older Affected TWiki Releases
   * Verify Hotfix
   * Authors and Credits
   * Action Plan with Timeline
   * External Links
   * Feedback

---++ Vulnerable Software Version

   * TWiki-5.1.0 to TWiki-5.1.3 (TWikiRelease05x01x00 to TWikiRelease05x01x03)
   * TWiki-5.0.x (TWikiRelease05x00x00 to TWikiRelease05x00x02)
   * TWiki-4.3.x (TWikiRelease04x03x00 to TWikiRelease04x03x02)
   * TWiki-4.2.x (TWikiRelease04x02x00 to TWikiRelease04x02x04)
   * TWiki-4.1.x (TWikiRelease04x01x00 to TWikiRelease04x01x02)
   * TWiki-4.0.x (TWikiRelease04x00x00 to TWikiRelease04x00x05)

---++ Attack Vectors

Editing wiki pages and HTTP POST requests towards a TWiki server with enabled localization (typically port 80/TCP). Typically, prior authentication is necessary.

---++ Impact

An unauthenticated remote attacker can execute arbitrary shell commands as the webserver user, such as user nobody.

---++ Severity Level

The TWiki SecurityTeam triaged this issue as documented in TWikiSecurityAlertProcess [1] and assigned the following severity level:

   * Severity 1 issue: The web server can be compromised

---++ MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name CVE-2013-1751 [7] to this vulnerability.

---++ Details

Shell command execution issue: The %MAKETEXT{}% TWiki variable is used to localize user interface content to a language of choice.
Using a specially crafted MAKETEXT, a malicious user can execute shell commands using tilde (~) characters. User input is passed to the Perl "eval" command without first being sanitized. The original fix for this issue reported in SecurityAlert-CVE-2012-6329 [9] failed to eliminate one possible attack vector. This CVE applies an additional fix for the tilde character issue.

TWiki is not vulnerable if the {UserInterfaceInternationalisation} configure setting is disabled, or if Locale::Maketext has been upgraded to version 1.23 as advised in SecurityAlert-CVE-2012-6329 [9].

---++ Countermeasures

   * One of:
      * Disable localization by setting configure flag {UserInterfaceInternationalisation} to 0.
      * Apply hotfix (see patch below).
      * Upgrade to the latest patched production release TWiki-5.1.4 (TWikiRelease05x01x04) [2].
   * In addition:
      * Install CPAN:Locale::Maketext version 1.23 or newer.
      * Use the {SafeEnvPath} configure setting to restrict the possible directories that are searched for executables. By default, this is the PATH used by the webserver user. Set {SafeEnvPath} to a list of non-writable directories, such as "/bin:/usr/bin".

---++ Hotfix for TWiki Production Release 5.1.x

Affected file: twiki/lib/TWiki.pm

Patch to sanitize MAKETEXT parameters:

=======( 8>< CUT )===============================================
--- TWiki.pm (revision 25065)
+++ TWiki.pm (working copy)
@@ -4328,8 +4328,8 @@
     $str =~ s/\]/~]/g;
     # restore already escaped stuff:
-    $str =~ s/~~\[/~[/g;
-    $str =~ s/~~\]/~]/g;
+    $str =~ s/~~+\[/~[/g;
+    $str =~ s/~~+\]/~]/g;
     # unescape parameters and calculate highest parameter number:
     my $max = 0;
=======( 8>< CUT )===============================================

This patch is handled at TWikibug Item7145 [8].

---++ Hotfix for Older Affected TWiki Releases

Apply the above patch (line numbers may vary).

---++ Verify Hotfix

To verify the patch:

   * Add this to a topic: %MAKETEXT{"~~[quant,4, singular, plural, ~~]"}%
   * Expected output with internationalization enabled: [quant,4,singular,plural]
   * Expected output with internationalization disabled: ~[quant,4,singular,plural~]
   * Output on a vulnerable site: ~4 plural

---++ Authors and Credits

   * Credit to John Lightsey (john [at] nixnuts.net) for disclosing the issue to the twiki-security@lists.sourceforge.net mailing list, and for providing a proposed fix.
   * TWiki:Main.PeterThoeny for creating the fix, patch and advisory.
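Review bot: in the hotfix hunk above, the added "+" quantifier in s/~~+\[/~[/g and s/~~+\]/~]/g collapses any run of two or more tildes before a bracket into a single escaped bracket, which closes the gap left by the exact "~~\[" match (an odd-length run such as "~~~[" left "~~[" behind, i.e. an escaped tilde followed by a live "[" that Locale::Maketext treats as bracket notation), but it also means a literal tilde immediately followed by a literal bracket can no longer be expressed; the unchanged comment "# restore already escaped stuff:" no longer describes what these two lines do and should state that tilde runs before brackets are deliberately flattened for safety.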
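As an added illustration (not TWiki's code), the following Python port of the pre-hotfix and hotfixed sanitizer steps, together with a minimal model of how Locale::Maketext reads tilde escapes, shows why the probe string from the Verify Hotfix section reaches Locale::Maketext as a live method call on an unpatched site and as literal text once patched. It assumes that an escaping pass s/\[/~[/g precedes the lines shown in the hunk, and that the hunk's regexes behave identically under Python's re module.

```python
import re

# Added example, not TWiki's code: a Python port of the MAKETEXT escaping steps
# around the hotfix. ASSUMPTION: a pass s/\[/~[/g precedes the hunk's s/\]/~]/g.
def escape_everything(s: str) -> str:
    return s.replace("[", "~[").replace("]", "~]")

def sanitize_old(s: str) -> str:
    # Pre-hotfix: restore "already escaped" brackets by matching exactly "~~[".
    # On "~~~[" (input "~~[" after escaping) the match starts at offset 1 and
    # leaves "~~[" behind: an escaped tilde followed by a bare, live "[".
    s = escape_everything(s)
    return re.sub(r"~~\]", "~]", re.sub(r"~~\[", "~[", s))

def sanitize_fixed(s: str) -> str:
    # Hotfix: "~~+" swallows the whole tilde run, so every bracket that reaches
    # Locale::Maketext is preceded by exactly one "~" and is therefore literal.
    s = escape_everything(s)
    return re.sub(r"~~+\]", "~]", re.sub(r"~~+\[", "~[", s))

def maketext_tokens(s: str) -> list:
    # Minimal model of Locale::Maketext: "~x" is the literal character x
    # ("~~" -> "~", "~[" -> "["); a bare "[ ... ]" is bracket notation, i.e. a
    # method call such as [quant,4,singular,plural]. Returns (kind, text) pairs.
    tokens, text, i = [], "", 0
    while i < len(s):
        if s[i] == "~" and i + 1 < len(s):
            text, i = text + s[i + 1], i + 2
        elif s[i] == "[":
            j = i + 1
            while j < len(s) and s[j] != "]":
                j += 2 if s[j] == "~" else 1   # skip escaped chars inside the call
            if text:
                tokens.append(("text", text))
            tokens.append(("call", s[i + 1:j]))
            text, i = "", j + 1
        else:
            text, i = text + s[i], i + 1
    if text:
        tokens.append(("text", text))
    return tokens

def has_method_call(s: str) -> bool:
    # True when bracket notation survives sanitization; the hotfix makes this False.
    return any(kind == "call" for kind, _ in maketext_tokens(s))

# Constructed probe: the string from the "Verify Hotfix" step of the advisory.
PROBE = "~~[quant,4, singular, plural, ~~]"
```

Running has_method_call(sanitize_old(PROBE)) and has_method_call(sanitize_fixed(PROBE)) gives True and False respectively, matching the "~4 plural" versus literal-bracket outputs listed in the verification step.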
---++ Action Plan with Timeline

   * 2013-02-12 - John Lightsey of nixnuts.net discloses issue to TWikiSecurityMailingList [4]
   * 2013-02-13 - developer verifies issue - Peter Thoeny
   * 2013-02-15 - developer fixes code - Peter Thoeny
   * 2013-02-15 - security team creates advisory with hotfix - Peter Thoeny
   * 2013-02-16 - send alert to TWikiAnnounceMailingList [5] and TWikiDevMailingList [6] - Peter Thoeny
   * 2013-02-18 - publish advisory in Codev web and update all related topics - Peter Thoeny
   * 2013-02-18 - issue a public security advisory to full-disclosure[at]lists.grok.org.uk, cert[at]cert.org, vuln[at]secunia.com, bugs[at]securitytracker.com, submissions[at]packetstormsecurity.org - Peter Thoeny

---++ External Links

   * [1]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess
   * [2]: http://twiki.org/cgi-bin/view/Codev/TWikiRelease05x01x04
   * [3]: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2013-1751
   * [4]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityMailingList
   * [5]: http://twiki.org/cgi-bin/view/Codev/TWikiAnnounceMailingList
   * [6]: http://twiki.org/cgi-bin/view/Codev/TWikiDevMailingList
   * [7]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1751 - CVE on MITRE.org
   * [8]: http://develop.twiki.org/~twiki4/cgi-bin/view/Bugs/Item7145
   * [9]: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2012-6329

---++ Feedback

Please provide feedback at the security alert topic at http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2012-6329

-- Peter Thoeny - http://twiki.org/ - 2013-02-18