
| Subject: | [VulnWatch] TWiki Security Alert: Viewfile script allows view of arbitrary files (CVE-2006-4294) |
|---|---|
| Date: | Thu, 07 Sep 2006 08:30:10 -0700 |
This is a security advisory for TWiki installations:
Unauthorized users may view arbitrary files of the server file system with the viewfile script.
* Vulnerable Software Version
* Attack Vectors
* Impact
* Severity Level
* MITRE Name for this Vulnerability
* Details
* Countermeasures
* Hotfix
* Authors and Credits
* Action Plan with Timeline
* Feedback
* External Links
---++ Vulnerable Software Version
* TWikiRelease04x00x04 -- TWiki-4.0.4.zip
* TWikiRelease04x00x03 -- TWiki-4.0.3.zip
* TWikiRelease04x00x02 -- TWiki-4.0.2.zip
* TWikiRelease04x00x01 -- TWiki-4.0.1.zip
* TWikiRelease04x00x00 -- TWiki-4.0.0.zip
---++ Attack Vectors
Supply a specially crafted HTTP POST request on the TWiki viewfile script.
---++ Impact
An intruder is able to view arbitrary files on the server file system that are readable by the webserver user, such as user nobody or wwwrun. The server can potentially be exploited by reading system files such as /etc/passwd.
---++ Severity Level
The TWiki SecurityTeam [2] triaged this issue as documented in TWikiSecurityAlertProcess [3] and assigned the following severity level:
* Severity 1 issue: The web server can be compromised
---++ MITRE Name for this Vulnerability
The Common Vulnerabilities and Exposures project has assigned the name CVE-2006-4294 [4] to this vulnerability.
---++ Details
No TWiki 4.0.x release sanitizes the filename parameter of the viewfile script, so the parameter can be used to read arbitrary files on the server. For example, http://example.com/bin/viewfile/TWiki/TWikiDocGraphics?rev=1;filename=../../../../../etc/passwd displays the content of the =/etc/passwd= file in the browser.
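To show the traversal from the defender's side, here is an added Perl example (not TWiki's code and not part of the advisory) that applies the hotfix's separator test and an assumed stricter path-containment check to the advisory's sample filename and a few constructed ones; the pub directory, web and topic names are assumptions.

```perl
#!/usr/bin/perl
# Added example, not TWiki code. Two ways to vet the viewfile 'filename'
# parameter before it is joined onto the attachment directory:
#   check_separators() is the hotfix's test (reject any '/' or '\');
#   check_contained() is an assumed stricter variant that resolves the
#   joined path lexically and requires it to stay under the pub directory.
# $PUB_DIR, the web/topic and the sample names are constructed values.
use strict;
use warnings;
use File::Spec;

my $PUB_DIR = '/var/twiki/pub';

# Hotfix-style blacklist: rejects the advisory's ../../../../../etc/passwd.
sub check_separators {
    my ($name) = @_;
    return ($name =~ m#[/\\]#) ? 0 : 1;
}

# Containment check: build pub/web/topic/name, collapse '.' and '..'
# segments without touching the filesystem, then require the result to
# sit below the topic's attachment directory. Symlinks are not covered.
sub check_contained {
    my ($web, $topic, $name) = @_;
    return 0 if $name eq '';
    my $base = File::Spec->catdir($PUB_DIR, $web, $topic);
    my @parts;
    for my $seg (File::Spec->splitdir(File::Spec->catfile($base, $name))) {
        if ($seg eq '..') { pop @parts; next; }
        next if $seg eq '.' || ($seg eq '' && @parts);  # keep leading root ''
        push @parts, $seg;
    }
    my $resolved = File::Spec->catdir(@parts);
    return index("$resolved/", "$base/") == 0 ? 1 : 0;
}

# On a Unix host a backslash is an ordinary filename character, so only the
# separator check rejects the third sample; '..' alone passes the hotfix test
# but not the containment check.
my @samples = ('logo.gif', '../../../../../etc/passwd', '..\\..\\boot.ini', '..');
for my $name (@samples) {
    printf "%-28s separators=%d contained=%d\n", $name,
        check_separators($name), check_contained('TWiki', 'TWikiDocGraphics', $name);
}
```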
---++ Countermeasures
* Restrict access to the TWiki installation.
* Apply the hotfix indicated below.
NOTE: The hotfix is known to prevent the current attacks, but it might not be a complete fix.
---++ Hotfix
The accumulated Hotfix 3 for TWiki-4.0.4 contains an improved version of the View.pm module, fixing the known vulnerability. Hotfix 3 will be available at http://twiki.org/cgi-bin/view/Codev/HotFix04x00x04x03 in a few days.
If you prefer to fix your TWiki installation immediately, add the line with "die" to the twiki/lib/TWiki/UI/View.pm file:
Index: View.pm
===========================================================
--- View.pm (revision 11339)
+++ View.pm (working copy)
@@ -356,6 +356,7 @@
my $topic = $session->{topicName};my $fileName = $query->param( 'filename' ); + die "Illegal attachment name" if $fileName =~ m#[/\\]#;
my $rev = $session->{store}->cleanUpRevID( $query->param( 'rev' ) );
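Review bot: the added `die "Illegal attachment name" if $fileName =~ m#[/\\]#;` stops the separator-based traversal from the advisory, but it aborts with a raw Perl exception rather than going through TWiki's normal error handling that the surrounding `$session` code uses, and because it only rejects `/` and `\` a filename consisting solely of `..` still passes the check. Consider validating the name against the allowed attachment-name character set (a whitelist) instead of a separator blacklist, and raising TWiki's usual error so the user gets a proper error page rather than a server error.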
---++ Authors and Credits
* Credit to TWiki:Main.MinsungChoi and TWiki:Main.KoenMartens for disclosing the issue to the twiki-security mailing list
* TWiki:Main.CrawfordCurrie for creating a fix
* TWiki:Main.KennethLavrsen for creating Hotfix 3 for TWiki release 4.0.4
* TWiki:Main.PeterThoeny and TWiki:Main.KennethLavrsen for creating the advisory
---++ Action Plan with Timeline
* 2006-08-20 and 08-28: User discloses vulnerability to twiki-security
* 2006-08-22: Developer verifies issue
* 2006-08-22: Developer creates fix
* 2006-08-31: Security team creates advisory
* 2006-09-05: Send alert to twiki-announce mailing list and twiki-dev mailing list
* 2006-09-06: Developer creates Hotfix 3
* 2006-09-07: Publish advisory on TWiki.org
* 2006-09-07: Issue a public security advisory
---++ Feedback
Please provide feedback at the security alert topic [1], http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2006-4294
---++ External Links
[1]: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2006-4294
[2]: http://twiki.org/cgi-bin/view/Codev/SecurityTeam
[3]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess
[4]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4294
[5]: http://twiki.org/cgi-bin/view/Codev/TWikiRelease04x00x04
[6]: http://twiki.org/cgi-bin/view/Codev/HotFix04x00x04x03
-- Contributors: Peter Thoeny, Crawford Currie, Kenneth Lavrsen - 07 Sep 2006
--
* Peter Thoeny Peter@StructuredWikis.com
* http://StructuredWikis.com - bringing wikis to the workplace
* http://TWiki.org - is your team already TWiki enabled?
* Knowledge cannot be managed, it can be discovered and shared
* This e-mail is: (_) private (_) ask first (x) public