
| Subject: | [VulnWatch] TWiki Security Alert: Login bypass allows view of access restricted content (CVE-2006-6071) |
|---|---|
| Date: | Thu, 30 Nov 2006 10:51:57 -0800 |
This is a security advisory for TWiki installations:
Unauthorized users may view access restricted content with a failed login. This applies only to TWiki installations with sessions enabled using Apache 1.3, not Apache 2.x.
* Vulnerable Software Version
* Attack Vectors
* Impact
* Severity Level
* MITRE Name for this Vulnerability
* Details
* Countermeasures
* Hotfix
* Authors and Credits
* Action Plan with Timeline
* Feedback
* External Links
---++ Vulnerable Software Version
* TWikiRelease04x00x05 -- TWiki-4.0.5.zip
* TWikiRelease04x00x04 -- TWiki-4.0.4.zip
* TWikiRelease04x00x03 -- TWiki-4.0.3.zip
* TWikiRelease04x00x02 -- TWiki-4.0.2.zip
* TWikiRelease04x00x01 -- TWiki-4.0.1.zip
* TWikiRelease04x00x00 -- TWiki-4.0.0.zip
* TWikiRelease04Sep2004 -- TWiki20040904.zip (1)
* TWikiRelease03Sep2004 -- TWiki20040903.zip (1)
* TWikiRelease02Sep2004 -- TWiki20040902.zip (1)
* TWikiRelease01Sep2004 -- TWiki20040901.zip (1)
(1) - with SessionPlugin
---++ Attack Vectors
An unauthorized user can log in by cancelling out of a failed login.
---++ Impact
An unauthorized user is able to view content in access restricted topics. Editing topics and attaching files is not impacted.
---++ Severity Level
The TWiki SecurityTeam [2] triaged this issue as documented in TWikiSecurityAlertProcess [3] and assigned the following severity level:
* Severity 3 issue: TWiki content or browser is compromised
---++ MITRE Name for this Vulnerability
The Common Vulnerabilities and Exposures project has assigned the name CVE-2006-6071 [4] to this vulnerability.
---++ Details
Your site may be vulnerable if:
1. You have ErrorDocument 401 set to point to the TWikiRegistration topic (or any other TWiki topic), and
2. You are using !ApacheLogin with TWiki-4.0 and have sessions enabled, _or_ you are using an earlier TWiki version with SessionPlugin, and
3. You are running Apache 1.3.
The exploit can be used to view pages protected by TWiki permissions. It does not allow you to gain write access. You can verify if your site is vulnerable as follows:
1. Click the 'Login' link in the left bar
2. Enter the login name of a valid user, but an incorrect password.
3. Click "Ok"
4. If Apache re-prompts, enter the same username and password again
5. Click "Cancel"
If your site is vulnerable you will be redirected to the TWikiRegistration topic with the valid user apparently logged in (the name appears in the left bar).
---++ Countermeasures
* Restrict access to the TWiki installation.
* Apply the hotfix indicated below.
NOTE: The hotfix is known to prevent the current attacks, but it might not be a complete fix.
---++ Hotfix
Delete the ErrorDocument line in the Apache configuration (httpd.conf or .htaccess), *or* (preferred) change it to point to a static HTML page. This page can safely contain a link to the TWikiRegistration page. For example,
<html>
  <head>
    <title>Failed login</title>
  </head>
  <body>
    Your login attempt failed.
    <p />
    Do you want to <a href="/cgi-bin/view/TWiki/TWikiRegistration">register in TWiki</a>?
  </body>
</html>
(modify the href as appropriate for your site.)
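As an added configuration check (not part of the advisory or of TWiki), the shell function below classifies the ErrorDocument 401 target in an Apache config file: a target served by a TWiki CGI script (bin/view, cgi-bin) is the vulnerable setting described above, a static page is the hotfixed one. The function name and the sample httpd.conf fragments are constructed for this example.

```shell
#!/bin/sh
# Added example for CVE-2006-6071, not from the advisory: report whether the
# Apache 401 handler points at a TWiki CGI script (the vulnerable setting)
# or at a static page (the hotfix). Prints "vulnerable", "ok" or "none".

check_errordocument_401() {
    conf="$1"
    # Drop comments, then take the target of every "ErrorDocument 401 <target>"
    # line (Apache directive names are case-insensitive, hence tolower).
    targets=$(sed 's/#.*$//' "$conf" |
              awk 'tolower($1)=="errordocument" && $2=="401" {print $3}')
    if [ -z "$targets" ]; then
        echo none
        return 0
    fi
    verdict=ok
    for t in $targets; do
        case "$t" in
            # Any target handled by a TWiki script re-enters the wiki with the
            # failed credentials; a quoted message or a .html file does not.
            */bin/view*|*/bin/*|*/cgi-bin/*) verdict=vulnerable ;;
        esac
    done
    echo "$verdict"
}

# Constructed sample fragments (hypothetical paths) written to temp files.
write_sample() {
    f=$(mktemp)
    printf '%s\n' '# constructed httpd.conf fragment' "$1" > "$f"
    echo "$f"
}

before=$(write_sample 'ErrorDocument 401 /cgi-bin/view/TWiki/TWikiRegistration')
after=$(write_sample 'ErrorDocument 401 /failed-login.html')
echo "before hotfix: $(check_errordocument_401 "$before")"
echo "after hotfix:  $(check_errordocument_401 "$after")"
rm -f "$before" "$after"
```

Run it against your real httpd.conf or .htaccess with `check_errordocument_401 /path/to/httpd.conf`; a "vulnerable" verdict means the 401 handler still points into TWiki.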
---++ Authors and Credits
* Credit to TWiki:Main.GeorgeClark for disclosing the issue to the twiki-security mailing list
* TWiki:Main.CrawfordCurrie for researching the issue and for creating the recommended fix
* TWiki:Main.PeterThoeny for creating the advisory
---++ Action Plan with Timeline
* 2006-11-17: User discloses vulnerability to twiki-security
* 2006-11-21: Developer verifies issue
* 2006-11-21: Developer creates hotfix
* 2006-11-21: Security team creates advisory
* 2006-11-29: Send alert to TWikiAnnounceMailingList and TWikiDevMailingList
* 2006-11-30: Publish advisory in Codev web and update all related topics
* 2006-11-30: Issue a public security advisory
---++ Feedback
Please provide feedback at the security alert topic [1], http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2006-6071
---++ External Links
[1]: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2006-6071
[2]: http://twiki.org/cgi-bin/view/Codev/SecurityTeam
[3]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess
[4]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6071
-- Contributors: Main.CrawfordCurrie, Main.PeterThoeny - 30 Nov 2006
--
* Peter Thoeny Peter@StructuredWikis.com
* http://StructuredWikis.com - bringing wikis to the workplace
* http://TWiki.org - is your team already TWiki enabled?
* Knowledge cannot be managed, it can be discovered and shared
* This e-mail is: (_) private (_) ask first (x) public