[Gnumed-devel] [Fwd: TWiki Security Alert and TWiki Security E-mail List]

[David Grant]

Email which was sent to me Nov 28, 2004.

-------- Original Message --------
Subject:        TWiki Security Alert and TWiki Security E-mail List
Date:   Sun, 28 Nov 2004 08:33:49 GMT
From:   TWiki Security List <address@hidden>
Reply-To: 	TWiki Announcement FeedBack 
<address@hidden>
To:     address@hidden



Dear TWiki User,

We are emailing you about a high priority security vulnerability in 
TWiki. Known TWiki site administrators have already been alerted, and
a public security advisory has been sent out. However, we did not reach
all administrators, and we now know that some public TWiki sites have
been cracked.

We are taking the unusual step of emailing a broader TWiki audience
to alert you and to announce an improved security alert process with a
mailing list. We will only be doing this once; all future security alerts
will be sent solely to those subscribed to the new opt-in mailing list.
You have recieved this mail because you:

  * are a registered user at TWiki.org, or
  * requested TWiki in the past and asked in the form to be
    notified of new releases, or
  * run a public TWiki site that Google could find

If you do not use TWiki, please ignore this email. If you don't 
administer your TWiki site, or started a site now administered by 
someone else, please pass it to the current TWiki site administrator.

Even if you have fixed this vulnerability, you are strongly recommended 
to join the new low-volume security announcement email list for TWiki 
at http://lists.sourceforge.net/lists/listinfo/twiki-announce

Since this vulnerability is publicly announced and is being actively 
exploited, you are encouraged to post this to email lists that you 
think may be relevant.  The alert has been sent out on some general 
security email lists already, but without the TWiki security email 
list information.

Table of Contents:

  * Summary
  * Vulnerable Software Versions
  * Attack Vectors
  * Impact
  * Details
  * Countermeasures
  * What to do if You Think You May Have Been Cracked
  * TWiki Announce And Security Email List
  * New TWiki Release
  * Authors And Credits
  * How To Contact Us
  * Hotfix

---++ Summary

TWiki's search feature allows arbitrary shell command execution - a web 
server running TWiki can be compromised remotely.


---++ Vulnerable Software Versions

  * TWiki Production Release 01-Sep-2004 -- TWiki20040901.zip
  * TWiki Production Release 01-Feb-2003 -- TWiki20030201.zip
  * TWiki Production Release 01-Dec-2001 -- TWiki20011201.zip
  * TWiki Production Release 01-Dec-2000 -- TWiki20001201.zip
  * Subversion repository linked from
    http://twiki.org/cgi-bin/view/Codev/SubversionReadme
    (up to and including revision 3224, fixed in revision 3225)
  * All alpha and beta releases prior to 12 Nov 2004

---++ Attack Vectors

HTTP GET requests towards the Wiki server (typically port 80/TCP).
Usually, no prior authentication is necessary. Possibly also HTTP POST, 
but this is untested.


---++ Impact

A remote attacker is able to execute arbitrary shell commands with the
privileges of the web server process, such as user nobody.


---++ Details

The TWiki search function uses a user supplied search string to
compose a command line executed by the Perl backtick (``) operator.

The search string is not checked properly for shell metacharacters
and is thus vulnerable to search string containing quotes and shell
commands.

An example search string would be: "test_vulnerability '; ls -la'"

If access to TWiki is not restricted by other means, attackers can
use the search function without prior authentication.

More details can be found at
http://TWiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearch


---++ Countermeasures

The main countermeasure is to apply the hotfix (see patches at end of 
this e-mail).

Temporary countermeasures if hotfix cannot be applied immediately:

  * Filter access to the web server
  * Use the web server software to restrict access to the web pages 
    served by TWiki
  * For sites accessible to search engines, use Google temporarily
    instead of normal searching, and remove execute permissions from
    the 'search' script. See details at
    http://twiki.org/cgi-bin/view/Codev/GoogleYourTWiki 


---++ What to do if You Think You May Have Been Cracked

If your TWiki site is publicly accessible (on the Internet) there is 
a risk that your site has been cracked. Visit 

http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearchHackReports 
to learn how other people detected intrisions and found cracking 
attempts. 

If your TWiki site was cracked and runs on Linux kernel 2.4, you should 
also check for the installation of rootkits on your server - see 
http://www.google.com/search?hl=en&q=rootkit+detect for some links, 
e.g. http://www.chkrootkit.org/


---++ TWiki Announce And Security Email List

A new email list has been created to announce new TWiki releases and
to distribute security alerts quickly in the future. This low-volume 
list is the best way to find out about and fix any future security 
issues. It is highly recommended that TWiki site administrators sign 
up to this now at http://lists.sourceforge.net/lists/listinfo/twiki-announce
- you can find more details at 
http://twiki.org/cgi-bin/view/Codev/TWikiAnnounceMailingList

In addition, a TWiki security team has been created - any new 
vulnerability should be reported to this team, which will ensure the 
vulnerability is analysed, fixed, and patches + new releases distributed
as quickly as possible.  Please see details at 
http://twiki.org/cgi-bin/view/Codev/SecurityTeam

Our security alert process is documented at
http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess


---++ New TWiki Release

The latest TWiki Production Release 02-Sep-2004, aka CairoRelease,
is available for download. It is a major release replacing version 
01-Feb-2003 and is proof against this security hole. You can download 
the new release from http://TWiki.org/download.html - however, you 
can of course just patch your current release if you prefer.

Major changes since TWiki 01-Feb-2003 release:

  * Automatic upgrade script, and easier first-time installation
  * Attractive new skins, using a standard set of CSS classes, and
    a skin browser to help you choose
  * New easier-to-use save options
  * Many improvements to SEARCH
  * Improved support for internationalisation
  * Better topic management screens
  * More pre-installed Plugins: CommentPlugin, EditTablePlugin,
    RenderListPlugin, SlideShowPlugin, SmiliesPlugin,
    SpreadSheetPlugin, TablePlugin
  * Improved Plugins API and more Plugin callbacks
  * Better support for different authentication methods
  * Many user interface and usability improvements
  * And many, many more enhancements


---++ Authors And Credits

Martin Cleaver, Crawford Currie, Richard Donkin, Sven Dowideit, Markus 
Goetz, Joerg Hoh, Michael Holzt, Florian Laws, Colas Nahaboo, Hans 
Ulrich Niedermann, Andreas Thienemann, Peter Thoeny and Florian Weimer 
all contributed to this advisory.


---++ How To Contact Us

Please do not reply to this e-mail. Please contact:

  * TWiki Announcement FeedBack <address@hidden> or 
  address@hidden if you have questions or concerns regarding this 
  announcement 
  * http://TWiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearch 
  for feedback on this vulnerability 
  * address@hidden if you discovered a vulnerability
  * http://twiki.org/cgi-bin/view/Support if you have support questions
  * http://twiki.org/cgi-bin/view/Codev to get involved in the community
  * irc://irc.freenode.net/twiki for realtime communication with fellow 
    TWiki users and administrators. Details at 
    http://twiki.org/cgi-bin/view/Codev/TWikiIRC

Best regards,

TWiki Security Team

---++ Hotfix

----------------------------------------------------------------------------
Patch for twiki/lib/TWiki/Search.pm of TWiki Production Release 01-Sep-2004:
----------------------------------------------------------------------------

*** TWiki20040901/Search.pm  2004-11-12 11:54:47.000000000 -0800
--- ./Search.pm 2004-11-12 12:08:29.000000000 -0800
***************
*** 434,439 ****
--- 434,446 ----
     my $tempVal = "";
     my $tmpl = "";
     my $topicCount = 0; # JohnTalintyre
+
+     # fix for Codev.SecurityAlertExecuteCommandsWithSearch
+     # vulnerability, search: "test_vulnerability '; ls -la'"
+     $theSearchVal =~ s/(^|[^\\])([\'\`])/\\$2/g;    # Escape ' and `
+     $theSearchVal =~ s/address@hidden(/$1\\\(/g;           # Defuse @( ... ) and $( 
... ) 
+     $theSearchVal = substr($theSearchVal, 0, 1500); # Limit string length
+
     my $originalSearch = $theSearchVal;
     my $renameTopic;
     my $renameWeb = "";

----------------------------------------------------------------------------
Patch for twiki/lib/TWiki/Search.pm of TWiki Production Release 01-Feb-2003:
----------------------------------------------------------------------------

*** TWiki20030201/Search.pm     2004-11-12 12:11:52.000000000 -0800
--- ./Search.pm 2004-11-12 12:12:20.000000000 -0800
***************
*** 135,140 ****
--- 135,147 ----
     my $tempVal = "";
     my $tmpl = "";
     my $topicCount = 0; # JohnTalintyre
+
+     # fix for Codev.SecurityAlertExecuteCommandsWithSearch
+     # vulnerability, search: "test_vulnerability '; ls -la'"
+     $theSearchVal =~ s/(^|[^\\])([\'\`])/\\$2/g;    # Escape ' and `
+     $theSearchVal =~ s/address@hidden(/$1\\\(/g;           # Defuse @( ... ) and $( 
... ) 
+     $theSearchVal = substr($theSearchVal, 0, 1500); # Limit string length
+
     my $originalSearch = $theSearchVal;
     my $renameTopic;
     my $renameWeb = "";

----------------------------------------------------------------------------
Patch for twiki/lib/TWiki/Search.pm of TWiki Production Release 01-Dec-2001:
----------------------------------------------------------------------------

*** TWiki20011201/Search.pm     2004-11-12 12:15:55.000000000 -0800
--- ./Search.pm 2004-11-12 12:16:45.000000000 -0800
***************
*** 133,138 ****
--- 133,145 ----
     my $tempVal = "";
     my $tmpl = "";
     my $topicCount = 0; # JohnTalintyre
+
+     # fix for Codev.SecurityAlertExecuteCommandsWithSearch
+     # vulnerability, search: "test_vulnerability '; ls -la'"
+     $theSearchVal =~ s/(^|[^\\])([\'\`])/\\$2/g;    # Escape ' and `
+     $theSearchVal =~ s/address@hidden(/$1\\\(/g;           # Defuse @( ... ) and $( 
... ) 
+     $theSearchVal = substr($theSearchVal, 0, 1500); # Limit string length
+
     my $originalSearch = $theSearchVal;
     my $renameTopic;
     my $renameWeb = "";

--------------------------------------------------------------------------
Patch for twiki/bin/wikisearch.pm of TWiki Production Release 01-Dec-2000:
--------------------------------------------------------------------------

*** TWiki20001201/wikisearch.pm 2004-11-12 12:18:55.000000000 -0800
--- ./wikisearch.pm     2004-11-12 12:23:07.000000000 -0800
***************
*** 117,122 ****
--- 117,129 ----

     my $tempVal = "";
     my $tmpl = "";
+
+     # fix for Codev.SecurityAlertExecuteCommandsWithSearch
+     # vulnerability, search: "test_vulnerability '; ls -la'"
+     $theSearchVal =~ s/(^|[^\\])([\'\`])/\\$2/g;    # Escape ' and `
+     $theSearchVal =~ s/address@hidden(/$1\\\(/g;           # Defuse @( ... ) and $( 
... ) 
+     $theSearchVal = substr($theSearchVal, 0, 1500); # Limit string length
+
     if( $doBookView ) {
         $tmpl = readTemplate( "searchbookview" );
     } else {

------------------------------------------------------------------------
End patches
------------------------------------------------------------------------



--
David J. Grant
http://www.davidgrant.ca:81

david.grant.vcf
Description: Vcard