Security Alert CVE-2009-1339: CSRF Vulnerability with Image Tag

ALERT! Get Alerted: To get immediate alerts of high priority security issues, please join the low-volume twiki-announce list - details at TWikiAnnounceMailingList

This advisory alerts you of a security issue with your TWiki installation: A remote user may gain TWiki admin privileges with a specially crafted image tag.

NOTE: Upgrade to TWiki-4.3.2, see related SecurityAuditTokenBasedCsrfFix

Vulnerable Software Version

Attack Vectors

The attack is carried out by editing wiki pages and by issuing HTTP GET requests to the TWiki server (usually port 80/TCP). Prior authentication is typically required, but an anonymous TWikiGuest account counts. The vulnerability exists because TWiki accepts HTTP GET requests to save pages, which opens it up to CSRF (cross-site request forgery) attacks.

Impact

An image tag can be crafted that, when viewed, updates pages in TWiki with the attacker's content as the viewing user, including members of the TWikiAdminGroup. This can be used to gain administrator privileges, change access permissions and do other things.

Severity Level

The TWiki SecurityTeam triaged this issue as documented in TWikiSecurityAlertProcess and assigned the following severity level:

  • Severity 2 issue: The TWiki installation is compromised

MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name CVE-2009-1339 to this vulnerability.

Details

When a malicious user embeds an img tag in a TWiki page that points to a TWiki script (such as the save script) instead of an image URL, the script is executed, as the viewing user, each time someone looks at that TWiki page.

Example:

1. Edit a page and add this image tag:

<img alt="" src="%SCRIPTURLPATH{save}%/Sandbox/TestTopic?text=Did+I+really+update+this+page!" />

2. Ask another user to view the page with this image tag. The Sandbox.TestTopic page is now updated by that user with text "Did I really update this page!".

Countermeasures

  • Apply comprehensive hotfix or minimal hotfix (see patch below).
  • Upgrade to the latest patched production TWiki-4.3.1, TWikiRelease04x03x01.
  • Use the web server software to restrict access to the web pages served by TWiki.

NOTE: Upgrade to TWiki-4.3.2, see related SecurityAuditTokenBasedCsrfFix

Comprehensive Hotfix for TWiki Production Release 4.2.x and 4.3.0

It is recommended to upgrade to the latest TWiki-4.3.1. We also provide a comprehensive hotfix for TWiki-4.2.x and 4.3.0 only, containing all patched files needed to fix this CSRF vulnerability. The patch prevents any content update via HTTP GET. The following scripts are protected: manage (critical actions only), register, rename, rest (critical actions only), save, upload.
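To make the Details section and the comprehensive hotfix concrete, here is an added example in Python that is not TWiki's code and not part of the advisory: a miniature script dispatcher with a read-only view script and a state-changing save script. With the gate switched off it reproduces the advisory's scenario (an img tag fetched by a victim's browser saves Sandbox.TestTopic as that user); with the gate switched on, the scripts refuse anything but POST before touching state, which is the behaviour the hotfixed scripts implement. All names (dispatch, TOPICS, the request dicts, STATE_CHANGING) are constructed for this example.

```python
"""Added example, not TWiki's code: a miniature script dispatcher that shows
why a state-changing script reachable by HTTP GET is CSRF-prone, and the
method gate the comprehensive hotfix puts into the scripts themselves.
Every name here (dispatch, TOPICS, the request dicts) is constructed."""

# Constructed in-memory topic store: "Web.Topic" -> (last_editor, text)
TOPICS = {}

# Scripts that change server state; the advisory lists these as the ones the
# comprehensive hotfix protects (manage and rest: critical actions only).
STATE_CHANGING = {"save", "register", "rename", "upload", "manage", "rest"}


def view(request):
    """Read-only script: serving it on GET is fine."""
    _editor, text = TOPICS.get(request["params"]["topic"], (None, ""))
    return 200, text


def save(request):
    """Writes as whichever user's session made the request."""
    params = request["params"]
    TOPICS[params["topic"]] = (request["user"], params.get("text", ""))
    return 200, "saved"


SCRIPTS = {"view": view, "save": save}


def dispatch(request, require_post=True):
    """require_post=False reproduces the vulnerable behaviour; True applies
    the gate before any handler runs, which is what the hotfixed scripts do."""
    script = request["script"]
    if require_post and script in STATE_CHANGING and request["method"] != "POST":
        # Refuse before touching any state. An <img> fetch is always a GET.
        return 405, "method not allowed"
    return SCRIPTS[script](request)


def victim_renders_img_tag(viewer, require_post):
    """Simulate a browser rendering the advisory's <img> tag: the src URL is
    fetched with GET and carries the viewing user's own session."""
    request = {"method": "GET", "script": "save", "user": viewer,
               "params": {"topic": "Sandbox.TestTopic",
                          "text": "Did I really update this page!"}}
    return dispatch(request, require_post)


if __name__ == "__main__":
    for gated in (False, True):
        TOPICS.clear()
        status, body = victim_renders_img_tag("AdminUser", gated)
        print("POST-only gate %s: %d %s, store=%r"
              % ("on" if gated else "off", status, body, TOPICS))
```

Restricting these scripts to POST stops requests triggered by img tags, HTML links and TWiki links, because a browser always issues those as GET. It does not by itself stop a third-party page that submits a POST form with the victim's session cookies, which is why the advisory points on to the token-based fix in TWiki-4.3.2 (SecurityAuditTokenBasedCsrfFix).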

Affected files:

  • twiki/lib/TWiki/Plugins/EditTablePlugin.pm
  • twiki/lib/TWiki/Plugins/EditTablePlugin/Core.pm
  • twiki/lib/TWiki/Plugins/PreferencesPlugin.pm
  • twiki/lib/TWiki/Plugins/WysiwygPlugin.pm
  • twiki/lib/TWiki/UI.pm
  • twiki/lib/TWiki/UI/Manage.pm
  • twiki/lib/TWiki/UI/Register.pm
  • twiki/lib/TWiki/UI/Save.pm
  • twiki/lib/TWiki/UI/Upload.pm
  • twiki/templates/messages.tmpl
  • twiki/templates/oopsmore.tmpl
  • twiki/templates/registerconfirm.tmpl

Download comprehensive hotfix for TWiki-4.2.x and 4.3.0 from: http://twiki.org/p/pub/Codev/SecurityAlert-CVE-2009-1339/TWiki-4.3.0-c-hotfix-cve-2009-1339.zip

Equivalent patch-diff is at http://twiki.org/p/pub/Codev/SecurityAlert-CVE-2009-1339/TWiki-4.3.0-c-diff-cve-2009-1339.txt

Back up the twiki/lib and twiki/templates directories before applying the hotfix. To apply the hotfix, unpack the zip file over your twiki root directory on the TWiki server. Fix file ownership to match the existing files.

Minimal Hotfix for TWiki Production Releases

It is recommended to upgrade to the latest TWiki version, or to apply the comprehensive hotfix above. If an immediate upgrade is not feasible you can apply this minimal patch for TWiki Production Release 4.2.x and 4.3.0. There is no hotfix for older releases; take the minimal hotfix as a guideline (line numbers may vary).

The minimal hotfix protects your TWiki installation with an Apache configuration setting rather than having the scripts protect themselves, as the comprehensive fix does.

Known issue of the minimal hotfix: A save operation after login may fail the first time when template-login is used.

Affected files:

  • /etc/httpd/conf.d/twiki.conf (location of Apache configuration file may vary)
  • twiki/templates/messages.tmpl
  • twiki/templates/oopsmore.tmpl
  • twiki/templates/registerconfirm.tmpl

1. Patch /etc/httpd/conf.d/twiki.conf:

Within the <Directory "/var/www/twiki/bin"> directive, restrict the save, register and upload scripts to the POST method by adding the following directives just above the <FilesMatch "^(configure).*$"> directive:

# protect against cross-site request forgery
<FilesMatch "^(save|register|upload).*">
  <LimitExcept POST>
     Deny From all
  </LimitExcept>
</FilesMatch>

Don't forget to restart your browser. If you have a working .htaccess file in the twiki/bin directory, make the changes there instead.

2. Patch twiki/templates/messages.tmpl:

--- messages.tmpl.save
+++ messages.tmpl
@@ -193,10 +193,10 @@
 
 %MAKETEXT{"Your activation code has been sent to [_1].  Either click on the link in your e-mail or enter the code in the box below to activate your membership. (This code is of the form \"YourName.xxxxxxxxxx\")" args="%PARAM1%"}%
 
-<form action="%SCRIPTURLPATH{"register"}%">
+<form action="%SCRIPTURLPATH{"register"}%" method="post">
 <input type="hidden" name="action" value="verify" size="20" />
-<input type="text" name="code" size="20" />
-<input type="submit" class="twikiSubmit" value=' %MAKETEXT{"Submit"}% ' />
+<input type="text" name="code" value="%URLPARAM{ "code" encode="entity" }%" size="20" />
+<input type="submit" class="twikiSubmit" value=' %MAKETEXT{"Confirm registration"}% ' />
 </form>
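Review bot: adding method="post" to this form is only effective if the register script (or the Apache LimitExcept POST rule from step 1) actually rejects GET; the template change by itself does not stop a crafted GET to register?action=verify;code=..., so the hunk should be applied together with that server-side restriction. The new code input interpolates %URLPARAM{ "code" encode="entity" }% inside a double-quoted attribute, which is the correct encoding for that position. Minor style point on the unchanged context line: the hidden action input still carries size="20", which has no effect on a hidden field and could be dropped.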

3. Patch twiki/templates/oopsmore.tmpl:

--- oopsmore.tmpl.save
+++ oopsmore.tmpl
@@ -45,7 +45,8 @@
 
 %TMPL:DEF{"setparent"}%#SetParent
 ---++ %MAKETEXT{"Set new topic parent"}%
-<form name="main" action="%SCRIPTURLPATH{"save"}%/%WEB%/%TOPIC%?action_save=1">
+<form name="main" action="%SCRIPTURLPATH{"save"}%/%WEB%/%TOPIC%" method="post">
+<input type='hidden' name='action_save' value='1' />
 <div class="twikiFormSteps">
 <div class="twikiFormStep">
 ---++!! %MAKETEXT{"Current parent:"}% %IF{"'NONE%SEARCH{ "^%TOPIC%$" scope="topic" regex="on" nosearch="on" nototal="on" format="$parent" }%'='NONE'" then="(none)" else='%SEARCH{ "^%TOPIC%$" scope="topic" regex="on" nosearch="on" nototal="on" format="[[$web.$parent][$parent]]" }%' }%
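Review bot: moving action_save=1 from the action URL's query string into a hidden input is required, not cosmetic: once the form is submitted with method="post", CGI-style parameter parsing reads the POST body and may not expose query-string parameters through the normal param accessor, so keeping ?action_save=1 in the action would silently drop the flag. Style point: the added <input type='hidden' name='action_save' value='1' /> uses single-quoted attributes while every other attribute in this template uses double quotes; match the surrounding style.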

4. Patch twiki/templates/registerconfirm.tmpl:

In twiki/templates/registerconfirm.tmpl, replace the link to the register script:

  %SCRIPTURL{"register"}%?action=verify;code=%VERIFICATIONCODE%

With this link:

  %SCRIPTURL{"oops"}%/%USERSWEB%/%HOMETOPIC%?
  template=oopsattention;def=confirm;
  code=%VERIFICATIONCODE%;param1=%EMAILADDRESS%

Note: Newlines added above for clarity; all three lines need to be merged into one. Patch for twiki/templates/registerconfirm.tmpl:

--- registerconfirm.tmpl.save
+++ registerconfirm.tmpl
@@ -8,7 +8,7 @@
 
 %MAKETEXT{"Thank you for registering in the [_1] collaboration platform. Your verification code is [_2]." args="%WIKITOOLNAME%, %VERIFICATIONCODE%"}%
 
-%MAKETEXT{"You now need to verify your e-mail address. You can do so by entering [_1] in the form presented to you when this e-mail was sent, or by visiting [_2]" args="'%VERIFICATIONCODE%', %SCRIPTURL{"register"}%?action=verify;code=%VERIFICATIONCODE%"}%
+%MAKETEXT{"You now need to verify your e-mail address. You can do so by entering [_1] in the form presented to you when this e-mail was sent, or by visiting [_2]" args="'%VERIFICATIONCODE%', %SCRIPTURL{"oops"}%/%USERSWEB%/%HOMETOPIC%?template=oopsattention;def=confirm;code=%VERIFICATIONCODE%;param1=%EMAILADDRESS%"}%
 
 %MAKETEXT{"Note:"}%
 %MAKETEXT{"If you got this e-mail by mistake: Somebody ([_1], [_5]) registered at the [_2] site using your mail address [_3]. Contact [_4] if this is in error." args="%FIRSTLASTNAME%, %WIKITOOLNAME%, %EMAILADDRESS%, %WIKIWEBMASTER%, %REMOTE_ADDR%"}%
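Review bot: the new link appends param1=%EMAILADDRESS% to the URL without any URL encoding visible in this hunk. A "+" in the local part of a valid address is decoded as a space on the server side, and a ";" or "&" would terminate the parameter, so the confirmation page would display a mangled address; encode the address where it is substituted into the URL, or at least verify such addresses before shipping. The overall shape of the change is right: the e-mailed link is now a GET to an oops page that changes no state, and the actual verification is submitted by the POST form in messages.tmpl.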

Implications for TWiki Content and TWiki Applications

This fix makes TWiki more secure, but you need to be aware of some implications regarding TWiki applications. Because it is no longer possible to use HTTP GET to save or update page content, you must specify method="post" in HTML forms pointing to the save script, and you can no longer use HTML links or TWiki links that point to the save script.

It is recommended to search and fix your TWiki content for HTML forms, HTML links and TWiki links that point to the save script.

1. Fix HTML Forms Pointing to the Save Script:

HTML forms must specify method="post", or users won't be able to save content. Example:

  <form action="%SCRIPTURLPATH{"save"}%/%WEB%/%TOPIC%" method="post">
    .....
  </form>

2. Fix HTML Links and TWiki Links Pointing to the Save Script:

HTML links and TWiki links pointing to the save script no longer work. You must convert them into an HTML form.

Example: Link that updates a TWiki form field called "Reviewed". No longer working TWiki link format:

  [[%SCRIPTURLPATH{"save"}%/%WEB%/%TOPIC%?Reviewed=%SERVERTIME{$year-$mo-$day}%][Reviewed today!]]

Equivalent non-functional HTML link format:

  <a href="%SCRIPTURLPATH{"save"}%/%WEB%/%TOPIC%?Reviewed=%SERVERTIME{$year-$mo-$day}%">Reviewed today!</a>

Change these links to this HTML form:

  <form action="%SCRIPTURLPATH{"save"}%/%WEB%/%TOPIC%" method="post">
    <input type="hidden" name="Reviewed" value="%SERVERTIME{$year-$mo-$day}%" />
    <input type="submit" class="twikiSubmit" value="Reviewed today!" />
  </form>
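The search recommended above can be scripted. The following Python is an added example, not code from the advisory or from TWiki: it scans topic text for forms pointing at a now-POST-only script that lack method="post", for HTML and TWiki links to such scripts, and for img tags whose src is such a script, and it rewrites a TWiki save link into the POST form shown in the example. The regular expressions, the STATE_CHANGING set, the function names and SAMPLE_TOPIC are all constructed for this example; extend the patterns if your content uses other variable forms.

```python
"""Added example, not TWiki's or the advisory's code: find topic content that
the POST-only scripts break (forms without method="post", HTML and TWiki
links) or that should never point at a state-changing script (img tags),
and rewrite a TWiki save link into the POST form the advisory shows.
Patterns, names and SAMPLE_TOPIC are constructed for this example."""
import re

# Scripts the advisory makes POST-only (manage and rest: critical actions only).
STATE_CHANGING = {"save", "register", "rename", "upload", "manage", "rest"}

# Matches %SCRIPTURLPATH{"save"}%, %SCRIPTURLPATH{save}% and %SCRIPTURL{"save"}%.
SCRIPT_URL = r'%SCRIPTURL(?:PATH)?\{\s*"?(?P<script>[a-z]+)"?\s*\}%'

FORM_TAG_RE = re.compile(r"<form\b[^>]*>", re.I)
SCRIPT_URL_RE = re.compile(SCRIPT_URL, re.I)
METHOD_POST_RE = re.compile(r"""\bmethod\s*=\s*["']?post\b""", re.I)
# An HTML <a href="..."> or a TWiki [[...][...]] link whose target is a script URL.
LINK_RE = re.compile(r"""(?:<a\b[^>]*\bhref\s*=\s*["']|\[\[\s*)""" + SCRIPT_URL, re.I)
IMG_RE = re.compile(r"""<img\b[^>]*\bsrc\s*=\s*["']""" + SCRIPT_URL, re.I)
TWIKI_LINK_RE = re.compile(r"\[\[\s*(?P<url>[^\]]+?)\]\[(?P<label>[^\]]*)\]\]")

# Constructed sample topic: one good form, one form missing method="post",
# one read-only form, two save links, the advisory's img tag, one view link.
SAMPLE_TOPIC = """\
---+ Review checklist
<form action="%SCRIPTURLPATH{"save"}%/%WEB%/%TOPIC%" method="post">
  <input type="submit" class="twikiSubmit" value="Save" />
</form>
<form action="%SCRIPTURLPATH{"save"}%/%WEB%/%TOPIC%">
  <input type="submit" value="Save" />
</form>
<form action="%SCRIPTURLPATH{"view"}%/%WEB%/%TOPIC%">
  <input type="submit" value="Search" />
</form>
[[%SCRIPTURLPATH{"save"}%/%WEB%/%TOPIC%?Reviewed=%SERVERTIME{$year-$mo-$day}%][Reviewed today!]]
<a href="%SCRIPTURLPATH{"save"}%/%WEB%/%TOPIC%?Reviewed=today">Reviewed today!</a>
<img alt="" src="%SCRIPTURLPATH{save}%/Sandbox/TestTopic?text=Did+I+really+update+this+page!" />
[[%SCRIPTURLPATH{"view"}%/%WEB%/%TOPIC%][just a view link]]
"""


def scan_topic(text):
    """Return sorted (line, kind, script) findings for constructs that break
    or need attention once state-changing scripts are POST-only."""
    findings = []

    def line_of(pos):
        return text.count("\n", 0, pos) + 1

    for m in FORM_TAG_RE.finditer(text):
        tag = m.group(0)
        target = SCRIPT_URL_RE.search(tag)
        if (target and target.group("script").lower() in STATE_CHANGING
                and not METHOD_POST_RE.search(tag)):
            findings.append((line_of(m.start()), "form-without-post", target.group("script")))
    for kind, pattern in (("link", LINK_RE), ("img", IMG_RE)):
        for m in pattern.finditer(text):
            if m.group("script").lower() in STATE_CHANGING:
                findings.append((line_of(m.start()), kind, m.group("script")))
    return sorted(findings)


def twiki_link_to_form(link):
    """Rewrite a [[url?k=v][label]] TWiki link into the equivalent POST form:
    query parameters (separated by ; or &) become hidden inputs."""
    m = TWIKI_LINK_RE.fullmatch(link.strip())
    if not m:
        raise ValueError("not a [[url][label]] TWiki link")
    url, _, query = m.group("url").partition("?")
    lines = ['<form action="%s" method="post">' % url]
    for param in re.split(r"[;&]", query):
        if "=" in param:
            name, value = param.split("=", 1)
            lines.append('  <input type="hidden" name="%s" value="%s" />' % (name, value))
    lines.append('  <input type="submit" class="twikiSubmit" value="%s" />' % m.group("label"))
    lines.append("</form>")
    return "\n".join(lines)


if __name__ == "__main__":
    for line, kind, script in scan_topic(SAMPLE_TOPIC):
        print("line %d: %s -> %s script" % (line, kind, script))
    print(twiki_link_to_form(SAMPLE_TOPIC.splitlines()[10]))
```

Run it over the text of each topic (for example the .txt files under the data directory) and fix what it reports; forms flagged as form-without-post only need method="post" added, while flagged links need the form rewrite, and a flagged img tag has no legitimate reason to exist in content.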

Authors and Credits

Action Plan with Timeline

  • 2008-04-15: User discloses issue to TWikiSecurityMailingList (Steve 'Ashcrow' Milner)
  • 2009-04-16: Developer verifies issue (Peter Thoeny)
  • 2009-04-17 to 26: Developers fix code (Peter Thoeny, Sopan Shewale)
  • 2009-04-26: Security team creates advisory with hotfix (Peter Thoeny)
  • 2009-04-27: Send alert to TWikiAnnounceMailingList and TWikiDevMailingList (Peter Thoeny)
  • 2009-04-29: Publish advisory in Codev web and update all related topics (Peter Thoeny)
  • 2009-04-29: Issue a public security advisory to full-disclosure@lists.netsys.com, cert@cert.org, vuln@secunia.com, bugs@securitytracker.com, vulnwatch@vulnwatch.org (Peter Thoeny)

External Links

-- PeterThoeny - 2009-04-29

Discussions

Topic attachments

  • TWiki-4.3.0-c-diff-cve-2009-1339.txt (r1, 16.9 K, 2009-04-28 21:39, PeterThoeny): Comprehensive hotfix for TWiki-4.2.x and TWiki-4.3.0 (text diff)
  • TWiki-4.3.0-c-hotfix-cve-2009-1339.zip (r1, 74.0 K, 2009-04-27 04:20, PeterThoeny): Comprehensive hotfix for TWiki-4.2.x and TWiki-4.3.0
Topic revision: r15 - 2009-09-02 - PeterThoeny