Security Alert CVE-2009-1339: CSRF Vulnerability with Image Tag
Get Alerted: To get immediate alerts of high priority security issues, please join the low-volume twiki-announce list - details at TWikiAnnounceMailingList
This advisory alerts you of a security issue with your TWiki installation: A remote user may gain TWiki admin privileges with a specially crafted image tag.
NOTE: Upgrade to TWiki-4.3.2, see related SecurityAuditTokenBasedCsrfFix
Vulnerable Software Version
Attack Vectors
The attack is carried out by editing wiki pages and by issuing HTTP GET requests to the TWiki server (usually port 80/TCP). Typically, prior authentication is necessary (anonymous TWikiGuest accounts count). The vulnerability exists because TWiki allows HTTP GET to save pages, which opens it up to CSRF (cross-site request forgery) attacks.
Impact
An image tag can be crafted that, when viewed, updates pages in TWiki with the attacker's content as the viewing user, including members of the TWikiAdminGroup. This can be used to gain administrator privileges, change access permissions, and more.
Severity Level
The TWiki SecurityTeam triaged this issue as documented in TWikiSecurityAlertProcess and assigned the following severity level:
- Severity 2 issue: The TWiki installation is compromised
MITRE Name for this Vulnerability
The Common Vulnerabilities and Exposures project has assigned the name CVE-2009-1339 to this vulnerability.
Details
When a malicious user embeds an img tag in a TWiki page that points to a TWiki script (such as the save script) instead of an image URL, the script is executed with the privileges of the viewing user each time someone looks at that TWiki page.
Example:
1. Edit a page and add this image tag:
<img alt="" src="%SCRIPTURLPATH{save}%/Sandbox/TestTopic?text=Did+I+really+update+this+page!" />
2. Ask another user to view the page with this image tag. The Sandbox.TestTopic page is now updated by that user with text "Did I really update this page!".
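As an added example, not part of the original advisory or of the TWiki code base, the following Python script shows the check an administrator would run against the Apache access log before and after applying a fix: it lists every GET request to the save, register and upload scripts, which are exactly the requests the fix turns into 403s. Before the fix, such requests are either the pattern described above or legitimate GET links and forms that need converting; the Referer column points at the viewed page that carried the img tag or link. The log lines, host names and the /twiki/bin path are constructed for this example.

```python
import re
from collections import Counter

# Apache "combined" log format (the constructed sample lines below follow it):
# host ident user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Scripts the minimal hotfix limits to POST; the comprehensive hotfix also
# covers manage, rename and rest for their critical actions.
STATE_CHANGING_SCRIPTS = ('save', 'register', 'upload')

# URL path of the TWiki bin directory (assumption: adjust to your ScriptUrlPath).
BIN_PATH = '/twiki/bin'

# Constructed sample log: a page view, a GET save triggered while that page
# was viewed, a normal POST save from the editor, a GET "Reviewed today!"
# style link of the kind the advisory says to convert, and a registration
# verification link opened from an e-mail.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Apr/2009:10:01:02 +0000] "GET /twiki/bin/view/Main/WebHome HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [27/Apr/2009:10:01:03 +0000] "GET /twiki/bin/save/Sandbox/TestTopic?text=Did+I+really+update+this+page! HTTP/1.1" 302 0 "http://wiki.example.test/twiki/bin/view/Main/WebHome" "Mozilla/5.0"
10.0.0.7 - alice [27/Apr/2009:10:02:00 +0000] "POST /twiki/bin/save/Main/Minutes HTTP/1.1" 302 0 "http://wiki.example.test/twiki/bin/edit/Main/Minutes" "Mozilla/5.0"
10.0.0.9 - bob [27/Apr/2009:10:03:10 +0000] "GET /twiki/bin/save/Projects/Status?Reviewed=2009-04-27 HTTP/1.1" 302 0 "http://wiki.example.test/twiki/bin/view/Projects/Status" "Mozilla/5.0"
10.0.0.11 - - [27/Apr/2009:10:04:00 +0000] "GET /twiki/bin/register?action=verify;code=CarolExample.0123456789 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def script_name(path):
    """Return the TWiki script a request path addresses (e.g. 'save'), or None
    when the path lies outside the bin directory."""
    prefix = BIN_PATH.rstrip('/') + '/'
    if not path.startswith(prefix):
        return None
    return re.split(r'[/?]', path[len(prefix):], maxsplit=1)[0]


def find_get_state_changes(log_text):
    """Return every GET request to a state-changing script. After the fix
    Apache answers these with 403; before the fix each one is either a CSRF
    attempt or a legitimate GET link/form that has to be converted."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        script = script_name(rec['path'])
        if rec['method'] == 'GET' and script in STATE_CHANGING_SCRIPTS:
            hits.append({'host': rec['host'], 'user': rec['user'],
                         'script': script, 'path': rec['path'],
                         'status': rec['status'], 'referer': rec['referer']})
    return hits


def referer_counts(hits):
    """Count hits per referer. Browsers send the page containing an <img> as
    the Referer, so a view URL that keeps preceding GET saves is the topic to
    inspect for the offending tag (or for the link that needs converting)."""
    return Counter(h['referer'] for h in hits)


if __name__ == '__main__':
    found = find_get_state_changes(SAMPLE_LOG)
    for h in found:
        print(f"{h['host']:<10} {h['user']:<6} GET {h['script']:<9} "
              f"status={h['status']} referer={h['referer']}")
    for ref, n in referer_counts(found).most_common():
        print(f"{n} GET request(s) from {ref}")
```

Run it over a real access log by replacing SAMPLE_LOG with the file contents; the register hit with referer "-" is the e-mail verification link, which is why the hotfix reroutes that link through the oops script rather than calling register directly.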
Countermeasures
- Apply comprehensive hotfix or minimal hotfix (see patch below).
- Upgrade to the latest patched production TWiki-4.3.1, TWikiRelease04x03x01.
- Use the web server software to restrict access to the web pages served by TWiki.
NOTE: Upgrade to TWiki-4.3.2, see related SecurityAuditTokenBasedCsrfFix
Comprehensive Hotfix for TWiki Production Release 4.2.x and 4.3.0
It is recommended to upgrade to the latest TWiki-4.3.1. We also provide a comprehensive hotfix for TWiki-4.2.x and 4.3.0 only, containing all patched files to fix this CSRF vulnerability. The patch prevents any content update via HTTP GET. The following scripts are protected: manage (critical actions only), register, rename, rest (critical actions only), save, upload.
Affected files:
- twiki/lib/TWiki/Plugins/EditTablePlugin.pm
- twiki/lib/TWiki/Plugins/EditTablePlugin/Core.pm
- twiki/lib/TWiki/Plugins/PreferencesPlugin.pm
- twiki/lib/TWiki/Plugins/WysiwygPlugin.pm
- twiki/lib/TWiki/UI.pm
- twiki/lib/TWiki/UI/Manage.pm
- twiki/lib/TWiki/UI/Register.pm
- twiki/lib/TWiki/UI/Save.pm
- twiki/lib/TWiki/UI/Upload.pm
- twiki/templates/messages.tmpl
- twiki/templates/oopsmore.tmpl
- twiki/templates/registerconfirm.tmpl
Download comprehensive hotfix for TWiki-4.2.x and 4.3.0 from:
http://twiki.org/p/pub/Codev/SecurityAlert-CVE-2009-1339/TWiki-4.3.0-c-hotfix-cve-2009-1339.zip
Equivalent patch-diff is at
http://twiki.org/p/pub/Codev/SecurityAlert-CVE-2009-1339/TWiki-4.3.0-c-diff-cve-2009-1339.txt
Backup the twiki/lib and twiki/templates directories before applying the hotfix. To apply the hotfix, unpack the zip file over your twiki root directory on the TWiki server. Fix file ownership to match existing files.
Minimal Hotfix for TWiki Production Releases
It is recommended to upgrade to the latest TWiki version, or to apply the comprehensive hotfix above. If an immediate upgrade is not feasible you can apply this minimal patch for TWiki Production Release 4.2.x and 4.3.0. There is no hotfix for older releases; take the minimal hotfix as a guideline (line numbers may vary).
The minimal hotfix protects your TWiki installation with an Apache configuration setting instead of scripts protecting themselves as in the comprehensive fix.
Known issue of the minimal hotfix: A save operation after login may fail the first time when template-login is used.
Affected files:
- /etc/httpd/conf.d/twiki.conf (location of Apache configuration file may vary)
- twiki/templates/messages.tmpl
- twiki/templates/oopsmore.tmpl
- twiki/templates/registerconfirm.tmpl
1. Patch /etc/httpd/conf.d/twiki.conf:
Within the <Directory "/var/www/twiki/bin"> directive, protect the save, register and upload scripts so that they require the POST method, by adding the following directives just above the <FilesMatch "^(configure).*$"> directive:
# protect against cross-site request forgery
<FilesMatch "^(save|register|upload).*">
<LimitExcept POST>
Deny From all
</LimitExcept>
</FilesMatch>
Don't forget to restart your browser. If you have a working .htaccess file in the twiki/bin directory, make the changes there instead.
2. Patch twiki/templates/messages.tmpl:
--- messages.tmpl.save
+++ messages.tmpl
@@ -193,10 +193,10 @@
%MAKETEXT{"Your activation code has been sent to [_1]. Either click on the link in your e-mail or enter the code in the box below to activate your membership. (This code is of the form \"YourName.xxxxxxxxxx\")" args="%PARAM1%"}%
-<form action="%SCRIPTURLPATH{"register"}%">
+<form action="%SCRIPTURLPATH{"register"}%" method="post">
<input type="hidden" name="action" value="verify" size="20" />
-<input type="text" name="code" size="20" />
-<input type="submit" class="twikiSubmit" value=' %MAKETEXT{"Submit"}% ' />
+<input type="text" name="code" value="%URLPARAM{ "code" encode="entity" }%" size="20" />
+<input type="submit" class="twikiSubmit" value=' %MAKETEXT{"Confirm registration"}% ' />
</form>
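Review bot: the hunk header announces 10 lines on each side but only eight are shown here, so several context lines were lost in this copy; confirm the surrounding lines in your own messages.tmpl before applying the change by hand. The CSRF fix itself is the added method="post"; the other two changes (pre-filling the code field from %URLPARAM{ "code" encode="entity" }% and renaming the button) are what make the new registerconfirm.tmpl link in step 4 land the user on this form with the code already filled in, so steps 2 and 4 must be applied together, and the new MAKETEXT string "Confirm registration" needs a translation entry. Minor: size="20" on the hidden input has no effect and could be dropped while the line is being touched.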
3. Patch twiki/templates/oopsmore.tmpl:
--- oopsmore.tmpl.save
+++ oopsmore.tmpl
@@ -45,7 +45,8 @@
%TMPL:DEF{"setparent"}%#SetParent
---++ %MAKETEXT{"Set new topic parent"}%
-<form name="main" action="%SCRIPTURLPATH{"save"}%/%WEB%/%TOPIC%?action_save=1">
+<form name="main" action="%SCRIPTURLPATH{"save"}%/%WEB%/%TOPIC%" method="post">
+<input type='hidden' name='action_save' value='1' />
<div class="twikiFormSteps">
<div class="twikiFormStep">
---++!! %MAKETEXT{"Current parent:"}% %IF{"'NONE%SEARCH{ "^%TOPIC%$" scope="topic" regex="on" nosearch="on" nototal="on" format="$parent" }%'='NONE'" then="(none)" else='%SEARCH{ "^%TOPIC%$" scope="topic" regex="on" nosearch="on" nototal="on" format="[[$web.$parent][$parent]]" }%' }%
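Review bot: moving action_save=1 out of the action URL into a hidden input is correct, since with method="post" a parameter left in the query string would still travel in the URL while the rest of the form goes in the body; keep it. Style point: the new input line uses single-quoted attributes (type='hidden') whereas every other line in this template uses double quotes; match the surrounding style. The header counts 7 and 8 lines but only six and seven appear, so one context line is missing from this copy.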
4. Patch twiki/templates/registerconfirm.tmpl:
In twiki/templates/registerconfirm.tmpl, replace the link to the register script:
%SCRIPTURL{"register"}%?action=verify;code=%VERIFICATIONCODE%
With this link:
%SCRIPTURL{"oops"}%/%USERSWEB%/%HOMETOPIC%?
template=oopsattention;def=confirm;
code=%VERIFICATIONCODE%;param1=%EMAILADDRESS%
Note: Newlines added above for clarity; all three lines need to be merged into one. Patch for twiki/templates/registerconfirm.tmpl:
--- registerconfirm.tmpl.save
+++ registerconfirm.tmpl
@@ -8,7 +8,7 @@
%MAKETEXT{"Thank you for registering in the [_1] collaboration platform. Your verification code is [_2]." args="%WIKITOOLNAME%, %VERIFICATIONCODE%"}%
-%MAKETEXT{"You now need to verify your e-mail address. You can do so by entering [_1] in the form presented to you when this e-mail was sent, or by visiting [_2]" args="'%VERIFICATIONCODE%', %SCRIPTURL{"register"}%?action=verify;code=%VERIFICATIONCODE%"}%
+%MAKETEXT{"You now need to verify your e-mail address. You can do so by entering [_1] in the form presented to you when this e-mail was sent, or by visiting [_2]" args="'%VERIFICATIONCODE%', %SCRIPTURL{"oops"}%/%USERSWEB%/%HOMETOPIC%?template=oopsattention;def=confirm;code=%VERIFICATIONCODE%;param1=%EMAILADDRESS%"}%
%MAKETEXT{"Note:"}%
%MAKETEXT{"If you got this e-mail by mistake: Somebody ([_1], [_5]) registered at the [_2] site using your mail address [_3]. Contact [_4] if this is in error." args="%FIRSTLASTNAME%, %WIKITOOLNAME%, %EMAILADDRESS%, %WIKIWEBMASTER%, %REMOTE_ADDR%"}%
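Review bot: the replacement link only completes a registration if the form patched in step 2 is present, since that form reads the code back via %URLPARAM{ "code" }% and shows param1 as the address the code was sent to; applying this hunk without step 2 sends users to an oops page that cannot verify them, so the advisory should state that the two template patches are a unit. Note also that param1=%EMAILADDRESS% now puts the registrant's e-mail address into a GET URL next to the verification code, where web server and proxy logs will record it; the old link exposed only the code. The header claims 7 lines per side but only four are visible here.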
Implications for TWiki Content and TWiki Applications
This fix makes TWiki more secure, but you need to be aware of some implications with regard to TWiki applications. Because it is no longer possible to use HTTP GET to save or update page content, you must specify method="post" in HTML forms pointing to the save script, and you can no longer use HTML links or TWiki links that point to the save script.
It is recommended to search your TWiki content for HTML forms, HTML links and TWiki links that point to the save script, and to fix them as described below.
1. Fix HTML Forms Pointing to the Save Script:
HTML forms must specify method="post", or users won't be able to save content. Example:
<form action="%SCRIPTURLPATH{"save"}%/%WEB%/%TOPIC%" method="post">
.....
</form>
2. Fix HTML Links and TWiki Links Pointing to the Save Script:
HTML links and TWiki links pointing to the save script no longer work. You must convert them into an HTML form.
Example: Link that updates a TWiki form field called "Reviewed". No longer working TWiki link format:
[[%SCRIPTURLPATH{"save"}%/%WEB%/%TOPIC%?Reviewed=%SERVERTIME{$year-$mo-$day}%][Reviewed today!]]
Equivalent non-functional HTML link format:
<a href="%SCRIPTURLPATH{"save"}%/%WEB%/%TOPIC%?Reviewed=%SERVERTIME{$year-$mo-$day}%">Reviewed today!</a>
Change these links to this HTML form:
<form action="%SCRIPTURLPATH{"save"}%/%WEB%/%TOPIC%" method="post">
<input type="hidden" name="Reviewed" value="%SERVERTIME{$year-$mo-$day}%" />
<input type="submit" class="twikiSubmit" value="Reviewed today!" />
</form>
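As an added example, not part of the original advisory or of the TWiki code base, the following Python script performs the search that steps 1 and 2 above recommend: it reports HTML forms pointing to the save script that lack method="post", and it finds TWiki links and HTML links pointing to the save script and rewrites each as the POST form shown above (one hidden input per query parameter, the link text as the submit button). The topic text it scans is constructed; the handling of %SCRIPTURL%/%SCRIPTURLPATH%, of literal /bin/save paths and of ";" as a parameter separator follows the forms used on this page.

```python
import html
import re

# A topic can name the save script through %SCRIPTURL% or %SCRIPTURLPATH%
# (with or without quotes around the script name, both spellings occur in
# the advisory) or through a literal /bin/save path.
SAVE_SCRIPT_RE = re.compile(
    r'%SCRIPTURL(?:PATH)?\{"?save"?\}%|/bin/save(?=[/?"\s]|$)')

# [[url][label]]
TWIKI_LINK_RE = re.compile(r'\[\[([^\]]+)\]\[([^\]]+)\]\]')
# <a href="url">label</a>. The closing quote of the attribute is the one
# followed by whitespace or '>', because TWiki variables inside the value
# (such as %SCRIPTURLPATH{"save"}%) contain double quotes themselves.
HTML_LINK_RE = re.compile(
    r'<a\s[^>]*?href\s*=\s*"(.*?)"(?=[\s>])[^>]*>(.*?)</a>', re.I | re.S)
FORM_TAG_RE = re.compile(r'<form\s([^>]*)>', re.I)
ACTION_RE = re.compile(r'action\s*=\s*"(.*?)"(?=\s|$)', re.I)
METHOD_POST_RE = re.compile(r'method\s*=\s*["\']?post', re.I)

# Constructed sample topic (not from any real TWiki site): a TWiki link, an
# HTML link, a GET form and an already-correct POST form to the save script,
# plus a view link that must not be reported.
SAMPLE_TOPIC = """\
---+ Review checklist
[[%SCRIPTURLPATH{"save"}%/%WEB%/%TOPIC%?Reviewed=%SERVERTIME{$year-$mo-$day}%][Reviewed today!]]
<a href="%SCRIPTURLPATH{"save"}%/%WEB%/%TOPIC%?Reviewed=%SERVERTIME{$year-$mo-$day}%">Reviewed today!</a>
<form action="%SCRIPTURLPATH{"save"}%/%WEB%/%TOPIC%?action_save=1">
<input type="submit" value="Save" />
</form>
<form action="%SCRIPTURLPATH{"save"}%/%WEB%/%TOPIC%" method="post">
<input type="submit" value="Save" />
</form>
[[%SCRIPTURLPATH{"view"}%/%WEB%/%TOPIC%][Just a view link]]
"""


def split_query(url):
    """Split a save URL into its base and its (name, value) parameters.
    TWiki accepts both '&' and ';' as separators. Values are kept verbatim
    (no percent-decoding) because they are usually TWiki variables such as
    %SERVERTIME{...}% that the server expands later."""
    base, _, query = url.partition('?')
    params = []
    for part in re.split(r'[&;]', query):
        if part:
            name, _, value = part.partition('=')
            params.append((name, value))
    return base, params


def link_to_form(url, label):
    """Rewrite a GET link to the save script as the POST form the advisory
    recommends: one hidden input per parameter, the link text as the button."""
    base, params = split_query(url)
    lines = [f'<form action="{base}" method="post">']
    for name, value in params:
        # Only double quotes are escaped; a value that is itself a TWiki
        # macro containing quotes should be reviewed by hand.
        value = value.replace('"', '&quot;')
        lines.append(f'<input type="hidden" name="{name}" value="{value}" />')
    button = html.escape(label.strip(), quote=True)
    lines.append(f'<input type="submit" class="twikiSubmit" value="{button}" />')
    lines.append('</form>')
    return '\n'.join(lines)


def audit_topic(text):
    """Return one finding per reference to the save script that stops working
    (or is a CSRF vector) once GET saves are blocked. Each finding has a
    'kind', the 'original' text and, for links, the 'replacement' form."""
    findings = []
    for m in TWIKI_LINK_RE.finditer(text):
        url, label = m.group(1), m.group(2)
        if SAVE_SCRIPT_RE.search(url):
            findings.append({'kind': 'twiki-link', 'original': m.group(0),
                             'replacement': link_to_form(url, label)})
    for m in HTML_LINK_RE.finditer(text):
        url, label = m.group(1), m.group(2)
        if SAVE_SCRIPT_RE.search(url):
            findings.append({'kind': 'html-link', 'original': m.group(0),
                             'replacement': link_to_form(url, label)})
    for m in FORM_TAG_RE.finditer(text):
        attrs = m.group(1)
        action = ACTION_RE.search(attrs)
        if (action and SAVE_SCRIPT_RE.search(action.group(1))
                and not METHOD_POST_RE.search(attrs)):
            findings.append({'kind': 'get-form', 'original': m.group(0),
                             'replacement': None})
    return findings


if __name__ == '__main__':
    for f in audit_topic(SAMPLE_TOPIC):
        print(f"[{f['kind']}] {f['original']}")
        if f['replacement']:
            print('  replace with:\n' + f['replacement'])
```

Point audit_topic at the text of each topic under your data directory (for example by walking twiki/data/*/*.txt) and review every finding: forms get method="post" added, links get the generated form pasted in their place.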
Authors and Credits
Action Plan with Timeline
- 2008-04-15: User discloses issue to TWikiSecurityMailingList (Steve 'Ashcrow' Milner)
- 2009-04-16: Developer verifies issue (Peter Thoeny)
- 2009-04-17 to 26: Developers fix code (Peter Thoeny, Sopan Shewale)
- 2009-04-26: Security team creates advisory with hotfix (Peter Thoeny)
- 2009-04-27: Send alert to TWikiAnnounceMailingList and TWikiDevMailingList (Peter Thoeny)
- 2009-04-29: Publish advisory in Codev web and update all related topics (Peter Thoeny)
- 2009-04-29: Issue a public security advisory to full-disclosure@lists.netsys.com, cert@cert.org, vuln@secunia.com, bugs@securitytracker.com, vulnwatch@vulnwatch.org (Peter Thoeny)
External Links
--
PeterThoeny - 2009-04-29
Discussions