Security Alert CVE-2011-3010: XSS Vulnerability with Topic Create and Slideshows
Get Alerted: To get immediate alerts of high priority security issues, please join the low-volume twiki-announce list - details at TWikiAnnounceMailingList
This advisory alerts you of two potential security issues with your TWiki installation: the topic create screen and the SlideShowPlugin may expose a cross-site scripting vulnerability.
Vulnerable Software Version
TWiki-5.0.x, TWiki-4.3.x and TWiki-4.2.x (hotfix available) and earlier releases (no hotfix); fixed in TWiki-5.1.0.
Attack Vectors
The attack is carried out with HTTP GET requests towards the TWiki server (usually port 80/TCP): a victim who views a wiki page through a specially crafted URL, typically after following a link supplied by the attacker, runs the attacker's JavaScript in their browser.
Impact
Specially crafted parameters open up XSS (Cross-Site Scripting) attacks.
Severity Level
The TWiki SecurityTeam triaged this issue as documented in TWikiSecurityAlertProcess and assigned the following severity level:
- Severity 3 issue: TWiki content or browser is compromised.
MITRE Name for this Vulnerability
The Common Vulnerabilities and Exposures project has assigned the name CVE-2011-3010 to this vulnerability.
Details
A malicious person can use specially crafted URL parameters to TWiki scripts that execute arbitrary JavaScript code in the browser. Examples:
Specially crafted newtopic parameter to the create new topic screen (view script with create=on):
GET /do/view/Main/Jump?create=on&newtopic=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert%280x0051D1%29%3C/script%3E&template=WebCreateNewTopic&topicparent=3
Specially crafted URL parameter name on a topic that uses the SlideShowPlugin:
GET /do/view/TWiki/ATasteOfTWiki?'"--></style></script><script>alert(0x002B48)</script>
TWiki decodes the URL parameters and echoes them into the page without escaping, so the browser pops up a JavaScript alert box showing "20945" (0x0051D1) for the first request and "11080" (0x002B48) for the second. In the first case the newtopic value is placed into the create new topic form; in the second the parameter name is copied into the query string that the SlideShowPlugin appends to its slide links, which is why the fix below sanitizes parameter names rather than values.
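The two reflection points described above, as an added example that is not part of the original advisory or of TWiki's code: a stand-alone Python model of the create screen echoing the newtopic value and of the slideshow plugin copying URL parameter names into its slide links, each in its vulnerable and hardened form, run against the two crafted query strings quoted above. The names parse_query, create_form and slide_query_string, and the treatment of a token without '=' as a parameter name with an empty value, are this example's own assumptions; the hardened create form entity-encodes the value, which is the generic fix and not necessarily the exact change made to WebCreateNewTopicTemplate, while the hardened slide query string applies the same name whitelist as the SlideShow.pm patch further down.

```python
"""Added example, not TWiki code: a stand-alone model of the two reflection
points in CVE-2011-3010.  The two crafted query strings are taken from the
requests quoted in the advisory; parse_query, create_form and
slide_query_string are this example's own names."""
import re
from html import escape
from urllib.parse import quote, unquote

# Query strings of the two GET requests quoted in the advisory.
CREATE_QUERY = (
    "create=on&newtopic=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3E"
    "alert%280x0051D1%29%3C/script%3E&template=WebCreateNewTopic&topicparent=3"
)
SLIDESHOW_QUERY = "'\"--></style></script><script>alert(0x002B48)</script>"

# Parameter names the plugin never copies into its slide links.
RESERVED = ("text", "keywords", "web", "topic", "slideshow", "skin")
# Unanchored substring test, as in the plugin before the fix.
OLD_SKIP = re.compile(r"(text|keywords|web|topic|slideshow|skin|#)")
# Whitelist applied to parameter names by the fixed plugin.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+$")


def parse_query(qs):
    """Split a query string on & or ; into decoded (name, value) pairs.
    Assumption: a token with no '=' (the second advisory request) becomes a
    parameter whose name is the whole token and whose value is empty."""
    pairs = []
    for token in filter(None, re.split(r"[&;]", qs)):
        name, _, value = token.partition("=")
        pairs.append((unquote(name), unquote(value)))
    return pairs


def create_form(pairs, hardened):
    """Render the input field of the create-new-topic screen that echoes the
    newtopic parameter.  The vulnerable form inserts the decoded value as-is;
    the hardened form entity-encodes it so " and < cannot leave the attribute."""
    value = dict(pairs).get("newtopic", "")
    if hardened:
        value = escape(value, quote=True)
    return f'<input type="text" name="topic" value="{value}" />'


def slide_query_string(pairs, hardened):
    """Rebuild the query string the slideshow plugin appends to its slide
    links.  Values are URL-encoded in both versions; only the hardened version
    rejects parameter names outside [A-Za-z0-9_-], so a name is never copied
    into the link unencoded."""
    out = "?slideshow=on;skin=print"
    for name, value in pairs:
        if hardened:
            if not SAFE_NAME.match(name) or name in RESERVED:
                continue
        elif OLD_SKIP.search(name):
            continue
        out += ";" + name + "=" + quote(value, safe="")
    return out


def contains_script(markup):
    """True if a literal <script> tag survives into the generated markup."""
    return "<script>" in markup


if __name__ == "__main__":
    for label, fn, qs in (("create screen", create_form, CREATE_QUERY),
                          ("slideshow links", slide_query_string, SLIDESHOW_QUERY)):
        pairs = parse_query(qs)
        for hardened in (False, True):
            out = fn(pairs, hardened)
            state = "hardened" if hardened else "vulnerable"
            print(f"{label} ({state}): script tag present = {contains_script(out)}")
            print("  " + out)
```

Running the block prints both outputs for each reflection point: in the vulnerable forms the payload lands verbatim inside the value attribute and inside the link query string, while the hardened forms yield an entity-encoded value and a query string from which the crafted name has been dropped. The whitelist also keeps a legitimate parameter such as context, which the old substring test silently discarded because the name contains text.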
Countermeasures
- Apply hotfix (see patch below).
- Upgrade to the latest patched production TWiki-5.1.0, TWikiRelease05x01x00.
- Use the web server software to restrict access to the web pages served by TWiki.
Hotfix for TWiki Production Releases
It is recommended to upgrade to the latest TWiki version, which can be done easily with the BackupRestorePlugin. If an immediate upgrade is not feasible you can apply the patch below for Production Release TWiki-5.0.x, TWiki-4.3.x and TWiki-4.2.x by updating a topic and by upgrading the SlideShowPlugin. There is no hotfix for earlier TWiki releases; use the hotfix as a guideline. The patch sanitizes the create new topic screen and the SlideShowPlugin.
Patch Create New Topic Screen
Affected topic: TWiki.WebCreateNewTopicTemplate
Upgrade: On your TWiki, do a raw edit of topic TWiki.WebCreateNewTopicTemplate and replace its content with the content of http://twiki.org/cgi-bin/view/TWiki/WebCreateNewTopicTemplate?raw=on
Alternatively, apply the patch at http://develop.twiki.org/trac/changeset/21920
Upgrade SlideShowPlugin
Affected plugin: http://twiki.org/cgi-bin/view/Plugins/SlideShowPlugin
Upgrade: Run configure, go to Extensions, find more extensions, and select the SlideShowPlugin to upgrade. Alternatively follow the manual installation instructions in the plugin topic, or apply the patch below.
Patch file: lib/TWiki/Plugins/SlideShowPlugin/SlideShow.pm
--- SlideShow.pm.save2 2011-04-02 15:06:35.000000000 -0700
+++ SlideShow.pm 2011-08-08 15:48:03.000000000 -0700
@@ -61,7 +61,8 @@
# Build query string based on existingURL parameters
my $qparams = '?slideshow=on;skin=print';
foreach my $name ( $query->param ) {
- next if ( $name =~ /(text|keywords|web|topic|slideshow|skin|\#)/ );
+ next if ( $name =~ s/[^a-zA-Z0-9_\-]//go ); # Item6789: Santize parameter name
+ next if ( $name =~ /^(text|keywords|web|topic|slideshow|skin)$/ );
$qparams .= ';' . $name . '=' . urlEncode( $query->param($name) );
}
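Review bot: the substitution on the first added line is used only as a test, since a name containing a disallowed character is skipped and the stripped name is never used; a plain match such as `next if ( $name =~ /[^a-zA-Z0-9_\-]/ );` states the intent without mutating the loop variable, and the `o` modifier does nothing on a pattern with no interpolated variables. The comment typo "Santize" should read "Sanitize". Anchoring the reserved-name test with `^(...)$` on the second added line is a correctness gain in its own right: the old unanchored alternation also dropped legitimate parameters such as `context` (contains `text`) or `mytopic` (contains `topic`). With names restricted to `[a-zA-Z0-9_-]`, appending `$name` unencoded on the unchanged `$qparams .=` line is now safe, which the comment could say explicitly.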
Authors and Credits
Action Plan with Timeline
- 2011-08-20: Developer releases TWiki-5.1.0 with fix (George Trubisky)
- 2011-09-19: Security team creates advisory with hotfix (Peter Thoeny)
- 2011-09-20: Send alert to TWikiAnnounceMailingList and TWikiDevMailingList (Peter Thoeny)
- 2011-09-22: Publish advisory in Codev web and update all related topics (Peter Thoeny)
- 2011-09-22: Issue a public security advisory to full-disclosure[at]lists.netsys.com, cert[at]cert.org, vuln[at]secunia.com, bugs[at]securitytracker.com (Peter Thoeny)
External Links
--
PeterThoeny - 2011-09-22