What is TWiki?
A leading open source enterprise wiki and web application platform used by 50,000 small businesses, many Fortune 500 companies, and millions of people.
Learn more.
Security Alert CVE-2012-6329: TWiki MAKETEXT Variable Allows Arbitrary Shell Command Execution
Get Alerted: |
To get immediate alerts of high priority security issues, please join the low-volume twiki-announce list - details at TWikiAnnounceMailingList |
This advisory alerts you of a potential security issue with your TWiki installation: The %MAKETEXT{}% TWiki variable allows arbitrary shell command execution. The problem is caused by an underlying security issue in the Locale::Maketext CPAN module.
Vulnerable Software Version
Attack Vectors
Editing wiki pages and HTTP POST requests towards a TWiki server with enabled localization (typically port 80/TCP). Typically, prior authentication is necessary.
Impact
An unauthenticated remote attacker can execute arbitrary shell commands as the webserver user, such as user nobody.
Severity Level
The TWiki
SecurityTeam triaged this issue as documented in
TWikiSecurityAlertProcess and assigned the following severity level:
- Severity 1 issue: The web server can be compromised
MITRE Name for this Vulnerability
The Common Vulnerabilities and Exposures project has assigned the name
CVE-2012-6329 to this vulnerability.
Details
1. Shell Command execution: The
%MAKETEXT{}%
TWiki variable is used to localize user interface content to a language of choice. Using a specially crafted
MAKETEXT, a malicious user can execute shell commands by Perl backtick (``) operators. User input is passed to the Perl "eval" command without first being sanitized. The problem is caused by an underlying security issue in the
CPAN:Locale::Maketext module. This works only in TWiki sites that have user interface localization enabled.
In addition, there are two less severe issues with
MAKETEXT:
2. Excessive memory allocation: %MAKETEXT{"This is [_9999999999999999] Evil"}%
will consume all memory and swap space attempting to initialize all missing entries in the parameters array. (CVE-2012-6330)
3. Crash: %MAKETEXT{"This is [_0] problematic"}%
can cause a crash under some circumstances.
Countermeasures
- One of:
- Disable localization by setting configure flag
{UserInterfaceInternationalisation}
to 0
.
- Apply hotfix (see patch below).
- Upgrade to the latest patched production release TWiki-5.1.3 (TWikiRelease05x01x03) when available.
- In addition:
- Install CPAN:Locale::Maketext version 1.23 or newer.
- Use the
{SafeEnvPath}
configure setting to restrict the possible directories that are searched for executables. By default, this is the PATH used by the webserver user. Set {SafeEnvPath}
to a list of non-writable directories, such as "/bin:/usr/bin"
.
Hotfix for TWiki Production Release 5.1.x
Affected file:
twiki/lib/TWiki.pm
Patch to sanitize
MAKETEXT parameters:
--- TWiki.pm (revision 24029)
+++ TWiki.pm (working copy)
@@ -4329,8 +4329,23 @@
# unescape parameters and calculate highest parameter number:
my $max = 0;
- $str =~ s/~\[(\_(\d+))~\]/ $max = $2 if ($2 > $max); "[$1]"/ge;
- $str =~ s/~\[(\*,\_(\d+),[^,]+(,([^,]+))?)~\]/ $max = $2 if ($2 > $max); "[$1]"/ge;
+ my $min = 1;
+ $str =~ s/~\[(\_(\d+))~\]/
+ $max = $2 if ($2 > $max);
+ $min = $2 if ($2 < $min);
+ "[$1]"/ge;
+ $str =~ s/~\[(\*,\_(\d+),[^,]+(,([^,]+))?)~\]/
+ $max = $2 if ($2 > $max);
+ $min = $2 if ($2 < $min);
+ "[$1]"/ge;
+
+ # Item7080: Sanitize MAKETEXT variable:
+ return "MAKETEXT error: No more than 32 parameters are allowed" if( $max > 32 );
+ return "MAKETEXT error: Parameter 0 is not allowed" if( $min < 1 );
+ if( $TWiki::cfg{UserInterfaceInternationalisation} ) {
+ eval { require Locale::Maketext; };
+ $str =~ s#\\#\\\\#g if( $@ || !$@ && $Locale::Maketext::VERSION < 1.23 );
+ }
# get the args to be interpolated.
my $argsStr = $params->{args} || "";
On a properly patched system,
%MAKETEXT{" [_99] "}% should return this error: =MAKETEXT error: No more than 32 parameters are allowed
.
This patch is handled at
TWikibug:Item7080.
Hotfix for older affected TWiki Releases
Apply above patch (line numbers may vary).
Authors and Credits
Action Plan with Timeline
External Links
--
PeterThoeny - 2012-12-10
Discussions