Security Alert CVE-2014-7236: Remote Perl code execution with query string to debug TWiki plugins

Get Alerted: To receive immediate alerts of high-priority security issues, join the low-volume twiki-announce list; details at TWikiAnnounceMailingList.

This advisory alerts you to a potential security issue with your TWiki installation: the debugenableplugins request parameter allows arbitrary Perl code execution.

Vulnerable Software Version

Attack Vectors

An HTTP GET request to a TWiki server's view script (typically port 80/TCP) carrying a specially crafted debugenableplugins request parameter. Prior authentication may or may not be necessary.

Impact

A remote attacker can execute arbitrary Perl code and thereby view and modify any file that the web server user can access.

Severity Level

The TWiki SecurityTeam triaged this issue as documented in TWikiSecurityAlertProcess and assigned the following severity level:

  • Severity 1 issue: The web server can be compromised

MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name CVE-2014-7236 to this vulnerability.

Details

It is possible to execute arbitrary Perl code by adding a debugenableplugins parameter with a specially crafted value. Example:

http://www.example.com/do/view/Main/WebHome?debugenableplugins=BackupRestorePlugin%3bprint("Content-Type:text/html\r\n\r\nVulnerable!")%3bexit

The TWiki site is vulnerable if you see a page with text "Vulnerable!".

Background:

For debugging, TWiki lets a request enable specific plugins through a debugenableplugins parameter that lists the plugin names to enable. To support this dynamic loading, TWiki inserts each listed name into the following Perl eval statement without sanitizing it:

my $p = $this->{module};   # plugin name as supplied in the request parameter
eval "use $p;";            # string eval: a ';' in $p ends the use statement and runs whatever follows

Countermeasures

  • Apply hotfix (see patch below).
  • Upgrade to the latest patched production release TWiki-6.0.1 (TWikiRelease06x00x01)

Hotfix for TWiki Production Release 6.0.0

Affected file: twiki/lib/TWiki/Plugins.pm

Patch to sanitize the debugenableplugins parameter:

--- TWiki/Plugins.pm.save1   2014-01-09 02:10:56.000000000 -0500
+++ TWiki/Plugins.pm   2014-10-01 20:30:36.000000000 -0400
@@ -186,8 +186,11 @@
 
     unless( $allDisabled ) {
         if ( $query && defined( $query->param( 'debugenableplugins' ))) {
-            @pluginList = split( /[,\s]+/,
-                                 $query->param( 'debugenableplugins' ));
+            @pluginList =
+              grep { /Plugin$/ }
+              map { s/[^a-zA-Z0-9]//go; $_ } # Item7558: Sanitize parameter
+              split( /[,\s]+/, $query->param( 'debugenableplugins' ));
+
         } else {
             if( $TWiki::cfg{PluginsOrder} ) {
                 foreach my $plugin( split( /[,\s]+/,
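Review bot: the allowlist in `map { s/[^a-zA-Z0-9]//go; $_ }` is the right approach, but the `/o` modifier does nothing on a pattern with no interpolated variables and can be dropped, and the stray `+` blank line before `} else {` should go. One logic point: a value that is cleaned but is still not a real module name (for example `TWiki::Plugins::FooPlugin` becomes `TWikiPluginsFooPlugin`) passes `grep { /Plugin$/ }` and still reaches the `use` eval, where it fails at load time; logging names that were altered or rejected at this point would make tampering attempts visible in the server logs instead of failing silently.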

This patch is handled at TWikibug:Item7558.

Note: If you use a Perl accelerator, make sure to clear the script cache. For example, with SpeedyCGI remove the speedy cache (tmp/speedy.*) before restarting Apache.
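As an added illustration of the Background section and of the hotfix above (this is not code from the advisory or from TWiki itself), the following Perl script reproduces the hotfix's filter as a stand-alone function and runs it over constructed inputs, including the advisory's crafted value with its URL encoding removed. The on-disk module check and the temporary plugin directory are assumptions added here, not part of the hotfix.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Same filter as the hotfix: split on commas/whitespace, keep only
# [a-zA-Z0-9] in each name, and require the name to end in "Plugin".
# Characters such as ';', '(', '"' or '::' can therefore no longer
# reach the string eval that loads the module.
sub sanitize_plugin_list {
    my ($raw) = @_;
    return () unless defined $raw;
    return grep { /Plugin$/ }
           map  { s/[^a-zA-Z0-9]//g; $_ }
           split /[,\s]+/, $raw;
}

# Assumed extra check (not part of the hotfix): a cleaned name is only
# worth loading if a matching module file exists in the plugins directory.
sub is_installed_plugin {
    my ($name, $plugin_dir) = @_;
    return -f "$plugin_dir/$name.pm" ? 1 : 0;
}

# Constructed plugin directory holding a single installed plugin.
my $plugin_dir = tempdir(CLEANUP => 1);
open my $fh, '>', "$plugin_dir/CommentPlugin.pm" or die "create: $!";
print $fh "package CommentPlugin; 1;\n";
close $fh;

# Constructed inputs; the last one is the advisory's crafted value with
# the URL encoding removed (single quotes keep \r\n as literal text).
my @inputs = (
    'CommentPlugin, BackupRestorePlugin',
    'TWiki::Plugins::CommentPlugin',
    'BackupRestorePlugin;print("Content-Type:text/html\r\n\r\nVulnerable!");exit',
);

for my $raw (@inputs) {
    my @names = sanitize_plugin_list($raw);
    print "input:  $raw\n";
    print "kept:   [", join(', ', @names), "]\n";
    for my $name (@names) {
        printf "  %-28s installed=%d\n", $name,
            is_installed_plugin($name, $plugin_dir);
    }
    print "\n";
}
```

For the crafted value the kept list is empty: once the non-alphanumerics are stripped the remaining string no longer ends in Plugin, so the filter discards it outright rather than loading a mangled name. The `TWiki::Plugins::CommentPlugin` form survives the filter as `TWikiPluginsCommentPlugin` but is reported as not installed, which is why an on-disk check is a useful second line of defence.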

Hotfix for Older Affected TWiki Releases

Apply the above patch (line numbers may vary).

Verify Hotfix

To verify that the patch is effective, append the following parameter to the URL of any TWiki topic:

?debugenableplugins=BackupRestorePlugin%3bprint("Content-Type:text/html\r\n\r\nVulnerable!")%3bexit

The site is vulnerable if a page is returned with the text "Vulnerable!".

Authors and Credits

Action Plan with Timeline

External Links

-- Peter Thoeny - 2014-10-07
