Security Alert: Viewfile script allows view of arbitrary files (CVE-2006-4294)
 Please join thetwiki-announce list: |
To get immediate alerts of high priority security issues, please join the low-volume twiki-announce list - details at TWikiAnnounceMailingList |
|---|
Vulnerable Software Version
- TWikiRelease04x00x04 -- TWiki-4.0.4.zip
- TWikiRelease04x00x03 -- TWiki-4.0.3.zip
- TWikiRelease04x00x02 -- TWiki-4.0.2.zip
- TWikiRelease04x00x01 -- TWiki-4.0.1.zip
- TWikiRelease04x00x00 -- TWiki-4.0.0.zip
Attack Vectors
Supply a specially crafted HTTP POST request on the TWiki viewfile script.Impact
An intruder is able to view arbitrary files on the server file system that are readable by the webserver user, such as user nobody or wwwrun. The server can potentially be exploited by reading system files such as /etc/passwd.Severity Level
The TWiki SecurityTeam triaged this issue as documented in TWikiSecurityAlertProcess and assigned the following severity level:- Severity 1 issue: The web server can be compromised
MITRE Name for this Vulnerability
The Common Vulnerabilities and Exposures project has assigned the name CVE-2006-4294
to this vulnerability.
Details
All TWiki 4.0.x releases do not sanitize the filename parameter of the viewfile script. This can used to read arbitrary files on the server. For example, http://example.com/bin/viewfile/TWiki/TWikiDocGraphics?rev=1;filename=../../../../../etc/passwd dispays the content of the/etc/passwd file in the browser.
Countermeasures
- Restrict access to the TWiki installation.
- Apply the hotfix indicated below.
- NOTE: The hotfix is known to prevent the current attacks, but it might not be a complete fix
Hotfix
The accumulated Hotfix 4 for TWiki-4.0.4 contains an improved version of theView.pm module, fixing the known vulnerability. Hotfix 4 is available at TWiki:Codev.HotFix04x00x04x04. (Fix was actually released in Hotfix 3 but because of a major bug we now recommend hotfix 4)
If you prefer to fix your TWiki installation immediately, add the line with die to the twiki/lib/TWiki/UI/View.pm file:
Index: View.pm
===================================================================
--- View.pm (revision 11339)
+++ View.pm (working copy)
@@ -356,6 +356,7 @@
my $topic = $session->{topicName};
my $fileName = $query->param( 'filename' );
+ die "Illegal attachment name" if $fileName =~ m#[/\\]#;
my $rev = $session->{store}->cleanUpRevID( $query->param( 'rev' ) );
Authors and Credits
- Credit to TWiki:Main.MinsungChoi and TWiki:Main.KoenMartens for disclosing the issue to the twiki-security mailing list
- TWiki:Main.CrawfordCurrie for creating a fix
- TWiki:Main.KennethLavrsen for creating Hotfix 3 and 4 for TWiki release 4.0.4
- TWiki:Main.PeterThoeny and TWiki:Main.KennethLavrsen for creating the advisory
Action Plan with Timeline
| # | Action | Date | Status | Who |
|---|---|---|---|---|
| 1. | User discloses vulnerability to twiki-security | 2006-08-20 | Done | TWiki:Main.MinsungChoi |
| 2. | User discloses vulnerability to twiki-security | 2006-08-28 | Done | TWiki:Main.KoenMartens |
| 3. | Developer verifies issue | 2006-08-22 | Done | PeterThoeny |
| 4. | Developer creates fix, Bugs:Item2806 |
2006-08-22 | Done | CrawfordCurrie |
| 5. | Security team creates advisory | 2006-08-31 | Done | PeterThoeny |
| 6. | Send alert to TWikiAnnounceMailingList and TWikiDevMailingList | 2006-09-05 | Done | PeterThoeny |
| 7. | Developer creates HotFix04x00x04x03 for TWiki 4.0.4 | 2006-09-06 | Done | KennethLavrsen |
| 8. | Publish advisory in Codev web and update all related topics | 2006-09-07 | Done | PeterThoeny |
| 9. | Issue a public security advisory (vuln@secunia.com, cert@cert.org, bugs@securitytracker.com, full-disclosure@lists.netsys.com, vulnwatch@vulnwatch.org) | 2006-09-07 | Done | PeterThoeny |
| 10. | Bugfixed HotFix04x00x04x04 for TWiki 4.0.4 fixes bug introduced in HotFix 3 | 2006-09-14 | Done | KennethLavrsen |
External Links
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4294 - CVE of MITRE
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4294 - National Vulnerability Database (NIST)
- http://www.secuobs.com/secumail/snsecumail/msg02346.shtml - SecuObs.com
- http://secunia.com/advisories/21829/ - Secunia
- http://www.frsirt.com/english/advisories/2006/3524 - FrSIRT
- http://seclists.org/vulnwatch/2006/q3/0034.html - Vulnwatch
- http://secwatch.org/advisories/1015339/ - SecWatch
- http://www.securitytracker.com/alerts/2006/Sep/1016805.html - SecurityTracker.com
- http://www.securityfocus.com/bid/19907 - SecurityFocus
- http://www.securitylab.ru/nvd/273584.php - SecurityLab
Discussions
Topic revision: r11 - 2006-11-30 - PeterThoeny
Site map
Blog web
Create New Topic
Index
Search
Advanced search
My topics of interest
Changes
Major changes only
All tags
Notifications
RSS Feed
Statistics
Preferences
Community 
Readme first
Developers News
How you can help
Community roles
#twiki IRC
Lima Release
Feature Proposals
Bugs Changes
Categories 
Account 
Ideas, requests, problems regarding TWiki? Send feedback. Ask community in the support forum.Copyright © 1999-2026 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.