Security Alert: Arbitrary code execution in session files (CVE-2007-0669)
 Please join thetwiki-announce list: |
To get immediate alerts of high priority security issues, please join the low-volume twiki-announce list - details at TWikiAnnounceMailingList |
|---|
Vulnerable Software Version
- TWikiRelease04x01x00 -- TWiki-4.1.0.zip
- TWikiRelease04x00x05 -- TWiki-4.0.5.zip
- TWikiRelease04x00x04 -- TWiki-4.0.4.zip
- TWikiRelease04x00x03 -- TWiki-4.0.3.zip
- TWikiRelease04x00x02 -- TWiki-4.0.2.zip
- TWikiRelease04x00x01 -- TWiki-4.0.1.zip
- TWikiRelease04x00x00 -- TWiki-4.0.0.zip
- Any previous TWiki version using SessionPlugin
Attack Vectors
Write access to global /tmp directory (or CGI session directory, if different). This can be either directly on file level (such as on a shared host), or via an HTTP vulnerability of a third party web application.Impact
Under the assumption that an intruder has write access to the /tmp directory (or CGI session directory), such as with a vulnerability of another web application running on the same server, it is possible to execute arbitrary Perl code with the privileges of the web server process, such as usernobody.
Severity Level
The TWiki SecurityTeam triaged this issue as documented in TWikiSecurityAlertProcess and assigned the following severity level:- Severity 2 issue: The TWiki installation is compromised
MITRE Name for this Vulnerability
The Common Vulnerabilities and Exposures project has assigned the name CVE-2007-0669
to this vulnerability.
Details
Your site may be vulnerable if:- You run one of the vulnerable TWiki versions, and
- You have not reconfigured the CGI session directory
$cfg{Sessions}{Dir}to a private directory
$cfg{UseClientSessions} is not sufficient to protect against this vulnerability, since there is session cleanup code that runs regardless of whether sessions are enabled or not.
Countermeasures
- Restrict access to the TWiki server on file level and HTTP.
- If on a shared host, move TWiki to a dedicated host.
- Upgrade to TWikiRelease04x01x01 -- TWiki-4.1.1.zip (recommended)
- Apply a hotfix indicated below.
Hotfix for TWiki 4.x
In configure, change$cfg{Sessions}{Dir} to a private directory (one which is only readable and writable by the user your web server is running as, and is not served as web content to remote users). The recommended fix is to make a $cfg{DataDir}/session_tmp directory owned by the user Apache is running as, change its permissions to 0700 (drwx------), and set $cfg{Sessions}{Dir} to that directory.
Upgrading to TWiki 4.1.1 is recommended; the session files are cleaned up by timestamp, i.e. no longer executed. TWiki 4.1.1 will create and use the /tmp/twiki directory by default to store the session files.
Hotfix for older TWiki versions using SessionPlugin
This section details the attack vectors, details, and countermeasures for this vulnerability as it applies to the SessionPlugin. This section does not apply to TWiki versions 4.0 and up, which use built-in session tracking. Vulnerable software version- SessionPlugin 1.0 -- SessionPlugin.zip (attachment versions 1-5)
- SessionPlugin 2.0-2.992 -- SessionPlugin.zip (attachment versions 6-8)
- For SessionPlugin 1.000:
- Write access to the
$cfg{DataDir}/.sessiondirectory, which in some cases may be created world-writable for local users.
- Write access to the
- For SessionPlugin 2.0-2.992:
- Write access to global
/tmpdirectory. This can be either directly on file level (such as shared host), or HTTP vulnerability of a third party web application.
- Write access to global
- For SessionPlugin 1.000 (attachment versions 1-5 from the SessionPlugin topic):
- Ensure that the
$cfg{DataDir}/.sessiondirectory exists, is owned by the user Apache is running as, and has 0700 permissions (drwx------).
- Ensure that the
- For SessionPlugin 2.9 (attachment versions 6-8 from the SessionPlugin topic):
- Upgrade to SessionPlugin 2.992 (attachment version 9 from the SessionPlugin topic).
Authors and Credits
- Credit to TWiki:Main.AndrewMoise for disclosing the issue to the twiki-security mailing list
- TWiki:Main.KennethLavrsen and TWiki:Main.AndrewMoise for creating the hotfix
- TWiki:Main.AndrewMoise and TWiki:Main.PeterThoeny for creating the advisory
Action Plan with Timeline
| # | Action | Date | Status | Who |
|---|---|---|---|---|
| 1. | User discloses vulnerability to twiki-security | 2007-01-28 | Done | AndrewMoise |
| 2. | Developer verifies issue | 2007-01-29 | Done | KennethLavrsen, CrawfordCurrie |
| 3. | Developer fixes code and creates hotfix | 2007-01-31 | Done | KennethLavrsen |
| 4. | Security team creates advisory | 2007-02-05 | Done | AndrewMoise, PeterThoeny |
| 5. | Send alert to TWikiAnnounceMailingList and TWikiDevMailingList | 2007-02-06 | Done | PeterThoeny |
| 6. | Publish advisory in Codev web and update all related topics | 2007-02-08 | Done | PeterThoeny |
| 7. | Issue a public security advisory (vuln@secunia.com, cert@cert.org, bugs@securitytracker.com, full-disclosure@lists.netsys.com, vulnwatch@vulnwatch.org) | 2007-02-08 | Done | PeterThoeny |
External Links
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0669 - CVE of MITRE
- http://www.kb.cert.org/vuls/id/584436 - US-CERT - VU#584436
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0669 - NIST
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=410256 - Debian bug report
- http://www.frsirt.com/english/advisories/2007/0544 - FrSIRT
- http://www.frsirt.com/english/advisories/2007/0552 - FrSIRT on OpenPKG
- http://secunia.com/advisories/24091/ - Secunia
- http://www.secuobs.com/secumail/snsecumail/msg04610.shtml - SecuOps
- http://www.heise.de/newsticker/meldung/85105 - Heise Online
- http://www.security-database.com/detail.php?cve=CVE-2007-0669 - Security Database
- http://www.securiteam.com/unixfocus/5SP0D0AKKA.html - SecuriTeam
- http://www.securityfocus.com/archive/1/459802/30/30/threaded - SecurityFocus
- https://lwn.net/Articles/221740/ - LWN.net
Discussions
Some additional info:- Upgrade to TWiki 4.1.1 is recommended.
- The default location of session files changed in TWiki 4.1.1, also the configuration settings:
- TWiki 4.1.0 and below had separate
$TWiki::cfg{Sessions}{Dir}and$TWiki::cfg{PassthroughDir}settings, both pointing to/tmp - TWiki 4.1.1 combined that into one
$TWiki::cfg{TempfileDir}setting, pointing to/tmp/twiki
- TWiki 4.1.0 and below had separate
- There is a known issue in TWiki 4.1.1 that under some circumstances the
/tmp/twikiis not created automatically - see Bugs:Item3568
maketmpdir script in the bin directory with this content:
#!/usr/bin/perl print "Content-type: text/html\n\n"; `mkdir /home/twiki/data/tmpfiles`; `chmod 700 /home/twiki/data/tmpfiles`; print "done\n";Change the path in
mkdir and chmod to your server environment. Run the script from your browser. This will create a tmpfiles directory in your twiki/data directory. Delete the script. Run configure and point $TWiki::cfg{Sessions}{Dir} and $TWiki::cfg{PassthroughDir} to that directory.
-- PeterThoeny - 10 Feb 2007
Topic revision: r14 - 2007-02-19 - PeterThoeny
Site map
Blog web
Create New Topic
Index
Search
Advanced search
My topics of interest
Changes
Major changes only
All tags
Notifications
RSS Feed
Statistics
Preferences
Community 
Readme first
Developers News
How you can help
Community roles
#twiki IRC
Lima Release
Feature Proposals
Bugs Changes
Categories 
Account 
Ideas, requests, problems regarding TWiki? Send feedback. Ask community in the support forum.Copyright © 1999-2026 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.