What is TWiki?

A leading open source enterprise wiki and web application platform used by 50,000 small businesses, many Fortune 500 companies, and millions of people.
Learn more.

Security Alert CVE-2011-1838: XSS Vulnerability with origurl parameter of login script

Get Alerted:	To get immediate alerts of high priority security issues, please join the low-volume twiki-announce list - details at TWikiAnnounceMailingList

This advisory alerts you of two potential security issues with your TWiki installation: The login script may expose a cross-site scripting vulnerability when using the origurl parameter.

Vulnerable Software Version

• TWikiRelease05x00x01 -- TWiki-5.0.1.zip
• TWikiRelease05x00x00 -- TWiki-5.0.0.zip
• TWikiRelease04x03x02 -- TWiki-4.3.2.zip
• TWikiRelease04x03x01 -- TWiki-4.3.1.zip
• TWikiRelease04x03x00 -- TWiki-4.3.0.zip
• TWikiRelease04x02x04 -- TWiki-4.2.4.zip
• TWikiRelease04x02x03 -- TWiki-4.2.3.zip
• TWikiRelease04x02x02 -- TWiki-4.2.2.zip
• TWikiRelease04x02x01 -- TWiki-4.2.1.zip
• TWikiRelease04x02x00 -- TWiki-4.2.0.zip
• TWikiRelease04x01x02 -- TWiki-4.1.2.zip
• TWikiRelease04x01x01 -- TWiki-4.1.1.zip
• TWikiRelease04x01x00 -- TWiki-4.1.0.zip
• TWikiRelease04x00x05 -- TWiki-4.0.5.zip
• TWikiRelease04x00x04 -- TWiki-4.0.4.zip
• TWikiRelease04x00x03 -- TWiki-4.0.3.zip
• TWikiRelease04x00x02 -- TWiki-4.0.2.zip
• TWikiRelease04x00x01 -- TWiki-4.0.1.zip
• TWikiRelease04x00x00 -- TWiki-4.0.0.zip
• and possibly older versions

Attack Vectors

Attack can be done by viewing wiki pages or by logging in by issuing HTTP GET requests towards the TWiki server (usually port 80/TCP).

Impact

Specially crafted parameters open up XSS (Cross-Site Scripting) attacks.

Severity Level

The TWiki SecurityTeam triaged this issue as documented in TWikiSecurityAlertProcess and assigned the following severity level:

• Severity 3 issue: TWiki content or browser is compromised.

MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name CVE-2011-1838 to this vulnerability.

Details

A malicious person can use specially crafted URL parameters to TWiki view and login scripts that execute arbitrary Javascript code in the browser. Examples:

Specially crafted origurl parameter to the login script of TWiki:

GET /twiki/bin/login/Sandbox/WebHome?%27%221=;origurl=1%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert%280x00039C%29%3C/script%3E

GET /twiki/bin/login/Sandbox/WebHome?sudo=sudo;origurl=http://10.1.10.128/bin/view/Main/TWikiAdminUser%00%27%22--%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3Ealert%280x00044C%29%3C%2Fscript%3E

TWiki decodes the URL parameter and pops up a Javascript alert box showing "924"

Countermeasures

• Apply hotfix (see patch below).
• Upgrade to the latest patched production TWiki-5.0.2, TWikiRelease05x00x02.
• Use the web server software to restrict access to the web pages served by TWiki.

Hotfix for TWiki Production Releases

It is recommended to upgrade to the latest TWiki version. If an immediate upgrade is not feasible you can apply this patch for Production Release TWiki-5.0.x, TWiki-4.3.x and TWiki-4.2.x. There is no hotfix for earlier TWiki releases; take the hotfix as a guideline (line numbers may vary). The patch sanitizes the origurl parameter.

Patch for TWiki-5.0.1, TWiki-5.0.0 and TWiki-4.3.x

Affected file: twiki/lib/TWiki/LoginManager/TemplateLogin.pm

Patch:

--- TemplateLogin.pm.orig   2011-04-28 21:48:34.000000000 -0700
+++ TemplateLogin.pm   2011-05-01 17:15:10.000000000 -0700
@@ -139,6 +139,9 @@
     my $loginPass = $query->param( 'password' );
     my $remember  = $query->param( 'remember' );
 
+    # Item6673: Cleanup origurl parameter
+    $origurl   =~ s/[^a-zA-Z0-9_\-\.\:\/\?\;\&]//g;
+
     # Eat these so there's no risk of accidental passthrough
     $query->delete( 'origurl', 'username', 'password' );
 

Patch for TWiki-4.2.x

Affected file: twiki/lib/TWiki/Client/TemplateLogin.pm

Patch:

--- TemplateLogin.pm.save1   2007-03-03 06:45:57.000000000 -0800
+++ TemplateLogin.pm   2011-05-13 15:21:41.000000000 -0700
@@ -107,6 +107,9 @@
     my $loginName = $query->param( 'username' );
     my $loginPass = $query->param( 'password' );
 
+    # Item6673: Cleanup origurl parameter
+    $origurl   =~ s/[^a-zA-Z0-9_\-\.\:\/\?\;\&]//g;
+
     # Eat these so there's no risk of accidental passthrough
     $query->delete('origurl', 'username', 'password');

Authors and Credits

• Credit to Mesut Timur (mesut[at]mavitunasecurity.com) for disclosing the issue to the twiki-security@listsPLEASENOSPAM.sourceforge.net mailing list.
• TWiki:Main.GeorgeTrubisky for creating TWiki-5.0.2 patch release with a fix.
• TWiki:Main.PeterThoeny for verifying the issue, creating a fix, and creating the patch and advisory.

Action Plan with Timeline

• 2011-05-03: Developer releases TWiki-5.0.2 with fix (George Trubisky)
• 2011-05-15: Security team creates advisory with hotfix (Peter Thoeny)
• 2011-05-16: Send alert to TWikiAnnounceMailingList and TWikiDevMailingList (Peter Thoeny)
• 2011-05-18: Publish advisory in Codev web and update all related topics (Peter Thoeny)
• 2011-05-18: Issue a public security advisory to full-disclosure@lists.netsys.com, cert@cert.org, vuln@secunia.com, bugs@securitytracker.com (Peter Thoeny)

External Links

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1838 - CVE on MITRE.org
• http://www.mavitunasecurity.com/xss-vulnerability-in-twiki/ - Mavituna Security (researcher who reported the issue)
• http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1838 - National Vulnerability Database, NIST
• http://secunia.com/advisories/cve_reference/CVE-2011-1838/ - Secunia
• http://secunia.com/advisories/44594/ - Secunia
• http://www.securityfocus.com/archive/1/518038 - Security Focus
• http://www.securityfocus.com/bid/47899/info - Security Focus
• http://www.vupen.com/english/Reference-CVE-2011-1838.php - VUPEN
• http://www.vupen.com/english/advisories/2011/1258 - VUPEN
• http://seclists.org/bugtraq/2011/May/139 - seclists.org
• http://packetstormsecurity.org/files/101519 - Packet Storm
• http://packetstormsecurity.org/files/view/101519/twiki501-xss.txt - Packet Storm
• http://dl.packetstormsecurity.net/1105-advisories/sa44594.txt - Packet Storm
• http://www.cnnvd.org.cn/vulnerability/show/cv_id/2011050199 - China National Vulnerability Database of Information Security
• http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/80279 - Gossamer Threads
• http://securitytracker.com/id/1025542 - SecurityTracker
• http://www.securityhome.eu/exploits/exploit.php?eid=4540455414dd3fb688a9868.77420915 - Security Home EU
• http://permalink.gmane.org/gmane.comp.security.bugtraq/47138 - gmane
• http://inter5.org/archives/11280 - inter5.org
• http://www.securelist.com/en/advisories/44594 - securelist.com
• http://forums.cnet.com/7726-6132_102-5133971.html - cnet.com
• https://launchpad.net/bugs/cve/2011-1838 - Launchpad.net
• http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2011-05/msg00139.html - derkeiler.com
• http://osvdb.org/show/osvdb/72400 - OSVDB
• http://www.mail-archive.com/bugtraq@securityfocus.com/msg36997.html - mail-archive.com
• http://www.cert.uhp-nancy.fr/services/Securite-informatique/Avis-de-securite/Avis-cert-renater/2011_VULN387 - Nancy-Universite
• http://www.criticalwatch.com/news-events/security-advisories.aspx?AID=35892 Critical Watch
• http://sec.jetlib.com/Bugtraq/2011/05/18/XSS_vulnerability_in_TWiki_%3C_5.0.2 - jetlib.dec
• http://hi.baidu.com/artcracker/blog/item/3bcf3550b102390f377abe6d.html - Chinese blog
• http://dvw-j.blogspot.com/2011/05/twiki.html - Japanese blog
• http://wolfexp.net/rss/?action=show&id=3038 - wolfexp.net
• http://securityvulns.ru/docs26385.html - securityvulns, Russia
• http://admin.venustech.com.cn/NewsInfo/124/10234.Html - Venustech, China
• http://www.cnaz.net/view-1027-1.html - cnaz.net, China
• http://www.cnvd.org.cn/vulnerability/CNVD-2011-05522 - CNVD, China
• http://www.7747.net/Article/201105/91068.html - 7747.net, China
• http://www.nxgg8.com/article/html/18079.html - nxgg8.com, China
• http://it-security-vulnerabilities.posterous.com/multiple-cross-site-scripting-xss-vulnerabili-7 - IT Security Vulnerabilities

-- PeterThoeny - 2011-05-18

Discussions