What is TWiki?

A leading open source enterprise wiki and web application platform used by 50,000 small businesses, many Fortune 500 companies, and millions of people.
Learn more.

Security Alert CVE-2014-9325: XSS Vulnerability with QUERYSTRING and QUERYPARAMSTRING Variables

Get Alerted:	To get immediate alerts of high priority security issues, please join the low-volume twiki-announce list - details at TWikiAnnounceMailingList

This advisory alerts you of two potential security issues with your TWiki installation: The TWiki Variables QUERYSTRING and QUERYPARAMSTRING may expose a cross-site scripting vulnerability. (See also related SecurityAlert-CVE-2014-9367.)

Vulnerable Software Version

• TWiki-6.0.1 (TWikiRelease06x00x01)

Attack Vectors

Attack can be done by viewing wiki pages or by logging in by issuing HTTP GET requests towards the TWiki server (usually port 80/TCP).

Impact

Specially crafted parameters open up XSS (Cross-Site Scripting) attacks.

Severity Level

The TWiki SecurityTeam triaged this issue as documented in TWikiSecurityAlertProcess and assigned the following severity level:

• Severity 3 issue: TWiki content or browser is compromised.

MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name CVE-2014-9325 to this vulnerability.

Details

A malicious person can use specially crafted URL parameters to TWiki scripts that execute arbitrary JavaScript code in the browser. Examples:

Specially crafted parameter to the view script of TWiki:

GET /do/view/Main/TWikiPreferences?'"--></style></script><script>alert('CVE-2014-9325 vulnerable')</script>

TWiki decodes the URL parameters and pops up a JavaScript alert box showing "CVE-2014-9325 vulnerable!"

Countermeasures

• Apply hotfix (see patch below).
• Use the web server software to restrict access to the web pages served by TWiki.

Hotfix for TWiki Production Release

No TWiki patch release will be done to address this issue. Instead, apply the patches to the two files below.

Patch lib/TWiki.pm

Affected file: twiki/lib/TWiki.pm

--- TWiki.pm   (revision 28488)
+++ TWiki.pm   (working copy)
@@ -4803,7 +4803,10 @@
 
 sub QUERYSTRING {
     my $this = shift;
-    return $this->{request}->queryString();
+    my $qs = $this->{request}->queryString();
+    # Item7595: Sanitize QUERYSTRING
+    $qs =~ s/(['\/<>])/'%'.sprintf('%02x', ord($1))/ge;
+    return $qs;
 }
 
 sub QUERYPARAMS {

Patch lib/TWiki/UI/View.pm

Affected file: twiki/lib/TWiki/UI/View.pm

--- TWiki/UI/View.pm   (revision 28488)
+++ TWiki/UI/View.pm   (working copy)
@@ -349,8 +349,14 @@
       next if ($name eq 'topic');
       push @qparams, $name => $query->param($name);
     }
-    $tmpl =~ s/%QUERYPARAMSTRING%/TWiki::_make_params(1,@qparams)/geo;
 
+    if ( $tmpl =~ /%QUERYPARAMSTRING%/ ) {
+        my $qs = TWiki::_make_params( 1, @qparams );
+        # Item7595: Sanitize QUERYPARAMSTRING
+        $qs =~ s/(['\/<>])/'%'.sprintf('%02x', ord($1))/ge;
+        $tmpl =~ s/%QUERYPARAMSTRING%/$qs/go;
+    }
+
     # extract header and footer from the template, if there is a
     # %TEXT% tag marking the split point. The topic text is inserted
     # in place of the %TEXT% tag. The text before this tag is inserted

Notes:

• Learn how to apply patches
• This issue is tracked at TWikibug:Item7595

Verify Hotfix

To verify the patch add the following parameter to any TWiki topic:

?'"--></style></script><script>alert('CVE-2014-9325 vulnerable')</script>

The site is vulnerable if a dialog box is shown with text "CVE-2014-9325 vulnerable!"

Authors and Credits

• Credit to Robert Abela ( robert[at]netsparker.com) and Onur Yilmaz (onur[at]netsparker.com) for disclosing the issue to the twiki-security@listsPLEASENOSPAM.sourceforge.net mailing list.
• TWiki:Main.PeterThoeny for verifying the issue, creating a fix, and creating the patch and advisory.

Action Plan with Timeline

• 2014-12-09 - Robert Abela of Netsparker discloses issue to TWikiSecurityMailingList
• 2014-12-09 - developer verifies issue - PeterThoeny
• 2014-12-09 - developer fixes code - PeterThoeny
• 2014-12-15 - security team creates advisory with hotfix - PeterThoeny
• 2014-12-16 - send alert to TWikiAnnounceMailingList and TWikiDevMailingList - PeterThoeny
• 2014-12-18 - publish advisory in Codev web and update all related topics - PeterThoeny
• 2014-12-18 - issue a public security advisory to fulldisclosure[at]seclists.org, cert[at]cert.org, vuln[at]secunia.com, bugs[at]securitytracker.com, submissions[at]packetstormsecurity.org - PeterThoeny

External Links

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9325 - CVE on MITRE.org

-- Peter Thoeny - 2014-12-18

Comments