Security Alert: Privilege elevation with crafted registration form (CVE-2006-2942)
Please join the twiki-announce list: To get immediate alerts of high priority security issues, please join the low-volume twiki-announce list - details at TWikiAnnounceMailingList
This advisory alerts you of a potential security issue with your TWiki 4.0 installation: an unauthorized user may gain TWiki admin group privileges with a custom registration form.
NOTE: Please review our revised TWiki security alert process,
http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess
Vulnerable Software Version
Attack Vectors
TWiki's registration process can be invoked with a crafted version of the original HTML form in which the action attribute of the form element has been modified to point to the Sandbox web instead of the user web.
In this case, TWiki's validation fails to correctly check whether the wikiname of the user has already been registered. The wikiname's user topic is looked for in the web as given by the action attribute instead of the user web.
An attacker can use this to register with his own login name, stealing a wiki name which has already been registered.
Impact
In a TWiki where login names are allowed, an attacker can snatch
the WikiName of a known member of the TWikiAdminGroup and
associate it with his own login name. After login, the attacker
can act with the privileges of TWikiAdminGroup, i.e. unlimited
access with regard to the TWiki topics.
Even if there is no known threat to TWiki 4 installations with
{MapUserToWikiName} flag unchecked in configure, it is
recommended that all TWiki 4 installations have this hotfix
installed so that the registration code is clean and safe from
further exploits.
Severity Level
The TWiki SecurityTeam triaged this issue as documented in TWikiSecurityAlertProcess and assigned the following severity level:
- Severity 2 issue: The TWiki installation is compromised
MITRE Name for this Vulnerability
The Common Vulnerabilities and Exposures project has assigned the name CVE-2006-2942 to this vulnerability.
Details
How to reproduce
Take a copy of the HTML version of TWikiRegistration, and change the action parameter in the form from ...bin/register/Main/WebHome to .../bin/register/Sandbox/WebHome. Using the modified form, register with the WikiName of a member of the TWikiAdminGroup, but provide the attacker's login name.
The registration "succeeds" to a sufficient extent: TWiki
creates a new "personal homepage" for the attacker in the
Sandbox web, but this doesn't matter. TWikiUsers is changed,
and is now showing the attacker's login name next to the
administrator's WikiName.
Why this succeeds
During the registration process, the code "verifies" the form data, and during this verification process tries to check whether the user home page exists. However, when doing so, it does not refer explicitly to the users web. The offending line is:
    if($session->{store}->topicExists( $data->{webName}, $data->{WikiName} )) {
In this line, and again when trying to create the user home page, TWiki should under no circumstances rely on the data provided by the query, but always use $TWiki::cfg{UsersWebName}.
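As an added illustration (this is not code from TWiki or from the hotfix), the following self-contained Perl script models the check quoted above with an in-memory stand-in for the store's topicExists() and runs the vulnerable lookup and the corrected one side by side. The %cfg hash, the store contents, the WikiName AdminUser and the login name mallory are all constructed for this example; only the shape of the topicExists( $web, $topic ) call is taken from the offending line.

```perl
#!/usr/bin/perl
# Added illustration, not TWiki's own code: why the original existence
# check in lib/TWiki/UI/Register.pm could be bypassed, and what the
# corrected check does instead.
use strict;
use warnings;

# Constructed configuration mirroring $TWiki::cfg{UsersWebName}.
my %cfg = ( UsersWebName => 'Main' );

# Constructed in-memory "store": web => { topic => 1 }. In a real TWiki the
# store backend answers topicExists() from the data directory on disk.
my %topics = (
    Main    => { TWikiAdminGroup => 1, AdminUser => 1, TWikiUsers => 1 },
    Sandbox => { WebHome => 1 },
);

# Stand-in for $session->{store}->topicExists( $web, $topic ).
sub topic_exists {
    my ( $web, $topic ) = @_;
    return ( exists $topics{$web} && exists $topics{$web}{$topic} ) ? 1 : 0;
}

# Vulnerable check: trusts $data->{webName}, which the registration code
# took from the URL path of the form's action attribute, so a form posted
# to .../register/Sandbox/WebHome makes it look in the Sandbox web.
sub wikiname_taken_vulnerable {
    my ($data) = @_;
    return topic_exists( $data->{webName}, $data->{WikiName} );
}

# Corrected check: the user topic is always looked up in the configured
# users web, whatever web the request names.
sub wikiname_taken_fixed {
    my ($data) = @_;
    return topic_exists( $cfg{UsersWebName}, $data->{WikiName} );
}

# Constructed request data as the registration code would see it after
# parsing a form posted to .../bin/register/Sandbox/WebHome ...
my $crafted = { webName => 'Sandbox', WikiName => 'AdminUser', LoginName => 'mallory' };
# ... and the same WikiName posted through the unmodified form (Main web).
my $normal  = { webName => 'Main',    WikiName => 'AdminUser', LoginName => 'mallory' };

for my $case ( [ 'unmodified form', $normal ], [ 'crafted form', $crafted ] ) {
    my ( $label, $data ) = @$case;
    printf "%-16s vulnerable check: taken=%d   fixed check: taken=%d\n",
        $label, wikiname_taken_vulnerable($data), wikiname_taken_fixed($data);
}
```

With the unmodified form both checks report the WikiName as already taken; with the crafted form only the corrected check does, because the vulnerable one searches the Sandbox web, where no AdminUser topic exists. The same rule applies to the later step that creates the user's home page: the web must come from $TWiki::cfg{UsersWebName}, never from the request.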
Countermeasures
- Apply hotfix
- Upgrade to TWiki 4.0.3 (to be released in a few days)
Authors and Credits
Hotfix for TWiki 4.0.0, 4.0.1 and TWiki 4.0.2
A hotfix for all released versions of TWiki 4.0.X has been attached to this security alert topic. The hotfix updates one single file: lib/TWiki/UI/Register.pm. The hotfix is provided in two formats: a patch file or a new replacement Register.pm file. The patch file is the best option if you have altered the TWiki code yourself. The replacement file is the simpler choice for most. All you need to do is replace the file with the one provided.
Action Plan with Timeline
External Links
--
Contributors: HaraldJoerg,
CrawfordCurrie,
PeterThoeny,
KennethLavrsen - 13 Jun 2006
Discussions
Note: I think that it would be great to have an easy way for administrators to check if their installation is running a specific vulnerable release, like displaying a major number instead of the build date present in %WIKIVERSION% nowadays ...
Anyway, at present, I see a way to check as looking at the value of %WIKIVERSION% displayed at the bottom of the TWiki.WebHome topic, which should be "Fri, 31 Mar 2006 build 9626" for TWikiRelease04x00x02 (if I got it right).
--
OlivierBerger - 13 Jun 2006
From TWiki-4.0.4 Hotfix 2 the actual version is also displayed.
--
KennethLavrsen - 27 Jul 2006