Security Alert: TWiki Rdiff and Preview Scripts Ignore Access Control Settings (CVE-2006-1386)
Please join the twiki-announce list: To get immediate alerts of high priority security issues, please join the low-volume twiki-announce list - details at TWikiAnnounceMailingList
This advisory alerts you of a potential security issue with your TWiki 4.0 installation: the rdiff and preview scripts ignore access control settings, allowing unauthorized users to view restricted content.
Vulnerable Software Version
Attack Vectors
By invoking the rdiff and preview scripts in non-obvious ways, it is possible to view access-restricted content.
Impact
An unauthorized user can view access-restricted areas and gain access to confidential content in TWiki topics.
Severity Level
The TWiki SecurityTeam triaged this issue as documented in TWikiSecurityAlertProcess and assigned the following severity level:
- Severity 2 issue: The TWiki installation is compromised
MITRE Name for this Vulnerability
The Common Vulnerabilities and Exposures project has assigned the name CVE-2006-1386 to this vulnerability.
Details
To reproduce the rdiff vulnerability:
Add this to an existing topic:
- Set DENYTOPICVIEW = Main.YourWikiName
View the topic. You will be denied view. Now edit the URL and
replace view with rdiff. Now you can see the most recent
changes, even those done after the DENYTOPICVIEW was added.
To reproduce the preview vulnerability:
An unauthorized user can access a restricted web by using the
preview script instead of the view script. Example URL to
access the restricted web called Secret:
http://wiki.example.com/bin/preview/Secret/WebHome?action=foo
Countermeasures
- Apply hotfix
- Upgrade to TWiki 4.0.2 (to be released in a few days)
Authors and Credits
Hotfix for TWiki 4.0.0 and TWiki 4.0.1
Hotfix for rdiff script:
In file twiki/lib/TWiki/UI/RDiff.pm, find sub diff. 10 lines lower in the file you will find the following line:
    TWiki::UI::checkTopicExists( $session, $webName, $topic, 'diff' );
Add the following line immediately after it:
    TWiki::UI::checkAccess( $session, $webName, $topic, 'view', $session->{user} );
Hotfix for preview script:
In file twiki/lib/TWiki/UI/Save.pm find the following lines:
    if( $topicExists ) {
        ( $prevMeta, $prevText ) =
          $store->readTopic( undef, $webName, $topic, undef );
        if( $prevMeta ) {
            foreach my $k ( keys %$prevMeta ) {
Change the call to 'readTopic' to:
    $store->readTopic( $user, $webName, $topic, undef );
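The following Perl script is an added illustration, not TWiki's own code, that models the access-control flow described in the Details and hotfix sections above: a topic's DENYTOPICVIEW setting is honoured by the view path, while an rdiff entry point that only checks topic existence, or a preview path that reads the store with an undefined user, returns the restricted text. The patched variants show the two hotfix patterns side by side. The sample store, the user name Main.GuestUser, and the helper names topic_acl, check_access and read_topic are all constructed for this example.

```perl
#!/usr/bin/perl
# Added illustration, not TWiki's own code: a minimal model of TWiki-style
# topic access control, showing why every entry script (view, rdiff,
# preview) must run the same check before it touches topic content.
use strict;
use warnings;

# Constructed sample store (hypothetical): two revisions of Secret.WebHome,
# the second of which adds the DENYTOPICVIEW setting from the advisory.
my %STORE = (
    'Secret.WebHome' => [
        "Initial public text\n",
        "   * Set DENYTOPICVIEW = Main.GuestUser\nConfidential budget figures\n",
    ],
);

# Collect ALLOWTOPICVIEW / DENYTOPICVIEW from the latest revision of a topic.
sub topic_acl {
    my ($web, $topic) = @_;
    my $revs = $STORE{"$web.$topic"} or return;
    my %acl;
    while ($revs->[-1] =~ /^\s+\*\s+Set\s+(ALLOWTOPICVIEW|DENYTOPICVIEW)\s*=\s*(.*?)\s*$/mg) {
        $acl{$1} = [ split /\s*,\s*/, $2 ];
    }
    return \%acl;
}

# May $user view the topic?  A deny entry wins; an allow list, if present,
# must contain the user.  Unknown topics are not viewable.
sub check_access {
    my ($user, $web, $topic) = @_;
    my $acl = topic_acl($web, $topic) or return 0;
    return 0 if grep { $_ eq $user } @{ $acl->{DENYTOPICVIEW} || [] };
    if (my $allow = $acl->{ALLOWTOPICVIEW}) {
        return 0 unless grep { $_ eq $user } @$allow;
    }
    return 1;
}

# Store read that enforces the ACL only when a user is supplied, mirroring
# the readTopic(undef, ...) versus readTopic($user, ...) difference in the
# preview hotfix.  $rev is 1-based; undef means latest.
sub read_topic {
    my ($user, $web, $topic, $rev) = @_;
    my $revs = $STORE{"$web.$topic"} or die "TopicNotFound\n";
    die "AccessControlException\n"
        if defined $user && !check_access($user, $web, $topic);
    return defined $rev ? $revs->[$rev - 1] : $revs->[-1];
}

# rdiff before the hotfix: only the existence check runs, so the caller
# receives both revisions, including the one written after the deny setting.
sub rdiff_unpatched {
    my ($user, $web, $topic) = @_;
    die "TopicNotFound\n" unless exists $STORE{"$web.$topic"};
    return [ map { read_topic(undef, $web, $topic, $_) } (1, 2) ];
}

# rdiff after the hotfix: the same view check the view script applies,
# placed immediately after the existence check.
sub rdiff_patched {
    my ($user, $web, $topic) = @_;
    die "TopicNotFound\n" unless exists $STORE{"$web.$topic"};
    die "AccessControlException\n" unless check_access($user, $web, $topic);
    return [ map { read_topic(undef, $web, $topic, $_) } (1, 2) ];
}

# preview before the hotfix reads with undef as the user; after, with $user.
sub preview_unpatched { my ($user, $web, $topic) = @_; return read_topic(undef, $web, $topic, undef); }
sub preview_patched   { my ($user, $web, $topic) = @_; return read_topic($user, $web, $topic, undef); }

# Exercise all four entry points as Main.GuestUser, who is on the deny list.
my %ENTRY = (
    rdiff_unpatched   => \&rdiff_unpatched,
    rdiff_patched     => \&rdiff_patched,
    preview_unpatched => \&preview_unpatched,
    preview_patched   => \&preview_patched,
);
for my $name (sort keys %ENTRY) {
    my $result = eval { $ENTRY{$name}->('Main.GuestUser', 'Secret', 'WebHome') };
    my $err = $@;
    chomp $err;
    printf "%-18s %s\n", $name, defined $result ? 'LEAKED restricted content' : "denied: $err";
}
```

Run with `perl` and the two unpatched paths report leaked content while the two patched paths are denied. The design point is that the access decision lives in one function and every script that can render topic text must call it; a store read that accepts an undefined user is a bypass waiting for the next entry point that forgets to pass one.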
Action Plan with Timeline
Note: A silent alert was not done because the vulnerabilities were already made public in the TWiki bug database at Bugs:WebHome on 2006-03-21 and 2006-03-23, respectively.
External Links
--
Contributors: PeterThoeny, CrawfordCurrie, SteffenPoulsen, JasonHill - 24 Mar 2006
Discussions