Configuration of TWiki

Main program

Plugins

Patches

*** TWiki20030201/Search.pm     2004-11-12 12:11:52.000000000 -0800
--- ./Search.pm 2004-11-12 12:12:20.000000000 -0800
***************
*** 135,140 ****
--- 135,147 ----
      my $tempVal = "";
      my $tmpl = "";
      my $topicCount = 0; # JohnTalintyre
+
+     # fix for Codev.SecurityAlertExecuteCommandsWithSearch
+     # vulnerability, search: "test_vulnerability '; ls -la'"
+     $theSearchVal =~ s/[\'\`]//g;                  # Filter ' and `
+     $theSearchVal =~ s/\@\(/\@\\\(/g;              # Defuse @( ... )
+     $theSearchVal = substr($theSearchVal, 0, 200); # Limit string  
+ length
+
      my $originalSearch = $theSearchVal;
      my $renameTopic;
      my $renameWeb = "";
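Review bot: the trailing comment of the `substr` line has wrapped onto its own `+ length` line, so applying this hunk verbatim inserts a bare `length` statement into Search.pm; rejoin it as `$theSearchVal = substr($theSearchVal, 0, 200); # Limit string length`. The filter itself is a denylist: only `'` and `` ` `` are removed and `@(` is escaped, so it only holds if every other character that reaches the command line is already neutralised by the quoting around it. An allowlist of the characters a search term may contain, or invoking the search program without going through a shell, would not depend on that assumption.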

Further issues

Data migration from Windows

  • fromdos
  • possibly the username doesn't match the one under which everything was stored in RCS (from Beat it comes as system, I write root, and the whole thing has to run as www-data. Well, the script can now handle that too :)))
  • but that can't be all of it yet !!!! (unfortunately)
  • there is now a nice script that checks out every file and checks it back in ..... .... no, there are actually two scripts !! (one for data and one for pub)
  • Oh yes.... the script of course writes everything into RCS !! So afterwards various files still have to be copied manually without going through RCS. Examples are:
    • .notify
    • .webstatistic (or something like that !)
    • KoalaSkin files
    • small images for the header lines

Security Patch (12.9.2005)


> ---++ Vulnerable Software Version
>    * TWikiRelease02Sep2004 -- TWiki20040902.zip
>    * TWikiRelease01Sep2004 -- TWiki20040901.zip
>    * TWikiRelease01Feb2003 -- TWiki20030201.zip
>    * TWikiRelease01Dec2001 -- TWiki20011201.zip
>    * TWikiRelease01Dec2000 -- TWiki20001201.zip
>    * (FYI, recent DakarReleases are not affected)
> 
> 
> ---++ Attack Vectors
> 
> HTTP GET requests towards the Wiki server (typically port 80/TCP).
> Usually, no prior authentication is necessary.
> 
> Possibly also HTTP POST, but this is untested.
> 
> 
> ---++ Impact
> 
> An attacker is able to execute arbitrary shell commands with the
> privileges of the web server process, such as user nobody.
> 
> 
> ---++ Details
> 
> The TWiki revision control function uses a user supplied URL 
> parameter to compose a command line executed by the Perl backtick 
> (``) operator.
> 
> The URL parameter is not checked properly for shell metacharacters
> and is thus vulnerable to revision numbers containing pipes and 
> shell commands. Exploit is possible on topics with 2 or more 
> revisions.
> 
> Example URL path with exploited rev parameter:
> /cgi-bin/view/Main/WebHome?rev=2%20%7Cless%20/etc/group
> 
> If access to TWiki is not restricted by other means, attackers can
> use the revision function without prior authentication.
> 
> 
> ---++ Countermeasures
> 
>    * Apply hotfix (see patches below)
>       * NOTE: The hotfix is known to prevent the current attacks,  
>         but it might not be a complete fix
>    * Upgrade to the latest patched production TWikiRelease03Sep2004,
>      http://twiki.org/swd/TWiki20040903.zip or
>      http://twiki.org/swd/TWiki20040903.tar.gz
>       * NOTE: If you are running TWikiRelease02Sep2004, simply copy
>         the patched lib/TWiki/Store.pm, lib/TWiki/UI/RDiff.pm, 
>         lib/TWiki/UI/View.pm and lib/TWiki/UI/Viewfile.pm to your
>         installation
>    * Filter access to the web server
>    * Use the web server software to restrict access to the web pages
>      served by TWiki
> 
> 
> ---++ Authors and Credits
> 
>    * Credit to B4dP4nd4 (b4dp4nd4@gmail.com) for disclosing the issue
>      to the twiki-security@lists.sourceforge.net mailing list
>    * TWiki:Main.PeterThoeny, TWiki:CrawfordCurrie, TWiki:SvenDowideit 
>      for contributing to this advisory

> ---+++ Patch for TWiki Production Release 01-Feb-2003
> 
> diff -u lib/TWiki/Store.pm.orig lib/TWiki/Store.pm
> --- lib/TWiki/Store.pm.orig     Sat Jan  4 17:36:56 2003
> +++ lib/TWiki/Store.pm  Thu Sep  8 23:10:58 2005
> @@ -351,9 +351,11 @@
>      if( ! $theWebName ) {
>          $theWebName = $TWiki::webName;
>      }---++ Vulnerable Software Version
> 
> -
> -    $theRev =~ s/^1\.//o;
> 
> +    $theRev =~ s/r?1\.//o;  # cut 'r' and major
> +    # Fix for Codev.SecurityAlertExecuteCommandsWithRev
> +    $theRev = "" unless( $theRev =~ s/.*?([0-9]+).*/$1/o );
> +
>      $topicHandler = _getTopicHandler( $theWebName, 
> $theTopic, $attachment ) if( ! $topicHandler );
>      my( $rcsOut, $rev, $date, $user, $comment ) = 
> $topicHandler->getRevisionInfo( $theRev );
> 
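Review bot: `s/.*?([0-9]+).*/$1/o` is anchored at neither end and lacks `/s`, so `.` stops at a newline and the substitution succeeds while everything after the newline stays in `$theRev`; the 26.9.2005 patch further down tightens exactly this line to `s/^.*?([0-9]+).*$/$1/so` and anchors the `r?1\.` strip with `^`, so that form should be used from the start. The context line `}` also carries the stray text `---++ Vulnerable Software Version`, which is not part of Store.pm and will stop the hunk from applying cleanly.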
> diff -u bin/rdiff.orig bin/rdiff
> --- bin/rdiff.orig      Sat Feb  1 00:57:32 2003
> +++ bin/rdiff   Thu Sep  8 23:18:05 2005
> @@ -155,6 +155,9 @@
>          if( ! $rev2 ) { $rev2 = 0; }
>          $rev1 =~ s/r?1\.//go;  # cut 'r' and major
>          $rev2 =~ s/r?1\.//go;  # cut 'r' and major
> +        # Fix for Codev.SecurityAlertExecuteCommandsWithRev
> +        $rev1 = $maxrev unless( $rev1 =~ s/.*?([0-9]+).*/$1/o );
> +        $rev2 = $maxrev unless( $rev2 =~ s/.*?([0-9]+).*/$1/o );
>          if( $rev1 < 1 )       { $rev1 = $maxrev; }
>          if( $rev1 > $maxrev ) { $rev1 = $maxrev; }
>          if( $rev2 < 1 )       { $rev2 = 1; }
> diff -u bin/view.orig bin/view
> --- bin/view.orig       Thu Jan 30 00:21:25 2003
> +++ bin/view    Thu Sep  8 23:13:47 2005
> @@ -123,6 +123,8 @@
>          writeDebug( "maxrev = $maxrev" );
>          if( $rev ) {
>              $rev =~ s/r?1\.//go;  # cut 'r' and major
> +            # Fix for Codev.SecurityAlertExecuteCommandsWithRev
> +            $rev = $maxrev unless( $rev =~ s/.*?([0-9]+).*/$1/o );
>              if( $rev < 1 )       { $rev = 1; }
>              if( $rev > $maxrev ) { $rev = $maxrev; }
>          } else {
> diff -u bin/viewfile.orig bin/viewfile
> --- bin/viewfile.orig   Sun Jan  5 00:36:54 2003
> +++ bin/viewfile        Thu Sep  8 23:14:54 2005
> @@ -63,6 +63,9 @@
>      my $fileName = $query->param( 'filename' );
> 
>      my $rev = $query->param( 'rev' ) || "";
> +    $rev =~ s/r?1\.//o;  # cut 'r' and major
> +    # Fix for Codev.SecurityAlertExecuteCommandsWithRev
> +    $rev = "" unless( $rev =~ s/.*?([0-9]+).*/$1/o );
>      my $topRev = &TWiki::Store::getRevisionNumber( $webName, 
> $topic, $fileName );
> 
>      if( ( $rev ) && ( $rev ne $topRev ) ) {
> 
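As an added example that is not part of the quoted advisory or of TWiki's own code, the following Perl script places the revision sanitiser from the hotfix above beside the tightened version from the patch of 26.9.2005 and runs both over constructed inputs, to show which case the second patch closes:

```perl
#!/usr/bin/perl
# Added example, not code from TWiki or the quoted advisory: the revision
# sanitiser of the 12.9.2005 hotfix and the tightened one of 26.9.2005,
# side by side, applied to constructed inputs.
use strict;
use warnings;

# 12.9.2005 hotfix: pattern anchored at neither end, no /s modifier.
sub clean_rev_v1 {
    my ($rev) = @_;
    $rev =~ s/r?1\.//o;                              # cut 'r' and major
    $rev = "" unless ( $rev =~ s/.*?([0-9]+).*/$1/o );
    return $rev;
}

# 26.9.2005 hotfix: anchored with ^ and $, and /s so '.' also matches "\n".
sub clean_rev_v2 {
    my ($rev) = @_;
    $rev =~ s/^r?1\.//o;                             # cut 'r' and major
    $rev = "" unless ( $rev =~ s/^.*?([0-9]+).*$/$1/so );
    return $rev;
}

# Constructed inputs (assumptions for this example, not real requests).
my @inputs = (
    "r1.2",                  # well-formed rev, as view/rdiff receive it
    "2 |less /etc/group",    # the advisory's example path, URL-decoded
    "2\nmore text",          # a value with an embedded newline
    "11.3",                  # shows what anchoring 'r?1.' with ^ changes
    "",                      # rev parameter absent
);

# Only v2 reduces every input to a bare number or the empty string;
# v1 leaves the text after a newline in place, and that text would go on
# into the command line built by the backtick operator.
for my $in (@inputs) {
    my @out = ( $in, clean_rev_v1($in), clean_rev_v2($in) );
    s/\n/\\n/g for @out;                # make newlines visible when printed
    printf "%-24s v1=%-16s v2=%s\n", map { "'$_'" } @out;
}
```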

Security Patch (26.9.2005)

> * Patch for TWiki Production Release 01-Feb-2003:

--- lib/TWiki/Store.pm.orig2      Thu Sep  8 23:10:58 2005
+++ lib/TWiki/Store.pm    Tue Sep 20 17:19:49 2005
@@ -278,7 +278,9 @@
     my( $theWeb, $theTopic, $theRev ) = @_;
     my $topicHandler = _getTopicHandler( $theWeb, $theTopic );

-    $theRev =~ s/^1\.//o;
+    $theRev =~ s/^r?1\.//o;  # cut 'r' and major
+    # Fix for Codev.SecurityAlertExecuteCommandsWithInclude
+    $theRev = "" unless( $theRev =~ s/^.*?([0-9]+).*$/$1/so );
     return $topicHandler->getRevision( $theRev );
 }

@@ -288,7 +290,9 @@
    my ( $theWeb, $theTopic, $theAttachment, $theRev ) = @_;

    my $topicHandler = _getTopicHandler( $theWeb, $theTopic, $theAttachment );
-   $theRev =~ s/^1\.//o;
+   $theRev =~ s/^r?1\.//o;  # cut 'r' and major
+   # Fix for Codev.SecurityAlertExecuteCommandsWithInclude
+   $theRev = "" unless( $theRev =~ s/^.*?([0-9]+).*$/$1/so );
    return $topicHandler->getRevision( $theRev );
 }

@@ -352,9 +356,9 @@
         $theWebName = $TWiki::webName;
     }

-    $theRev =~ s/r?1\.//o;  # cut 'r' and major
+    $theRev =~ s/^r?1\.//o;  # cut 'r' and major
     # Fix for Codev.SecurityAlertExecuteCommandsWithRev
-    $theRev = "" unless( $theRev =~ s/.*?([0-9]+).*/$1/o );
+    $theRev = "" unless( $theRev =~ s/^.*?([0-9]+).*$/$1/so );

     $topicHandler = _getTopicHandler( $theWebName, $theTopic, $attachment ) if( ! $topicHandler );
     my( $rcsOut, $rev, $date, $user, $comment ) = $topicHandler->getRevisionInfo( $theRev );
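Review bot: this is the third copy of the same two-line sanitiser in Store.pm, with three more in bin/rdiff, bin/view and bin/viewfile below; move it into one helper (for instance a `_cleanRev( $rev )` that returns the bare revision number or "") and call that from every site, so the next tightening does not have to be repeated six times and the copies cannot drift apart.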
--- bin/rdiff.orig2 Thu Sep  8 23:18:05 2005
+++ bin/rdiff       Tue Sep 20 17:31:11 2005
@@ -156,8 +156,8 @@
         $rev1 =~ s/r?1\.//go;  # cut 'r' and major
         $rev2 =~ s/r?1\.//go;  # cut 'r' and major
         # Fix for Codev.SecurityAlertExecuteCommandsWithRev
-        $rev1 = $maxrev unless( $rev1 =~ s/.*?([0-9]+).*/$1/o );
-        $rev2 = $maxrev unless( $rev2 =~ s/.*?([0-9]+).*/$1/o );
+        $rev1 = $maxrev unless( $rev1 =~ s/^.*?([0-9]+).*$/$1/so );
+        $rev2 = $maxrev unless( $rev2 =~ s/^.*?([0-9]+).*$/$1/so );
         if( $rev1 < 1 )       { $rev1 = $maxrev; }
         if( $rev1 > $maxrev ) { $rev1 = $maxrev; }
         if( $rev2 < 1 )       { $rev2 = 1; }
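Review bot: the strips on the context lines `$rev1 =~ s/r?1\.//go` and `$rev2 =~ s/r?1\.//go` stay unanchored while Store.pm in this same patch gains `^r?1\.`; with `/g` every `1.` in the value is removed rather than only the major-version prefix, so `11.3` becomes `13` here but `11` in Store.pm. The numeric extraction that follows keeps the result harmless either way, but the two paths should agree; add the `^` anchor and drop `/g` here (the same applies to bin/view and bin/viewfile below).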
--- bin/view.orig2  Thu Sep  8 23:13:47 2005
+++ bin/view        Tue Sep 20 17:31:33 2005
@@ -124,7 +124,7 @@
         if( $rev ) {
             $rev =~ s/r?1\.//go;  # cut 'r' and major
             # Fix for Codev.SecurityAlertExecuteCommandsWithRev
-            $rev = $maxrev unless( $rev =~ s/.*?([0-9]+).*/$1/o );
+            $rev = $maxrev unless( $rev =~ s/^.*?([0-9]+).*$/$1/so );
             if( $rev < 1 )       { $rev = 1; }
             if( $rev > $maxrev ) { $rev = $maxrev; }
         } else {
--- bin/viewfile.orig2      Thu Sep  8 23:14:54 2005
+++ bin/viewfile    Tue Sep 20 17:31:54 2005
@@ -65,7 +65,7 @@
     my $rev = $query->param( 'rev' ) || "";
     $rev =~ s/r?1\.//o;  # cut 'r' and major
     # Fix for Codev.SecurityAlertExecuteCommandsWithRev
-    $rev = "" unless( $rev =~ s/.*?([0-9]+).*/$1/o );
+    $rev = "" unless( $rev =~ s/^.*?([0-9]+).*$/$1/so );
     my $topRev = &TWiki::Store::getRevisionNumber( $webName, $topic, $fileName );

     if( ( $rev ) && ( $rev ne $topRev ) ) {
