Configuration of TWiki
Main program
Plugins
- The following plugins should be present:
Patches
*** TWiki20030201/Search.pm 2004-11-12 12:11:52.000000000 -0800
--- ./Search.pm 2004-11-12 12:12:20.000000000 -0800
***************
*** 135,140 ****
--- 135,147 ----
my $tempVal = "";
my $tmpl = "";
my $topicCount = 0; # JohnTalintyre
+
+ # fix for Codev.SecurityAlertExecuteCommandsWithSearch
+ # vulnerability, search: "test_vulnerability '; ls -la'"
+ $theSearchVal =~ s/[\'\`]//g; # Filter ' and `
+ $theSearchVal =~ s/\@\(/\@\\\(/g; # Defuse @( ... )
+ $theSearchVal = substr($theSearchVal, 0, 200); # Limit string
+ length
+
my $originalSearch = $theSearchVal;
my $renameTopic;
my $renameWeb = "";
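Review bot: the filter added in this hunk is a blocklist that only strips `'` and `` ` `` and escapes `@(`; `$(`, `;`, `|`, `&`, `"` and newlines pass through untouched, so whether it stops command injection depends entirely on how `$theSearchVal` is quoted when the search command is assembled, which is not visible here. Handing the search term to grep through a list-form piped `open` (no shell involved) would not depend on that quoting at all, and a 200-character cap would still be a sensible addition. Separately, the added line `length` is the wrapped tail of the comment `# Limit string length`; applied as shown it becomes a stand-alone Perl statement (`length` of `$_`), so join it back onto the comment line before applying the patch.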
- The KoalaSkin needs the following patches:
Further issues
Data migration from Windows
- fromdos
- possibly the username does not match the one under which everything was stored in RCS (from Beat it comes as system, I write root, and the whole thing has to run as www-data; well, the script handles that now too :)))
- but that cannot be all yet !!!! (unfortunately)
- there is now a nice script that checks every file out and back in again ..... .... no, there are actually two scripts !! (one for data and one for pub)
- Oh yes.... the script of course writes everything into RCS !! So afterwards various files still have to be copied manually without going into RCS. Examples are:
- .notify
- .webstatistic (or something like that !)
- KoalaSkin files
- small images for the header lines
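As an added example (my own, not either of the two scripts mentioned above), here is a Perl script that does the two mechanical steps of that migration for one tree: it converts CRLF line endings to LF (what fromdos does) and checks every RCS-controlled file out and back in, so the newest revision is registered under whichever user runs it. It assumes RCS `co`/`ci` are on the PATH, that it runs as the web server user (www-data in the notes) with write access to the tree, and that the working file may be overwritten from the archive (`co -f`), since nothing outside RCS is supposed to live there. Files without a `,v` archive (`.notify`, skin files, images) are not touched and still have to be copied by hand, as the notes say.

```perl
#!/usr/bin/perl
# Added example, not the migration script referred to in the notes above.
# Re-registers every RCS-controlled file below a TWiki data/ or pub/ tree
# in the name of the user running this script, after converting the
# working file to LF line endings. Assumptions: RCS co/ci are on PATH, the
# script runs as the web server user (www-data in the notes) with write
# access, and the working file may be overwritten from the archive.
use strict;
use warnings;
use File::Find;

# Rewrite a file in place with CRLF turned into LF (what fromdos does).
# Returns the number of line endings converted.
sub strip_crlf {
    my ($path) = @_;
    open my $in, '<', $path or die "open $path: $!";
    binmode $in;
    my $data = do { local $/; <$in> };
    close $in;
    my $count = ($data =~ s/\r\n/\n/g) || 0;
    open my $out, '>', $path or die "write $path: $!";
    binmode $out;
    print {$out} $data;
    close $out or die "close $path: $!";
    return $count;
}

# Lock, normalise, and force a new revision (-f) so the newest revision's
# author becomes the current user even if the content did not change.
# Argument lists keep the shell out of it: a file name containing ';' or
# '|' stays a file name, unlike a string interpolated into backticks.
sub recheckin {
    my ($workfile) = @_;
    system('co', '-q', '-f', '-l', $workfile) == 0
        or return "co failed: $workfile";
    my $fixed = strip_crlf($workfile);
    system('ci', '-q', '-f', '-u', '-mre-checked in during migration', $workfile) == 0
        or return "ci failed: $workfile";
    return "ok ($fixed CRLF fixed): $workfile";
}

# Every "name,v" archive below $root yields the working file "name" next
# to it; files that have no archive are left alone.
sub migrate_tree {
    my ($root) = @_;
    my @report;
    find({ no_chdir => 1, wanted => sub {
        my $path = $File::Find::name;
        return unless -f $path && $path =~ /,v\z/;
        (my $workfile = $path) =~ s/,v\z//;
        push @report, recheckin($workfile);
    } }, $root);
    return @report;
}

if (@ARGV) {
    print "$_\n" for migrate_tree($ARGV[0]);
} else {
    print "usage: sudo -u www-data $0 /path/to/twiki/data\n";
}
```

Run it once for data and once for pub, as the web server user. A file whose archive is still locked by root (or root-owned and unwritable) shows up as `co failed` / `ci failed` in the report rather than aborting the whole run, so those can be fixed with chown and re-run.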
Security Patch (12.9.2005)
> ---++ Vulnerable Software Version
> * TWikiRelease02Sep2004 -- TWiki20040902.zip
> * TWikiRelease01Sep2004 -- TWiki20040901.zip
> * TWikiRelease01Feb2003 -- TWiki20030201.zip
> * TWikiRelease01Dec2001 -- TWiki20011201.zip
> * TWikiRelease01Dec2000 -- TWiki20001201.zip
> * (FYI, recent DakarReleases are not affected)
>
>
> ---++ Attack Vectors
>
> HTTP GET requests towards the Wiki server (typically port 80/TCP).
> Usually, no prior authentication is necessary.
>
> Possibly also HTTP POST, but this is untested.
>
>
> ---++ Impact
>
> An attacker is able to execute arbitrary shell commands with the
> privileges of the web server process, such as user nobody.
>
>
> ---++ Details
>
> The TWiki revision control function uses a user supplied URL
> parameter to compose a command line executed by the Perl backtick
> (``) operator.
>
> The URL parameter is not checked properly for shell metacharacters
> and is thus vulnerable to revision numbers containing pipes and
> shell commands. Exploit is possible on topics with 2 or more
> revisions.
>
> Example URL path with exploited rev parameter:
> /cgi-bin/view/Main/WebHome?rev=2%20%7Cless%20/etc/group
>
> If access to TWiki is not restricted by other means, attackers can
> use the revision function without prior authentication.
>
>
> ---++ Countermeasures
>
> * Apply hotfix (see patches below)
> * NOTE: The hotfix is known to prevent the current attacks,
> but it might not be a complete fix
> * Upgrade to the latest patched production TWikiRelease03Sep2004,
> http://twiki.org/swd/TWiki20040903.zip or
> http://twiki.org/swd/TWiki20040903.tar.gz
> * NOTE: If you are running TWikiRelease02Sep2004, simply copy
> the patched lib/TWiki/Store.pm, lib/TWiki/UI/RDiff.pm,
> lib/TWiki/UI/View.pm and lib/TWiki/UI/Viewfile.pm to your
> installation
> * Filter access to the web server
> * Use the web server software to restrict access to the web pages
> served by TWiki
>
>
> ---++ Authors and Credits
>
> * Credit to B4dP4nd4 (b4dp4nd4@gmail.com) for disclosing the issue
> to the twiki-security@lists.sourceforge.net mailing list
> * TWiki:Main.PeterThoeny, TWiki:CrawfordCurrie, TWiki:SvenDowideit
> for contributing to this advisory
> ---+++ Patch for TWiki Production Release 01-Feb-2003
>
> diff -u lib/TWiki/Store.pm.orig lib/TWiki/Store.pm
> --- lib/TWiki/Store.pm.orig Sat Jan 4 17:36:56 2003
> +++ lib/TWiki/Store.pm Thu Sep 8 23:10:58 2005
> @@ -351,9 +351,11 @@
> if( ! $theWebName ) {
> $theWebName = $TWiki::webName;
> }
>
> -
> - $theRev =~ s/^1\.//o;
>
> + $theRev =~ s/r?1\.//o; # cut 'r' and major
> + # Fix for Codev.SecurityAlertExecuteCommandsWithRev
> + $theRev = "" unless( $theRev =~ s/.*?([0-9]+).*/$1/o );
> +
> $topicHandler = _getTopicHandler( $theWebName,
> $theTopic, $attachment ) if( ! $topicHandler );
> my( $rcsOut, $rev, $date, $user, $comment ) =
> $topicHandler->getRevisionInfo( $theRev );
>
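Review bot: the new `$theRev = "" unless( $theRev =~ s/.*?([0-9]+).*/$1/o );` is neither anchored nor compiled with `/s`, so `.` stops at a newline and nothing forces the match to reach the end of the string: for a rev of `"2\nless /etc/group"` the match is just the `2`, the substitution succeeds, and the value is handed to `getRevisionInfo` exactly as it came in, newline and command included. Use `s/^.*?([0-9]+).*$/$1/so`, or simply reject anything that does not satisfy `/^\d+$/`, so the whole value is consumed. Also, `s/r?1\.//o` dropped the `^` that the removed `s/^1\.//o` had, so it now strips the first `1.` found anywhere in the string rather than only a leading major-version prefix.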
> diff -u bin/rdiff.orig bin/rdiff
> --- bin/rdiff.orig Sat Feb 1 00:57:32 2003
> +++ bin/rdiff Thu Sep 8 23:18:05 2005
> @@ -155,6 +155,9 @@
> if( ! $rev2 ) { $rev2 = 0; }
> $rev1 =~ s/r?1\.//go; # cut 'r' and major
> $rev2 =~ s/r?1\.//go; # cut 'r' and major
> + # Fix for Codev.SecurityAlertExecuteCommandsWithRev
> + $rev1 = $maxrev unless( $rev1 =~ s/.*?([0-9]+).*/$1/o );
> + $rev2 = $maxrev unless( $rev2 =~ s/.*?([0-9]+).*/$1/o );
> if( $rev1 < 1 ) { $rev1 = $maxrev; }
> if( $rev1 > $maxrev ) { $rev1 = $maxrev; }
> if( $rev2 < 1 ) { $rev2 = 1; }
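Review bot: same unanchored, newline-blind pattern as in the Store.pm hunk: `$rev1 =~ s/.*?([0-9]+).*/$1/o` succeeds on `"2\ncmd"` without removing the tail, and the `$rev1 < 1` / `$rev1 > $maxrev` comparisons that follow only look at the leading `2` (Perl numifies the prefix), so the unmodified string survives the range check. Anchor with `^`/`$` and `/s`. The fallback to `$maxrev` when no digit is found deserves a comment as well, since it silently turns a malformed value into a valid request instead of rejecting it.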
> diff -u bin/view.orig bin/view
> --- bin/view.orig Thu Jan 30 00:21:25 2003
> +++ bin/view Thu Sep 8 23:13:47 2005
> @@ -123,6 +123,8 @@
> writeDebug( "maxrev = $maxrev" );
> if( $rev ) {
> $rev =~ s/r?1\.//go; # cut 'r' and major
> + # Fix for Codev.SecurityAlertExecuteCommandsWithRev
> + $rev = $maxrev unless( $rev =~ s/.*?([0-9]+).*/$1/o );
> if( $rev < 1 ) { $rev = 1; }
> if( $rev > $maxrev ) { $rev = $maxrev; }
> } else {
> diff -u bin/viewfile.orig bin/viewfile
> --- bin/viewfile.orig Sun Jan 5 00:36:54 2003
> +++ bin/viewfile Thu Sep 8 23:14:54 2005
> @@ -63,6 +63,9 @@
> my $fileName = $query->param( 'filename' );
>
> my $rev = $query->param( 'rev' ) || "";
> + $rev =~ s/r?1\.//o; # cut 'r' and major
> + # Fix for Codev.SecurityAlertExecuteCommandsWithRev
> + $rev = "" unless( $rev =~ s/.*?([0-9]+).*/$1/o );
> my $topRev = &TWiki::Store::getRevisionNumber( $webName,
> $topic, $fileName );
>
> if( ( $rev ) && ( $rev ne $topRev ) ) {
>
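Review bot: besides the unanchored `s/.*?([0-9]+).*/$1/o` (same newline issue as in the other hunks of this patch), the guard `if( ( $rev ) && ( $rev ne $topRev ) )` compares the now digit-only `$rev` as a string with `$topRev`; if `getRevisionNumber` returns the `1.N` form that the preceding `s/r?1\.//o` strips from `$rev`, the two never compare equal and every explicit rev request takes the non-current path. Normalise both sides the same way before comparing, or compare numerically once `$rev` is guaranteed to be digits.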
Security Patch (26.9.2005)
> * Patch for TWiki Production Release 01-Feb-2003:
--- lib/TWiki/Store.pm.orig2 Thu Sep 8 23:10:58 2005
+++ lib/TWiki/Store.pm Tue Sep 20 17:19:49 2005
@@ -278,7 +278,9 @@
my( $theWeb, $theTopic, $theRev ) = @_;
my $topicHandler = _getTopicHandler( $theWeb, $theTopic );
- $theRev =~ s/^1\.//o;
+ $theRev =~ s/^r?1\.//o; # cut 'r' and major
+ # Fix for Codev.SecurityAlertExecuteCommandsWithInclude
+ $theRev = "" unless( $theRev =~ s/^.*?([0-9]+).*$/$1/so );
return $topicHandler->getRevision( $theRev );
}
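Review bot: the sanitiser here has no range check, unlike the `bin/view` and `bin/rdiff` hunks that clamp to `1..$maxrev`: `0`, `1.0` and `r1.0` all pass the digit filter as `"0"` and reach `$topicHandler->getRevision( "0" )`, and the empty-string case (`$theRev = ""`) is passed through as well. State in a comment what the handler does with `""` and `0`, or clamp here too.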
@@ -288,7 +290,9 @@
my ( $theWeb, $theTopic, $theAttachment, $theRev ) = @_;
my $topicHandler = _getTopicHandler( $theWeb, $theTopic, $theAttachment );
- $theRev =~ s/^1\.//o;
+ $theRev =~ s/^r?1\.//o; # cut 'r' and major
+ # Fix for Codev.SecurityAlertExecuteCommandsWithInclude
+ $theRev = "" unless( $theRev =~ s/^.*?([0-9]+).*$/$1/so );
return $topicHandler->getRevision( $theRev );
}
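Review bot: this is the third copy of the two-line sanitiser in Store.pm alone, and bin/rdiff, bin/view and bin/viewfile carry four more; the 12-Sep hotfix already had to be corrected in every copy once. Put it in one helper in Store.pm (something like `_cleanRevision( $rev )`, name suggested here) and call it from all seven places so the next correction is a single edit.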
@@ -352,9 +356,9 @@
$theWebName = $TWiki::webName;
}
- $theRev =~ s/r?1\.//o; # cut 'r' and major
+ $theRev =~ s/^r?1\.//o; # cut 'r' and major
# Fix for Codev.SecurityAlertExecuteCommandsWithRev
- $theRev = "" unless( $theRev =~ s/.*?([0-9]+).*/$1/o );
+ $theRev = "" unless( $theRev =~ s/^.*?([0-9]+).*$/$1/so );
$topicHandler = _getTopicHandler( $theWebName, $theTopic, $attachment ) if( ! $topicHandler );
my( $rcsOut, $rev, $date, $user, $comment ) = $topicHandler->getRevisionInfo( $theRev );
--- bin/rdiff.orig2 Thu Sep 8 23:18:05 2005
+++ bin/rdiff Tue Sep 20 17:31:11 2005
@@ -156,8 +156,8 @@
$rev1 =~ s/r?1\.//go; # cut 'r' and major
$rev2 =~ s/r?1\.//go; # cut 'r' and major
# Fix for Codev.SecurityAlertExecuteCommandsWithRev
- $rev1 = $maxrev unless( $rev1 =~ s/.*?([0-9]+).*/$1/o );
- $rev2 = $maxrev unless( $rev2 =~ s/.*?([0-9]+).*/$1/o );
+ $rev1 = $maxrev unless( $rev1 =~ s/^.*?([0-9]+).*$/$1/so );
+ $rev2 = $maxrev unless( $rev2 =~ s/^.*?([0-9]+).*$/$1/so );
if( $rev1 < 1 ) { $rev1 = $maxrev; }
if( $rev1 > $maxrev ) { $rev1 = $maxrev; }
if( $rev2 < 1 ) { $rev2 = 1; }
--- bin/view.orig2 Thu Sep 8 23:13:47 2005
+++ bin/view Tue Sep 20 17:31:33 2005
@@ -124,7 +124,7 @@
if( $rev ) {
$rev =~ s/r?1\.//go; # cut 'r' and major
# Fix for Codev.SecurityAlertExecuteCommandsWithRev
- $rev = $maxrev unless( $rev =~ s/.*?([0-9]+).*/$1/o );
+ $rev = $maxrev unless( $rev =~ s/^.*?([0-9]+).*$/$1/so );
if( $rev < 1 ) { $rev = 1; }
if( $rev > $maxrev ) { $rev = $maxrev; }
} else {
--- bin/viewfile.orig2 Thu Sep 8 23:14:54 2005
+++ bin/viewfile Tue Sep 20 17:31:54 2005
@@ -65,7 +65,7 @@
my $rev = $query->param( 'rev' ) || "";
$rev =~ s/r?1\.//o; # cut 'r' and major
# Fix for Codev.SecurityAlertExecuteCommandsWithRev
- $rev = "" unless( $rev =~ s/.*?([0-9]+).*/$1/o );
+ $rev = "" unless( $rev =~ s/^.*?([0-9]+).*$/$1/so );
my $topRev = &TWiki::Store::getRevisionNumber( $webName, $topic, $fileName );
if( ( $rev ) && ( $rev ne $topRev ) ) {
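To see why the 20-Sep revision of the patch re-anchors the pattern, here is an added example (my own, not TWiki code) that runs the substitution from the 12-Sep hotfix and the one from the 26-Sep patch side by side (copied without the `/o` modifier, which only affects recompilation), together with an allowlist variant of my own using `\A`/`\z`, over the advisory's `2 |less /etc/group` payload and a newline-split variant. The `rcs_command_for` function and its `co -q -p1.$rev ...` command line are assumptions standing in for the backtick command the advisory describes; the string is only built, never executed.

```perl
#!/usr/bin/perl
# Added example, not TWiki code: the rev sanitiser from the 12-Sep-2005
# hotfix, the re-anchored one from the 26-Sep-2005 patch, and an
# allowlist alternative, run over the advisory's payload.
use strict;
use warnings;

# 12-Sep hotfix: unanchored, and without /s the '.' never crosses a newline,
# so the match can end before the string does and the tail survives.
sub clean_rev_hotfix {
    my ($rev) = @_;
    $rev =~ s/r?1\.//;                         # cut 'r' and major
    return "" unless $rev =~ s/.*?([0-9]+).*/$1/;
    return $rev;
}

# 26-Sep patch: ^ and $ make the match cover the whole string and /s lets
# '.' consume newlines, so only the first run of digits is left.
sub clean_rev_revised {
    my ($rev) = @_;
    $rev =~ s/^r?1\.//;                        # cut 'r' and major
    return "" unless $rev =~ s/^.*?([0-9]+).*$/$1/s;
    return $rev;
}

# Allowlist (my suggestion, not from the patches): optional "r1." prefix,
# then digits, nothing else. \A and \z also reject a trailing newline,
# which $ alone would tolerate.
sub clean_rev_allowlist {
    my ($rev) = @_;
    return $rev =~ /\A(?:r?1\.)?([0-9]{1,9})\z/ ? $1 : "";
}

# Shape of the call the advisory describes: the rev is interpolated into a
# command line later run with backticks. Command name and arguments are
# assumptions; the string is only built here, never executed.
sub rcs_command_for {
    my ($rev) = @_;
    return "co -q -p1.$rev data/Main/WebHome.txt,v";
}

my @inputs = (
    "2",
    "r1.2",
    "2 |less /etc/group",      # the advisory's payload, URL-decoded
    "2\nless /etc/group",      # same idea behind a newline, which sh treats like ';'
    "|less /etc/group",        # no digits at all
);

# Make embedded newlines visible in the table.
sub show { my $s = shift; $s =~ s/\n/\\n/g; return $s }

printf "%-22s %-22s %-8s %-9s\n", 'input', 'hotfix', 'revised', 'allowlist';
for my $in (@inputs) {
    printf "%-22s %-22s %-8s %-9s\n",
        show($in), show(clean_rev_hotfix($in)),
        show(clean_rev_revised($in)), show(clean_rev_allowlist($in));
}

print "\nCommand the hotfix would still build from the newline payload:\n";
print show(rcs_command_for(clean_rev_hotfix($inputs[3]))), "\n";
```

Run with `perl rev_sanitizers.pl`. The hotfix column maps the advisory's space-separated payload to a harmless `2` (which is why it was "known to prevent the current attacks") but leaves `2\nless /etc/group` untouched, because `.` stops at the newline and nothing forces the match to reach the end of the string; the revised column reduces both to `2`; the allowlist rejects both outright, which is the behaviour to prefer when the value only ever needs to be an integer.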