0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
TWiki 5.1.2 Command Execution Vulnerability
[This security advisory alerts you of a potential security issue with
TWiki installations:
The %MAKETEXT{}% TWiki variable allows arbitrary shell command
execution. The problem is caused by an underlying security issue in
the Locale::Maketext CPAN module.
* Vulnerable Software Version
* Attack Vectors
* Impact
* Severity Level
* MITRE Name for this Vulnerability
* Details
* Countermeasures
* Hotfix for TWiki Production Releases 5.1.x
* Hotfix for older affected TWiki Releases
* Authors and Credits
* Action Plan with Timeline
* External Links
* Feedback
---++ Vulnerable Software Version
* TWiki-5.1.0 to TWiki-5.1.2 (TWikiRelease05x01x00 to
TWikiRelease05x01x02)
* TWiki-5.0.x (TWikiRelease05x00x00 to TWikiRelease05x00x02)
* TWiki-4.3.x (TWikiRelease04x03x00 to TWikiRelease04x03x02)
* TWiki-4.2.x (TWikiRelease04x02x00 to TWikiRelease04x02x04)
* TWiki-4.1.x (TWikiRelease04x01x00 to TWikiRelease04x01x02)
* TWiki-4.0.x (TWikiRelease04x00x00 to TWikiRelease04x00x05)
---++ Attack Vectors
Editing wiki pages and HTTP POST requests towards a TWiki server with
enabled localization (typically port 80/TCP). Typically, prior
authentication is necessary.
---++ Impact
An unauthenticated remote attacker can execute arbitrary shell
commands as the webserver user, such as user nobody.
---++ Severity Level
The TWiki SecurityTeam triaged this issue as documented in
TWikiSecurityAlertProcess [1] and assigned the following severity level:
* Severity 1 issue: The web server can be compromised
---++ MITRE Name for this Vulnerability
The Common Vulnerabilities and Exposures project has assigned the name
CVE-2012-6329 [7] to this vulnerability.
---++ Details
1. Shell Command execution: The %MAKETEXT{}% TWiki variable is used to
localize user interface content to a language of choice. Using a
specially crafted MAKETEXT, a malicious user can execute shell
commands by Perl backtick (``) operators. User input is passed to the
Perl "eval" command without first being sanitized. The problem is
caused by an underlying security issue in the Locale::Maketext CPAN
module. This works only in TWiki sites that have user interface
localization enabled.
In addition, there are two less severe issues with MAKETEXT:
2. Excessive memory allocation: %MAKETEXT{"This is [_9999999999999999]
Evil"}% will consume all memory and swap space attempting to
initialize all missing entries in the parameters array.
3. Crash: %MAKETEXT{"This is [_0] problematic"}% can cause a crash
under some circumstances.
---++ Countermeasures
* One of:
* Disable localization by setting configure flag
{UserInterfaceInternationalisation} to 0.
* Apply hotfix (see patch below).
* Upgrade to the latest patched production release TWiki-5.1.3
(TWikiRelease05x01x03) [2] when available.
* In addition:
* Install CPAN's Locale::Maketext version 1.23 or newer.
* Use the {SafeEnvPath} configure setting to restrict the possible
directories that are searched for executables. By default, this is
the PATH used by the webserver user. Set {SafeEnvPath} to a list of
non-writable directories, such as "/bin:/usr/bin".
---++ Hotfix for TWiki Production Release 5.1.x
Affected file: twiki/lib/TWiki.pm
Patch to sanitize MAKETEXT parameters:
=======( CUT 8><--- )===============================================
--- TWiki.pm (revision 24029)
+++ TWiki.pm (working copy)
@@ -4329,8 +4329,23 @@
# unescape parameters and calculate highest parameter number:
my $max = 0;
- $str =~ s/~\[(\_(\d+))~\]/ $max = $2 if ($2 > $max); "[$1]"/ge;
- $str =~ s/~\[(\*,\_(\d+),[^,]+(,([^,]+))?)~\]/ $max = $2 if ($2 >
$max); "[$1]"/ge;
+ my $min = 1;
+ $str =~ s/~\[(\_(\d+))~\]/
+ $max = $2 if ($2 > $max);
+ $min = $2 if ($2 < $min);
+ "[$1]"/ge;
+ $str =~ s/~\[(\*,\_(\d+),[^,]+(,([^,]+))?)~\]/
+ $max = $2 if ($2 > $max);
+ $min = $2 if ($2 < $min);
+ "[$1]"/ge;
+
+ # Item7080: Sanitize MAKETEXT variable:
+ return "MAKETEXT error: No more than 32 parameters are allowed"
if( $max > 32 );
+ return "MAKETEXT error: Parameter 0 is not allowed" if( $min < 1 );
+ if( $TWiki::cfg{UserInterfaceInternationalisation} ) {
+ eval { require Locale::Maketext; };
+ $str =~ s#\\#\\\\#g if( $@ || !$@ &&
$Locale::Maketext::VERSION < 1.23 );
+ }
# get the args to be interpolated.
my $argsStr = $params->{args} || "";
=======( CUT 8><--- )===============================================
This patch is also available separately [3] in case this gets mangled
by the e-mail.
On a properly patched system, %MAKETEXT{" [_99] "}% should return this
error: "MAKETEXT error: No more than 32 parameters are allowed"
---++ Hotfix for older affected TWiki Releases
Apply above patch (line numbers may vary).
---++ Authors and Credits
* Credit to TWiki:Main.GeorgeClark for disclosing the issue to the twiki-security@lists.sourceforge.net
mailing list, and for providing a proposed fix.
* TWiki:Main.PeterThoeny for creating the fix, patch and advisory.
---++ Action Plan with Timeline
* 2012-12-10: User discloses issue to TWikiSecurityMailingList [4],
George Clark, Foswiki
* 2012-12-10: Developer verifies issue, Peter Thoeny
* 2012-12-10: Developer fixes code, Peter Thoeny
* 2012-12-10: Security team creates advisory with hotfix, Peter Thoeny
* 2012-12-11: Developer verifies patch, Hideyo Imazu
* 2012-12-12: Send alert to TWikiAnnounceMailingList [5] and
TWikiDevMailingList [6], Peter Thoeny
* 2012-12-14: Publish advisory in Codev web and update all related
topics, Peter Thoeny
* 2012-12-14: Issue a public security advisory to full-
disclosure[at]lists.grok.org.uk, cert[at]cert.org,
vuln[at]secunia.com, bugs[at]securitytracker.com, Peter Thoeny
---++ External Links
[1]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess
[2]: http://twiki.org/cgi-bin/view/Codev/TWikiRelease05x01x03
[3]: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2012-6329
[4]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityMailingList
[5]: http://twiki.org/cgi-bin/view/Codev/TWikiAnnounceMailingList
[6]: http://twiki.org/cgi-bin/view/Codev/TWikiDevMailingList
[7]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6329 - CVE
on MITRE.org
---++ Feedback
Please provide feedback at the security alert topic,
http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2012-6329
-- Main.PeterThoeny - 2012-12-14
--
* Peter Thoeny - peter09[at]thoeny.org
* http://TWiki.org - is your team already TWiki enabled?
* Knowledge cannot be managed, it can be discovered and shared
* This e-mail is: (_) private (x) ask first (_) public
# 0day.today [2024-11-16] #