=====================================================================
CERT-Renater Information Note No. 2008/VULN348
_____________________________________________________________________
DATE                 : 15/09/2008
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running TWiki.
======================================================================

http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2008-3195
______________________________________________________________________

Security Alert: Arbitrary code execution in session files (CVE-2008-3195)

This advisory alerts you to a potential security issue with your TWiki
installation: remote attackers are able to read arbitrary files, or even
execute commands as the web server user. Please read the details below to
find out whether you are vulnerable.

  * Vulnerable Software Version
  * Attack Vectors
  * Impact
  * Severity Level
  * MITRE Name for this Vulnerability
  * Details
  * Countermeasures
  * Hotfix for TWiki 4.x
  * Hotfix for older TWiki versions
  * Authors and Credits
  * Action Plan with Timeline
  * External Links
  * Discussions

Vulnerable Software Version

  * TWikiRelease04x02x02 -- TWiki-4.2.2.zip
  * TWikiRelease04x02x01 -- TWiki-4.2.1.zip
  * TWikiRelease04x02x00 -- TWiki-4.2.0.zip
  * TWikiRelease04x01x02 -- TWiki-4.1.2.zip
  * TWikiRelease04x01x01 -- TWiki-4.1.1.zip
  * TWikiRelease04x01x00 -- TWiki-4.1.0.zip
  * TWikiRelease04x00x05 -- TWiki-4.0.5.zip
  * TWikiRelease04x00x04 -- TWiki-4.0.4.zip
  * TWikiRelease04x00x03 -- TWiki-4.0.3.zip
  * TWikiRelease04x00x02 -- TWiki-4.0.2.zip
  * TWikiRelease04x00x01 -- TWiki-4.0.1.zip
  * TWikiRelease04x00x00 -- TWiki-4.0.0.zip

Attack Vectors

To exploit the bug, an attacker only needs to set the "image" parameter of
the configure script to the path of the file to read. The file is returned
if the web server process has permission to read it.
For example, to display the content of "/etc/passwd", request:

  http://www.examplo.org/{PATH}/bin/configure?action=image;image=../../../../../../etc/passwd;type=text/plain

Impact

If an attacker can reach the configure script, it is possible to read and
execute files with the privileges of the web server process (for example
the user "nobody").

Severity Level

The TWiki SecurityTeam triaged this issue as documented in
TWikiSecurityAlertProcess and assigned the following severity level:

  * Severity 1 issue: The web server can be compromised

MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name
CVE-2008-3195 to this vulnerability.

Details

Your site may be vulnerable if:

  1. you run one of the vulnerable TWiki versions, and
  2. you have not secured your configure script as described in the
     TWikiInstallationGuide.

Countermeasures

  * Restrict access to the configure script (recommended)
  * Upgrade to TWikiRelease04x02x03 -- TWiki-4.2.3.zip (recommended)
  * Apply a hotfix indicated below.

Hotfix for TWiki 4.x

The flaw is in the configure script, so it can be fixed by replacing that
file in your twiki/bin directory with the configure script attached to the
TWikiRelease04x02x03 topic.

Hotfix for older TWiki versions

Countermeasures:

  * Secure your configure script as described in section 8 of the
    TWikiInstallationGuide
  * Upgrade to TWikiRelease04x02x03
  * Apply the appropriate hotfix:
      o configure-4.0.6: the hotfix for the TWiki 4.0.x configure script;
        copy it over the existing script in your twiki/bin directory.
      o configure-4.1.3: the hotfix for the TWiki 4.1.x configure script;
        copy it over the existing script in your twiki/bin directory.
      o configure-4.2.3: the hotfix for the TWiki 4.2.x configure script;
        copy it over the existing script in your twiki/bin directory.
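The traversal described above and a check for it, as an added example that is not part of the original advisory or of TWiki's own code: a Python model of the unchecked path join in the configure "image" action beside a hardened resolver that confines the result to the image directory, and a detector that flags the attack pattern in Apache access log lines, including percent-encoded ".." which a plain string search for "../" would miss. The directory /srv/twiki/pub, the log lines and the client addresses are constructed for the example; TWiki's actual configure script is Perl and its real file handling is not reproduced here.

```python
"""Added example (not TWiki's code): model of the CVE-2008-3195 traversal,
a hardened path resolver, and a detector for the attack in access logs.
All paths, addresses and log lines below are constructed."""
import os
import re
from urllib.parse import unquote, urlsplit


def naive_image_path(pub_dir, image):
    """Model of the vulnerable behaviour: the 'image' parameter is appended
    to the image directory without any check, so '../../etc/passwd' escapes
    it. (Illustrative model, not the original Perl code.)"""
    return os.path.normpath(os.path.join(pub_dir, image))


def safe_image_path(pub_dir, image):
    """Hardened resolver: canonicalise and require the result to stay inside
    pub_dir. Returns the resolved path, or None if the request escapes it."""
    base = os.path.realpath(pub_dir)
    target = os.path.realpath(os.path.join(base, image))
    # commonpath avoids the '/srv/pub' vs '/srv/pubfoo' prefix mistake.
    if os.path.commonpath([base, target]) != base:
        return None
    return target


# Constructed Apache combined-format lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [15/Sep/2008:10:02:11 +0200] "GET /twiki/bin/view/Main/WebHome HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Sep/2008:10:02:40 +0200] "GET /twiki/bin/configure?action=image;image=../../../../../../etc/passwd;type=text/plain HTTP/1.1" 200 1804 "-" "curl/7.18.2"
198.51.100.9 - - [15/Sep/2008:10:03:02 +0200] "GET /twiki/bin/configure?action=image;image=%2e%2e/%2e%2e/%2e%2e/etc/shadow;type=text/plain HTTP/1.1" 403 287 "-" "curl/7.18.2"
203.0.113.7 - - [15/Sep/2008:10:03:30 +0200] "GET /twiki/bin/configure?action=image;image=logos/twiki.gif;type=image/gif HTTP/1.1" 200 2123 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_query(query):
    """TWiki separates parameters with ';' as well as '&'; decode each value
    once so %2e%2e becomes '..' before the traversal check."""
    params = {}
    for part in re.split(r"[;&]", query):
        if "=" in part:
            key, value = part.split("=", 1)
            params[key] = unquote(value)
    return params


def is_traversal(image):
    """True if the image value climbs out with a '..' segment or is absolute."""
    segments = image.replace("\\", "/").split("/")
    return ".." in segments or image.startswith("/")


def find_configure_traversal(log_text):
    """Return one record per request that hits bin/configure?action=image with
    a traversing 'image' value. A 200 status means the server served the file;
    a 403 means access to configure was restricted and the attempt failed."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/bin/configure"):
            continue
        params = parse_query(url.query)
        image = params.get("image", "")
        if params.get("action") == "image" and is_traversal(image):
            hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                         "image": image, "status": m.group("status")})
    return hits


if __name__ == "__main__":
    for hit in find_configure_traversal(SAMPLE_LOG):
        print(hit)
```

Run the detector over the real access log of any host that exposed bin/configure during the vulnerable window; a hit with status 200 means the file named in "image" was disclosed and the host should be treated as compromised, in line with the Severity 1 rating above.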
Authors and Credits

  * Credit to Sven, Vicki, David, Michael for disclosing the issue to the
    twiki-security mailing list
  * Colas, Crawford, Sven for creating the hotfix
  * ** for creating the advisory

======================================================================
=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44        +
+ 151 bd de l'Hopital   | fax : 01-53-94-20-41        +
+ 75013 Paris           | email: certsvp@renater.fr   +
=========================================================