|
Brought to you by:
Suppliers of:
|
|
|
| |
| TWiki is "a web based collaboration platform". Due to insufficient parsing in the TWiki's search engine a remote attackers can cause the program to execute arbitrary code. |
| |
Credit:
The information has been provided by Hans Ulrich Niedermann.
|
| |
The TWiki search function uses a user supplied search string to compose a command line executed by the Perl backtick (``) operator.
The search string is not checked properly for shell metacharacters and is thus vulnerable to search string containing quotes and shell commands.
An example search string would be:
doesnotexist1'; (uname -a; id) | sed 's/\(.*\)/__BEGIN__\1__END__.txt/'; fgrep -i -l -- 'doesnotexist2
If access to the Wiki is not restricted by other means, attackers can use the search function without prior authentication.
As indicated in the source code, the software authors were aware that the way they worked around Perl's taint check is insecure. Users of TWiki should reconsider if the software can meet their security requirements, given such gross negligence.
Impact:
An attacker is able to execute arbitrary shell commands with the privileges of the TWiki process.
Unofficial patch:
--- twiki/lib/TWiki/Search.pm.orig 2004-11-12 20:16:56.000000000 +0100
+++ twiki/lib/TWiki/Search.pm 2004-11-12 20:36:21.000000000 +0100
@@ -135,6 +135,11 @@
my $tempVal = "";
my $tmpl = "";
my $topicCount = 0; # JohnTalintyre
+
+ # Hotfix for search string shell code insertion vulnerability
+ $theSearchVal =~ s/[^A-Za-z0-9+\-_]//g; # only accept known-good chars
+ $theSearchVal = substr($theSearchVal, 0, 100); # limit string to reasonable length
+
my $originalSearch = $theSearchVal;
my $renameTopic;
my $renameWeb = "";
Disclosure timeline:
early October 2004 earliest confirmed attack
2004-11-12 forensics revealed exploit, vendor contact, vendor responded, with less conservative hotfix
2004-11-13 uncoordinated emergency disclosure
|
|
|
|
|
