Remote Perl code execution with query string to debug TWiki plugins

admin, 2021-04-02 20:25:48

Affected versions:

* TWiki-6.0.0 (TWikiRelease06x00x00)
* TWiki-5.1.x (TWikiRelease05x01x00 to TWikiRelease05x01x04)
* TWiki-5.0.x (TWikiRelease05x00x00 to TWikiRelease05x00x02)
* TWiki-4.3.x (TWikiRelease04x03x00 to TWikiRelease04x03x02)
* TWiki-4.2.x (TWikiRelease04x02x00 to TWikiRelease04x02x04)
* TWiki-4.1.x (TWikiRelease04x01x00 to TWikiRelease04x01x02)
* TWiki-4.0.x (TWikiRelease04x00x00 to TWikiRelease04x00x05)

Test method:

http://www.example.com/do/view/Main/WebHome?debugenableplugins=BackupRestorePlugin%3bprint("Content-Type:text/html\r\n\r\nVulnerable!")%3bexit

Fix:

Sanitize the 'debugenableplugins' parameter in twiki/lib/TWiki/Plugins.pm (the patch is reproduced in the advisory below).

Source: http://seclists.org/fulldisclosure/2014/Oct/44


TWiki Security Alert CVE-2014-7236: Remote Perl code execution with query string to debug TWiki plugins

From: Peter Thoeny

Date: Thu, 9 Oct 2014 07:26:56 -0700

This is an advisory for TWiki administrators: The debugenableplugins request parameter allows arbitrary Perl code
execution.
TWiki ( http://twiki.org ) is an Open Source Enterprise Wiki and Web Application Platform used by millions of people.
   * Vulnerable Software Version
   * Attack Vectors
   * Impact
   * Severity Level
   * MITRE Name for this Vulnerability
   * Details
   * Countermeasures
   * Hotfix for TWiki Production Release 6.0.0
   * Hotfix for Older Affected TWiki Releases
   * Verify Hotfix
   * Authors and Credits
   * Action Plan with Timeline
   * External Links
   * Feedback
---++ Vulnerable Software Version
   * TWiki-6.0.0 (TWikiRelease06x00x00)
   * TWiki-5.1.x (TWikiRelease05x01x00 to TWikiRelease05x01x04)
   * TWiki-5.0.x (TWikiRelease05x00x00 to TWikiRelease05x00x02)
   * TWiki-4.3.x (TWikiRelease04x03x00 to TWikiRelease04x03x02)
   * TWiki-4.2.x (TWikiRelease04x02x00 to TWikiRelease04x02x04)
   * TWiki-4.1.x (TWikiRelease04x01x00 to TWikiRelease04x01x02)
   * TWiki-4.0.x (TWikiRelease04x00x00 to TWikiRelease04x00x05)
---++ Attack Vectors
Using an HTTP GET request towards a TWiki server, add a specially crafted 'debugenableplugins' request parameter to
TWiki's view script (typically port 80/TCP). Prior authentication may or may not be necessary.
---++ Impact
A remote attacker can execute arbitrary Perl code to view and modify any file the webserver user has access to.
---++ Severity Level
The TWiki SecurityTeam triaged this issue as documented in TWikiSecurityAlertProcess [1] and assigned the following
severity level:
   * Severity 1 issue: The web server can be compromised
---++ MITRE Name for this Vulnerability
The Common Vulnerabilities and Exposures project has assigned the name CVE-2014-7236 [7] to this vulnerability.
---++ Details
It is possible to execute arbitrary Perl code by adding a =debugenableplugins= parameter with a specially crafted
value. Example:
http://www.example.com/do/view/Main/WebHome?debugenableplugins=BackupRestorePlugin%3bprint("Content-Type:text/html\r\n\r\nVulnerable!")%3bexit
The TWiki site is vulnerable if you see a page with text "Vulnerable!".
__Background:__
TWiki allows enabling specific plugins for debug purposes using a 'debugenableplugins' parameter that lists the plugins
to enable. In order to support this dynamic loading of plugins, TWiki inserts the plugin name into the following Perl
=eval= statement without sanitizing the plugin name:

my $p = $this->{module};   # plugin name, taken from the request parameter unchanged
eval "use $p;";            # string eval: $p becomes Perl source, so ';' ends the use statement
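The following Perl script is an added example, not TWiki's own code: it reproduces the sanitiser from the hotfix below, sets a stricter reject-instead-of-strip check beside it, and loads the plugin by file path inside a block eval so the name is never interpolated into Perl source. `valid_plugin_name`, `load_plugin` and the sample inputs are assumptions made here.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example (not TWiki code). Mirrors the hotfix: split the parameter,
# drop every character that is not alphanumeric, keep only names that end
# in "Plugin".
sub sanitize_plugin_list {
    my ($param) = @_;
    return grep { /Plugin$/ }
           map  { (my $n = $_) =~ s/[^a-zA-Z0-9]//g; $n }
           split /[,\s]+/, $param;
}

# Stricter policy (an assumption, not part of the patch): reject a name
# outright instead of silently stripping characters out of it.
sub valid_plugin_name {
    my ($name) = @_;
    return $name =~ /\A[A-Za-z][A-Za-z0-9]*Plugin\z/ ? 1 : 0;
}

# Hypothetical loader: validate first, then require by file path inside a
# block eval, so the name never reaches a string eval such as "use $p;".
sub load_plugin {
    my ($name) = @_;
    return 0 unless valid_plugin_name($name);
    my $file = "TWiki/Plugins/$name.pm";
    return eval { require $file; 1 } ? 1 : 0;
}

# Constructed inputs: the advisory's proof-of-concept value after URL
# decoding (single quotes keep the backslashes literal, as the request
# parameter does) and an ordinary comma-separated plugin list.
my $poc  = 'BackupRestorePlugin;print("Content-Type:text/html\r\n\r\nVulnerable!");exit';
my $list = 'BackupRestorePlugin, ChartPlugin';

# The PoC collapses into one token that no longer ends in "Plugin", so the
# sanitiser yields an empty list and nothing is loaded.
die "PoC was not neutralised\n" if sanitize_plugin_list($poc);

my @ok = sanitize_plugin_list($list);
die "expected two plugin names\n" unless "@ok" eq 'BackupRestorePlugin ChartPlugin';

# Caveat of the strip approach: 'Back::upPlugin' becomes 'BackupPlugin' and
# passes, whereas the strict check refuses it.
my ($stripped) = sanitize_plugin_list('Back::upPlugin');
die "unexpected strip result\n" unless $stripped eq 'BackupPlugin';
die "strict check should reject\n" if valid_plugin_name('Back::upPlugin');

printf "ChartPlugin loaded: %d (0 unless the module is installed)\n", load_plugin('ChartPlugin');
```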

---++ Countermeasures
   * Apply hotfix (see patch below).
   * Upgrade to the latest patched production release TWiki-6.0.1 (TWikiRelease06x00x01) [2]
---++ Hotfix for TWiki Production Release 6.0.0
Apply the patch listed in the TWiki bug item at TWikibug:Item7558 [8]. The patch is also listed here, but due to
whitespace changes in e-mail it is not recommended to use the patch below.
NOTE: In case you use a Perl accelerator make sure to clear the script cache. For example, in case of SpeedyCGI remove
the speedy cache (tmp/speedy.*) before restarting Apache.
Affected file: twiki/lib/TWiki/Plugins.pm
Patch to sanitize the 'debugenableplugins' parameter:
=======( 8< )=======
param( 'debugenableplugins' ))) {
-            @pluginList = split( /[,s]+/,
-                                 $query->param( 'debugenableplugins' ));
+            @pluginList =
+              grep { /Plugin$/ }
+              map { s/[^a-zA-Z0-9]//go; $_ } # Item7558: Sanitize parameter
+              split( /[,s]+/, $query->param( 'debugenableplugins' ));
+
         } else {
             if( $TWiki::cfg{PluginsOrder} ) {
                 foreach my $plugin( split( /[,s]+/,
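Review bot: the added `map { s/[^a-zA-Z0-9]//go; $_ }` line strips offending characters instead of rejecting the token, so a value such as `Back::upPlugin` silently becomes `BackupPlugin` and is then accepted by `grep { /Plugin$/ }`; rejecting any token that does not already match `/^[A-Za-z0-9]+Plugin$/` would be clearer and would never load a plugin the caller did not literally name. The `/o` modifier is unnecessary on a constant pattern. As reproduced in this e-mail, the split pattern on both the removed and the added lines reads `/[,s]+/`, which splits on commas and the letter "s" rather than on whitespace; this is exactly why the advisory says above not to apply the mailed copy, so take the patch from the bug item. Finally, the hunk guards only this caller: the `eval "use $p;"` in the loader still trusts whatever ends up in `{module}`, so validating the name at the eval site as well would close the same bug for any other code path that sets it.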
=======( 8< )=======
[1]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess
[2]: http://twiki.org/cgi-bin/view/Codev/TWikiRelease06x00x01
[3]: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236 (will be created on 2014-10-09)
[4]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityMailingList
[5]: http://twiki.org/cgi-bin/view/Codev/TWikiAnnounceMailingList
[6]: http://twiki.org/cgi-bin/view/Codev/TWikiDevMailingList
[7]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7236 - CVE on MITRE.org
[8]: http://develop.twiki.org/~twiki4/cgi-bin/view/Bugs/Item7558
---++ Feedback
Please provide feedback at the security alert topic, http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236 once it exists (this topic will be created on Mon, 2014-10-09).
Please send an e-mail to twiki-security () lists sourceforge net if you have any questions before Monday.
-- Peter Thoeny - 2014-10-09
--
Peter Thoeny     - Peter09[at]Thoeny.org http://bit.ly/MrTWiki - consulting on enterprise collaboration http://TWiki.org - is your team already TWiki enabled?
Knowledge cannot be managed, it can be discovered and shared
This e-mail is:   (_) private    (_) ask first    (x) public
_______________________________________________
Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/ 

Comments (old system):

flowind @ 2014-11-08 07:13:59

Recent updates have little that is worth reading...

Site reply:

Been busy lately~

Article source: lcx.cc: Remote Perl code execution with query string to debug TWiki plugins

Posted by admin on 2021-04-02 20:25:48. When reposting, keep the link to this article (CN-SEC): http://cn-sec.com/archives/317414.html