[hackmeeting] Wiki change (Third round)
Lars Gonçalves
strafwetboek en causaencantada.org
Mon Nov 29 18:39:17 CET 2004
Yep; as I said, the TWiki one really is a very active community. It's a
pleasure to work with people like that.
Regards,
Lars.
On 29/11/2004, "Txema" <txema en xarxaneta.org> wrote:
>Greetings:
>
>Following the debate about a new wiki for the hm, I'm copy-pasting below a
>TWiki vulnerability advisory that has just reached me ...
>
>bye!
>txema.
>
>------------------------------------------------------------------------
>Dear TWiki User,
>
>We are emailing you about a high priority security vulnerability in
>TWiki. Known TWiki site administrators have already been alerted, and
>a public security advisory has been sent out. However, we did not reach
>all administrators, and we now know that some public TWiki sites have
>been cracked.
>
>We are taking the unusual step of emailing a broader TWiki audience
>to alert you and to announce an improved security alert process with a
>mailing list. We will only be doing this once; all future security alerts
>will be sent solely to those subscribed to the new opt-in mailing list.
>You have received this mail because you:
>
> * are a registered user at TWiki.org, or
> * requested TWiki in the past and asked in the form to be
> notified of new releases, or
> * run a public TWiki site that Google could find
>
>If you do not use TWiki, please ignore this email. If you don't
>administer your TWiki site, or started a site now administered by
>someone else, please pass it to the current TWiki site administrator.
>
>Even if you have fixed this vulnerability, you are strongly recommended
>to join the new low-volume security announcement email list for TWiki
>at http://lists.sourceforge.net/lists/listinfo/twiki-announce
>
>Since this vulnerability is publicly announced and is being actively
>exploited, you are encouraged to post this to email lists that you
>think may be relevant. The alert has been sent out on some general
>security email lists already, but without the TWiki security email
>list information.
>
>Table of Contents:
>
> * Summary
> * Vulnerable Software Versions
> * Attack Vectors
> * Impact
> * Details
> * Countermeasures
> * What to do if You Think You May Have Been Cracked
> * TWiki Announce And Security Email List
> * New TWiki Release
> * Authors And Credits
> * How To Contact Us
> * Hotfix
>
>---++ Summary
>
>TWiki's search feature allows arbitrary shell command execution - a web
>server running TWiki can be compromised remotely.
>
>
>---++ Vulnerable Software Versions
>
> * TWiki Production Release 01-Sep-2004 -- TWiki20040901.zip
> * TWiki Production Release 01-Feb-2003 -- TWiki20030201.zip
> * TWiki Production Release 01-Dec-2001 -- TWiki20011201.zip
> * TWiki Production Release 01-Dec-2000 -- TWiki20001201.zip
> * Subversion repository linked from
> http://twiki.org/cgi-bin/view/Codev/SubversionReadme
> (up to and including revision 3224, fixed in revision 3225)
> * All alpha and beta releases prior to 12 Nov 2004
>
>---++ Attack Vectors
>
>HTTP GET requests towards the Wiki server (typically port 80/TCP).
>Usually, no prior authentication is necessary. Possibly also HTTP POST,
>but this is untested.
>
>
>---++ Impact
>
>A remote attacker is able to execute arbitrary shell commands with the
>privileges of the web server process, such as user nobody.
>
>
>---++ Details
>
>The TWiki search function uses a user supplied search string to
>compose a command line executed by the Perl backtick (``) operator.
>
>The search string is not checked properly for shell metacharacters
>and is thus vulnerable to search string containing quotes and shell
>commands.
>
>An example search string would be: "test_vulnerability '; ls -la'"
>
>If access to TWiki is not restricted by other means, attackers can
>use the search function without prior authentication.
>
>More details can be found at
>http://TWiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearch
>
>
>---++ Countermeasures
>
>The main countermeasure is to apply the hotfix (see patches at end of
>this e-mail).
>
>Temporary countermeasures if hotfix cannot be applied immediately:
>
> * Filter access to the web server
> * Use the web server software to restrict access to the web pages
> served by TWiki
> * For sites accessible to search engines, use Google temporarily
> instead of normal searching, and remove execute permissions from
> the 'search' script. See details at
> http://twiki.org/cgi-bin/view/Codev/GoogleYourTWiki
>
>
>---++ What to do if You Think You May Have Been Cracked
>
>If your TWiki site is publicly accessible (on the Internet) there is
>a risk that your site has been cracked. Visit
>
>http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearchHackReports
>to learn how other people detected intrusions and found cracking
>attempts.
>
>If your TWiki site was cracked and runs on Linux kernel 2.4, you should
>also check for the installation of rootkits on your server - see
>http://www.google.com/search?hl=en&q=rootkit+detect for some links,
>e.g. http://www.chkrootkit.org/
>
>
>---++ TWiki Announce And Security Email List
>
>A new email list has been created to announce new TWiki releases and
>to distribute security alerts quickly in the future. This low-volume
>list is the best way to find out about and fix any future security
>issues. It is highly recommended that TWiki site administrators sign
>up to this now at http://lists.sourceforge.net/lists/listinfo/twiki-announce
>- you can find more details at
>http://twiki.org/cgi-bin/view/Codev/TWikiAnnounceMailingList
>
>In addition, a TWiki security team has been created - any new
>vulnerability should be reported to this team, which will ensure the
>vulnerability is analysed, fixed, and patches + new releases distributed
>as quickly as possible. Please see details at
>http://twiki.org/cgi-bin/view/Codev/SecurityTeam
>
>Our security alert process is documented at
>http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess
>
>
>---++ New TWiki Release
>
>The latest TWiki Production Release 02-Sep-2004, aka CairoRelease,
>is available for download. It is a major release replacing version
>01-Feb-2003 and is proof against this security hole. You can download
>the new release from http://TWiki.org/download.html - however, you
>can of course just patch your current release if you prefer.
>
>Major changes since TWiki 01-Feb-2003 release:
>
> * Automatic upgrade script, and easier first-time installation
> * Attractive new skins, using a standard set of CSS classes, and
> a skin browser to help you choose
> * New easier-to-use save options
> * Many improvements to SEARCH
> * Improved support for internationalisation
> * Better topic management screens
> * More pre-installed Plugins: CommentPlugin, EditTablePlugin,
> RenderListPlugin, SlideShowPlugin, SmiliesPlugin,
> SpreadSheetPlugin, TablePlugin
> * Improved Plugins API and more Plugin callbacks
> * Better support for different authentication methods
> * Many user interface and usability improvements
> * And many, many more enhancements
>
>
>---++ Authors And Credits
>
>Martin Cleaver, Crawford Currie, Richard Donkin, Sven Dowideit, Markus
>Goetz, Joerg Hoh, Michael Holzt, Florian Laws, Colas Nahaboo, Hans
>Ulrich Niedermann, Andreas Thienemann, Peter Thoeny and Florian Weimer
>all contributed to this advisory.
>
>
>---++ How To Contact Us
>
>Please do not reply to this e-mail. Please contact:
>
> * TWiki Announcement FeedBack <twiki-announce-fbk en lists.sourceforge.net> or
> Peter.Thoeny en attglobal.net if you have questions or concerns regarding this
> announcement
> * http://TWiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearch
> for feedback on this vulnerability
> * twiki-security en lists.sourceforge.net if you discovered a vulnerability
> * http://twiki.org/cgi-bin/view/Support if you have support questions
> * http://twiki.org/cgi-bin/view/Codev to get involved in the community
> * irc://irc.freenode.net/twiki for realtime communication with fellow
> TWiki users and administrators. Details at
> http://twiki.org/cgi-bin/view/Codev/TWikiIRC
>
>Best regards,
>
>TWiki Security Team
>
>---++ Hotfix
>
>----------------------------------------------------------------------------
>Patch for twiki/lib/TWiki/Search.pm of TWiki Production Release 01-Sep-2004:
>----------------------------------------------------------------------------
>
>*** TWiki20040901/Search.pm 2004-11-12 11:54:47.000000000 -0800
>--- ./Search.pm 2004-11-12 12:08:29.000000000 -0800
>***************
>*** 434,439 ****
>--- 434,446 ----
> my $tempVal = "";
> my $tmpl = "";
> my $topicCount = 0; # JohnTalintyre
>+
>+ # fix for Codev.SecurityAlertExecuteCommandsWithSearch
>+ # vulnerability, search: "test_vulnerability '; ls -la'"
>+ $theSearchVal =~ s/(^|[^\\])([\'\`])/\\$2/g; # Escape ' and `
>+ $theSearchVal =~ s/[\@\$]\(/$1\\\(/g; # Defuse @( ... ) and $(
>... )
>+ $theSearchVal = substr($theSearchVal, 0, 1500); # Limit string length
>+
> my $originalSearch = $theSearchVal;
> my $renameTopic;
> my $renameWeb = "";
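Review bot: both substitutions mishandle `$1` as shown. In `s/(^|[^\\])([\'\`])/\\$2/g` the replacement emits only `\\$2`, so the character captured in `$1` (whatever precedes the quote) is deleted from the search string instead of being kept; the replacement should read `$1\\$2`. In `s/[\@\$]\(/$1\\\(/g` there is no capturing group at all, so `$1` is undefined and the `@` or `$` is dropped rather than preserved in front of the escaped parenthesis; `s/([\@\$])\(/$1\\\(/g` gives what the comment describes. Escaping a list of known-bad characters is also a fragile way to make a string safe for the backtick operator; the durable fix is to pass the term as one argv element to a list-form `open` or `system` so that no shell parses it, keeping these substitutions only as defence in depth.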
>
>----------------------------------------------------------------------------
>Patch for twiki/lib/TWiki/Search.pm of TWiki Production Release 01-Feb-2003:
>----------------------------------------------------------------------------
>
>*** TWiki20030201/Search.pm 2004-11-12 12:11:52.000000000 -0800
>--- ./Search.pm 2004-11-12 12:12:20.000000000 -0800
>***************
>*** 135,140 ****
>--- 135,147 ----
> my $tempVal = "";
> my $tmpl = "";
> my $topicCount = 0; # JohnTalintyre
>+
>+ # fix for Codev.SecurityAlertExecuteCommandsWithSearch
>+ # vulnerability, search: "test_vulnerability '; ls -la'"
>+ $theSearchVal =~ s/(^|[^\\])([\'\`])/\\$2/g; # Escape ' and `
>+ $theSearchVal =~ s/[\@\$]\(/$1\\\(/g; # Defuse @( ... ) and $(
>... )
>+ $theSearchVal = substr($theSearchVal, 0, 1500); # Limit string length
>+
> my $originalSearch = $theSearchVal;
> my $renameTopic;
> my $renameWeb = "";
>
>----------------------------------------------------------------------------
>Patch for twiki/lib/TWiki/Search.pm of TWiki Production Release 01-Dec-2001:
>----------------------------------------------------------------------------
>
>*** TWiki20011201/Search.pm 2004-11-12 12:15:55.000000000 -0800
>--- ./Search.pm 2004-11-12 12:16:45.000000000 -0800
>***************
>*** 133,138 ****
>--- 133,145 ----
> my $tempVal = "";
> my $tmpl = "";
> my $topicCount = 0; # JohnTalintyre
>+
>+ # fix for Codev.SecurityAlertExecuteCommandsWithSearch
>+ # vulnerability, search: "test_vulnerability '; ls -la'"
>+ $theSearchVal =~ s/(^|[^\\])([\'\`])/\\$2/g; # Escape ' and `
>+ $theSearchVal =~ s/[\@\$]\(/$1\\\(/g; # Defuse @( ... ) and $(
>... )
>+ $theSearchVal = substr($theSearchVal, 0, 1500); # Limit string length
>+
> my $originalSearch = $theSearchVal;
> my $renameTopic;
> my $renameWeb = "";
>
>--------------------------------------------------------------------------
>Patch for twiki/bin/wikisearch.pm of TWiki Production Release 01-Dec-2000:
>--------------------------------------------------------------------------
>
>*** TWiki20001201/wikisearch.pm 2004-11-12 12:18:55.000000000 -0800
>--- ./wikisearch.pm 2004-11-12 12:23:07.000000000 -0800
>***************
>*** 117,122 ****
>--- 117,129 ----
>
> my $tempVal = "";
> my $tmpl = "";
>+
>+ # fix for Codev.SecurityAlertExecuteCommandsWithSearch
>+ # vulnerability, search: "test_vulnerability '; ls -la'"
>+ $theSearchVal =~ s/(^|[^\\])([\'\`])/\\$2/g; # Escape ' and `
>+ $theSearchVal =~ s/[\@\$]\(/$1\\\(/g; # Defuse @( ... ) and $(
>... )
>+ $theSearchVal = substr($theSearchVal, 0, 1500); # Limit string length
>+
> if( $doBookView ) {
> $tmpl = readTemplate( "searchbookview" );
> } else {
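Review bot: this is the same three-line insertion as the Search.pm patches, now placed in wikisearch.pm ahead of the `$doBookView` branch, and it carries the same two defects: the first replacement writes `\\$2` instead of `$1\\$2` and so drops the captured preceding character, and the second refers to `$1` with no capturing group. Since the comment already records the advisory's example search string, add a regression test that feeds exactly that string through the three statements and asserts on the escaped result, so the escaping cannot silently regress across the four maintained branches.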
>
>------------------------------------------------------------------------
>End patches
>------------------------------------------------------------------------
>
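The pattern the advisory describes (a user-supplied search term interpolated into a backtick command line) beside the form that keeps the term out of the shell, as an added illustration that is neither TWiki's code nor the hotfix above. The function names, the whitelist escaping helper and the temporary demo file are my own assumptions; the only thing taken from the advisory is its example search string.

```perl
#!/usr/bin/perl
# Added example (not TWiki code): the unsafe interpolation pattern beside a
# shell-free invocation. Requires Perl 5.8+ for list-form open('-|', LIST).
use strict;
use warnings;

# UNSAFE: $term is interpolated into a command line that the backtick
# operator hands to /bin/sh, so quotes and ';' in $term are parsed by the
# shell instead of being searched for. Kept only to show the shape of the bug.
sub search_unsafe {
    my ($term, @files) = @_;
    my $out = `grep -il '$term' @files 2>/dev/null`;    # do not use
    return $out;
}

# SAFE: list-form open forks and execs grep directly. Every element is one
# argv entry and no shell is involved, so "'; ls -la'" is a literal pattern.
# '--' stops grep from treating a term that starts with '-' as an option.
sub search_safe {
    my ($term, @files) = @_;
    return [] unless @files;
    open(my $fh, '-|', 'grep', '-il', '--', $term, @files)
        or die "cannot run grep: $!";
    my @hits = <$fh>;
    close($fh);    # grep exits 1 when nothing matched; that is not an error here
    chomp @hits;
    return \@hits;
}

# Defence in depth when a shell truly cannot be avoided (hypothetical helper):
# cap the length BEFORE escaping so truncation can never split an escape
# sequence, and escape every byte outside a small whitelist instead of
# enumerating known-bad characters.
sub quote_for_shell {
    my ($term) = @_;
    $term = substr($term, 0, 1500);
    $term =~ s/([^A-Za-z0-9_.\/-])/\\$1/g;
    return $term;
}

unless (caller) {
    # Constructed sample data: one topic file containing a harmless sentence.
    my $dir = "/tmp/twiki-search-demo.$$";
    mkdir $dir or die "mkdir $dir: $!";
    my $topic = "$dir/WebHome.txt";
    open(my $w, '>', $topic) or die "write $topic: $!";
    print {$w} "test_vulnerability is a harmless word here\n";
    close $w;

    my $term = "test_vulnerability '; ls -la'";    # the advisory's example
    my $hits = search_safe($term, $topic);
    # No file contains that literal string, so the list is empty and nothing
    # else ran: grep received the whole term as a single argument.
    print "safe search matched ", scalar(@$hits), " file(s)\n";
    print "shell-quoted form: ", quote_for_shell($term), "\n";

    unlink $topic;
    rmdir $dir;
}
```

Running the script prints that the safe search matched zero files and shows the fully escaped form of the term; the point is that `search_safe` never constructs a command string at all, so there is nothing for a metacharacter to break out of, whereas `quote_for_shell` is only a backstop for legacy call sites that still build one.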
More information about the HackMeeting mailing list