TWiki configuration

Main program

Plugins

Patches

*** TWiki20030201/Search.pm     2004-11-12 12:11:52.000000000 -0800
--- ./Search.pm 2004-11-12 12:12:20.000000000 -0800
***************
*** 135,140 ****
--- 135,147 ----
      my $tempVal = "";
      my $tmpl = "";
      my $topicCount = 0; # JohnTalintyre
+
+     # fix for Codev.SecurityAlertExecuteCommandsWithSearch
+     # vulnerability, search: "test_vulnerability '; ls -la'"
+     $theSearchVal =~ s/[\'\`]//g;                  # Filter ' and `
+     $theSearchVal =~ s/\@\(/\@\\\(/g;              # Defuse @( ... )
+     $theSearchVal = substr($theSearchVal, 0, 200); # Limit string  
+ length
+
      my $originalSearch = $theSearchVal;
      my $renameTopic;
      my $renameWeb = "";
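Review bot: `$theSearchVal =~ s/[\'\`]//g;` is a deny-list of two characters; whether `;`, `|` or `$(` can still reach the shell depends on how the value is quoted in the search command line, which this hunk does not show, so quoting the value (or invoking the search program without a shell) would be the more robust fix than stripping characters. Also, the comment `# Limit string` is wrapped onto a following `+ length` line; applied as shown, that inserts a stray bare `length` statement, so rejoin the comment onto the `substr` line before applying.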

Further issues

Data migration from Windoofs (i.e. Windows)

  • fromdos
  • Possibly the username does not match the one under which everything was stored in RCS (from Beat it comes as system, I write root, and the whole thing has to run as www-data. Well, the script now handles that too :)))
  • But that can't be all of it !!!! (unfortunately)
  • By now there is a nice script that checks out every file and checks it back in ….. …. no, there are even two scripts !! (one for data and one for pub)
  • Oh yes.... the script of course writes everything into RCS !! Therefore various files have to be copied manually afterwards without going through RCS. Examples are:
    • .notify
    • .webstatistic (or something like that !)
    • KoalaSkin files
    • Small images for the header lines

Security Patch (12.9.2005)


> ---++ Vulnerable Software Version
>    * TWikiRelease02Sep2004 -- TWiki20040902.zip
>    * TWikiRelease01Sep2004 -- TWiki20040901.zip
>    * TWikiRelease01Feb2003 -- TWiki20030201.zip
>    * TWikiRelease01Dec2001 -- TWiki20011201.zip
>    * TWikiRelease01Dec2000 -- TWiki20001201.zip
>    * (FYI, recent DakarReleases are not affected)
> 
> 
> ---++ Attack Vectors
> 
> HTTP GET requests towards the Wiki server (typically port 80/TCP).
> Usually, no prior authentication is necessary.
> 
> Possibly also HTTP POST, but this is untested.
> 
> 
> ---++ Impact
> 
> An attacker is able to execute arbitrary shell commands with the
> privileges of the web server process, such as user nobody.
> 
> 
> ---++ Details
> 
> The TWiki revision control function uses a user supplied URL 
> parameter to compose a command line executed by the Perl backtick 
> (``) operator.
> 
> The URL parameter is not checked properly for shell metacharacters
> and is thus vulnerable to revision numbers containing pipes and 
> shell commands. Exploit is possible on topics with 2 or more 
> revisions.
> 
> Example URL path with exploited rev parameter:
> /cgi-bin/view/Main/WebHome?rev=2%20%7Cless%20/etc/group
> 
> If access to TWiki is not restricted by other means, attackers can
> use the revision function without prior authentication.
> 
> 
> ---++ Countermeasures
> 
>    * Apply hotfix (see patches below)
>       * NOTE: The hotfix is known to prevent the current attacks,  
>         but it might not be a complete fix
>    * Upgrade to the latest patched production TWikiRelease03Sep2004,
>      http://twiki.org/swd/TWiki20040903.zip or
>      http://twiki.org/swd/TWiki20040903.tar.gz
>       * NOTE: If you are running TWikiRelease02Sep2004, simply copy
>         the patched lib/TWiki/Store.pm, lib/TWiki/UI/RDiff.pm, 
>         lib/TWiki/UI/View.pm and lib/TWiki/UI/Viewfile.pm to your
>         installation
>    * Filter access to the web server
>    * Use the web server software to restrict access to the web pages
>      served by TWiki
> 
> 
> ---++ Authors and Credits
> 
>    * Credit to B4dP4nd4 (b4dp4nd4@gmail.com) for disclosing the issue
>      to the twiki-security@lists.sourceforge.net mailing list
>    * TWiki:Main.PeterThoeny, TWiki:CrawfordCurrie, TWiki:SvenDowideit 
>      for contributing to this advisory

> ---+++ Patch for TWiki Production Release 01-Feb-2003
> 
> diff -u lib/TWiki/Store.pm.orig lib/TWiki/Store.pm
> --- lib/TWiki/Store.pm.orig     Sat Jan  4 17:36:56 2003
> +++ lib/TWiki/Store.pm  Thu Sep  8 23:10:58 2005
> @@ -351,9 +351,11 @@
>      if( ! $theWebName ) {
>          $theWebName = $TWiki::webName;
>      }---++ Vulnerable Software Version
> 
> -
> -    $theRev =~ s/^1\.//o;
> 
> +    $theRev =~ s/r?1\.//o;  # cut 'r' and major
> +    # Fix for Codev.SecurityAlertExecuteCommandsWithRev
> +    $theRev = "" unless( $theRev =~ s/.*?([0-9]+).*/$1/o );
> +
>      $topicHandler = _getTopicHandler( $theWebName, 
> $theTopic, $attachment ) if( ! $topicHandler );
>      my( $rcsOut, $rev, $date, $user, $comment ) = 
> $topicHandler->getRevisionInfo( $theRev );
> 
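Review bot: the context line `}---++ Vulnerable Software Version` has advisory text fused onto the closing brace, so this hunk will not apply cleanly against lib/TWiki/Store.pm; restore that line to a plain `}` before applying. On the substance, `s/.*?([0-9]+).*/$1/o` is unanchored and lacks `/s`, so `.` stops at a newline and anything after the first line of `$theRev` survives the rewrite; anchoring with `^...$` and adding `/s` (as the 26.9.2005 patch further down this page does) makes the result digits-only.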
> diff -u bin/rdiff.orig bin/rdiff
> --- bin/rdiff.orig      Sat Feb  1 00:57:32 2003
> +++ bin/rdiff   Thu Sep  8 23:18:05 2005
> @@ -155,6 +155,9 @@
>          if( ! $rev2 ) { $rev2 = 0; }
>          $rev1 =~ s/r?1\.//go;  # cut 'r' and major
>          $rev2 =~ s/r?1\.//go;  # cut 'r' and major
> +        # Fix for Codev.SecurityAlertExecuteCommandsWithRev
> +        $rev1 = $maxrev unless( $rev1 =~ s/.*?([0-9]+).*/$1/o );
> +        $rev2 = $maxrev unless( $rev2 =~ s/.*?([0-9]+).*/$1/o );
>          if( $rev1 < 1 )       { $rev1 = $maxrev; }
>          if( $rev1 > $maxrev ) { $rev1 = $maxrev; }
>          if( $rev2 < 1 )       { $rev2 = 1; }
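Review bot: `$rev1 = $maxrev unless( ... )` and the matching `$rev2` line fail open: a rev value with no digit in it at all is silently replaced by a valid revision instead of being rejected, and the unanchored pattern without `/s` leaves text after an embedded newline in place. Prefer failing closed (treat a non-numeric rev as an invalid request) and anchor the pattern with `^...$` plus `/s`.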
> diff -u bin/view.orig bin/view
> --- bin/view.orig       Thu Jan 30 00:21:25 2003
> +++ bin/view    Thu Sep  8 23:13:47 2005
> @@ -123,6 +123,8 @@
>          writeDebug( "maxrev = $maxrev" );
>          if( $rev ) {
>              $rev =~ s/r?1\.//go;  # cut 'r' and major
> +            # Fix for Codev.SecurityAlertExecuteCommandsWithRev
> +            $rev = $maxrev unless( $rev =~ s/.*?([0-9]+).*/$1/o );
>              if( $rev < 1 )       { $rev = 1; }
>              if( $rev > $maxrev ) { $rev = $maxrev; }
>          } else {
> diff -u bin/viewfile.orig bin/viewfile
> --- bin/viewfile.orig   Sun Jan  5 00:36:54 2003
> +++ bin/viewfile        Thu Sep  8 23:14:54 2005
> @@ -63,6 +63,9 @@
>      my $fileName = $query->param( 'filename' );
> 
>      my $rev = $query->param( 'rev' ) || "";
> +    $rev =~ s/r?1\.//o;  # cut 'r' and major
> +    # Fix for Codev.SecurityAlertExecuteCommandsWithRev
> +    $rev = "" unless( $rev =~ s/.*?([0-9]+).*/$1/o );
>      my $topRev = &TWiki::Store::getRevisionNumber( $webName, 
> $topic, $fileName );
> 
>      if( ( $rev ) && ( $rev ne $topRev ) ) {
> 

Security Patch (26.9.2005)

> * Patch for TWiki Production Release 01-Feb-2003:

--- lib/TWiki/Store.pm.orig2      Thu Sep  8 23:10:58 2005
+++ lib/TWiki/Store.pm    Tue Sep 20 17:19:49 2005
@@ -278,7 +278,9 @@
     my( $theWeb, $theTopic, $theRev ) = @_;
     my $topicHandler = _getTopicHandler( $theWeb, $theTopic );

-    $theRev =~ s/^1\.//o;
+    $theRev =~ s/^r?1\.//o;  # cut 'r' and major
+    # Fix for Codev.SecurityAlertExecuteCommandsWithInclude
+    $theRev = "" unless( $theRev =~ s/^.*?([0-9]+).*$/$1/so );
     return $topicHandler->getRevision( $theRev );
 }

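Review bot: before this hunk getRevision had no digit-extraction step at all (only `$theRev =~ s/^1\.//o;`), so it was exposed in the same way the 12.9.2005 advisory describes for view and rdiff; the added `s/^.*?([0-9]+).*$/$1/so` closes that, but the comment should state why `/s` and the `^...$` anchors matter (without `/s`, `.` stops at a newline and trailing text survives) so a later cleanup does not drop them.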
@@ -288,7 +290,9 @@
    my ( $theWeb, $theTopic, $theAttachment, $theRev ) = @_;

    my $topicHandler = _getTopicHandler( $theWeb, $theTopic, $theAttachment );
-   $theRev =~ s/^1\.//o;
+   $theRev =~ s/^r?1\.//o;  # cut 'r' and major
+   # Fix for Codev.SecurityAlertExecuteCommandsWithInclude
+   $theRev = "" unless( $theRev =~ s/^.*?([0-9]+).*$/$1/so );
    return $topicHandler->getRevision( $theRev );
 }

@@ -352,9 +356,9 @@
         $theWebName = $TWiki::webName;
     }

-    $theRev =~ s/r?1\.//o;  # cut 'r' and major
+    $theRev =~ s/^r?1\.//o;  # cut 'r' and major
     # Fix for Codev.SecurityAlertExecuteCommandsWithRev
-    $theRev = "" unless( $theRev =~ s/.*?([0-9]+).*/$1/o );
+    $theRev = "" unless( $theRev =~ s/^.*?([0-9]+).*$/$1/so );

     $topicHandler = _getTopicHandler( $theWebName, $theTopic, $attachment ) if( ! $topicHandler );
     my( $rcsOut, $rev, $date, $user, $comment ) = $topicHandler->getRevisionInfo( $theRev );
--- bin/rdiff.orig2 Thu Sep  8 23:18:05 2005
+++ bin/rdiff       Tue Sep 20 17:31:11 2005
@@ -156,8 +156,8 @@
         $rev1 =~ s/r?1\.//go;  # cut 'r' and major
         $rev2 =~ s/r?1\.//go;  # cut 'r' and major
         # Fix for Codev.SecurityAlertExecuteCommandsWithRev
-        $rev1 = $maxrev unless( $rev1 =~ s/.*?([0-9]+).*/$1/o );
-        $rev2 = $maxrev unless( $rev2 =~ s/.*?([0-9]+).*/$1/o );
+        $rev1 = $maxrev unless( $rev1 =~ s/^.*?([0-9]+).*$/$1/so );
+        $rev2 = $maxrev unless( $rev2 =~ s/^.*?([0-9]+).*$/$1/so );
         if( $rev1 < 1 )       { $rev1 = $maxrev; }
         if( $rev1 > $maxrev ) { $rev1 = $maxrev; }
         if( $rev2 < 1 )       { $rev2 = 1; }
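Review bot: `$rev1 =~ s/r?1\.//go` and `$rev2 =~ s/r?1\.//go` are left unanchored here while Store.pm in this same patch moves to `s/^r?1\.//o`; the digit extraction that follows makes this harmless, but aligning the prefix strip to `^r?1\.` keeps the four copies of this logic identical and easier to audit.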
--- bin/view.orig2  Thu Sep  8 23:13:47 2005
+++ bin/view        Tue Sep 20 17:31:33 2005
@@ -124,7 +124,7 @@
         if( $rev ) {
             $rev =~ s/r?1\.//go;  # cut 'r' and major
             # Fix for Codev.SecurityAlertExecuteCommandsWithRev
-            $rev = $maxrev unless( $rev =~ s/.*?([0-9]+).*/$1/o );
+            $rev = $maxrev unless( $rev =~ s/^.*?([0-9]+).*$/$1/so );
             if( $rev < 1 )       { $rev = 1; }
             if( $rev > $maxrev ) { $rev = $maxrev; }
         } else {
--- bin/viewfile.orig2      Thu Sep  8 23:14:54 2005
+++ bin/viewfile    Tue Sep 20 17:31:54 2005
@@ -65,7 +65,7 @@
     my $rev = $query->param( 'rev' ) || "";
     $rev =~ s/r?1\.//o;  # cut 'r' and major
     # Fix for Codev.SecurityAlertExecuteCommandsWithRev
-    $rev = "" unless( $rev =~ s/.*?([0-9]+).*/$1/o );
+    $rev = "" unless( $rev =~ s/^.*?([0-9]+).*$/$1/so );
     my $topRev = &TWiki::Store::getRevisionNumber( $webName, $topic, $fileName );

     if( ( $rev ) && ( $rev ne $topRev ) ) {
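As an added example (not TWiki's own code and not part of the advisory or the patches): the rev normalizers from the 12.9.2005 and 26.9.2005 hotfixes placed side by side and run over constructed inputs, which shows why the second patch anchors the pattern and adds the `/s` modifier. The sub names and the sample values are assumptions made here.

```perl
#!/usr/bin/perl
# Added example (not TWiki code): the rev normalizers from the 12.9.2005
# and 26.9.2005 hotfixes above, side by side. Only the regexes come from
# the patches; sub names and sample inputs are constructed here.
use strict;
use warnings;

# First hotfix (12.9.2005): unanchored and without /s, so '.' never
# crosses a newline and text after one survives the substitution.
sub normalize_rev_first {
    my ($rev) = @_;
    $rev =~ s/r?1\.//o;                                  # cut 'r' and major
    $rev = "" unless ( $rev =~ s/.*?([0-9]+).*/$1/o );
    return $rev;
}

# Second hotfix (26.9.2005): anchored at both ends; /s lets '.' match "\n".
sub normalize_rev_second {
    my ($rev) = @_;
    $rev =~ s/^r?1\.//o;                                 # cut 'r' and major
    $rev = "" unless ( $rev =~ s/^.*?([0-9]+).*$/$1/so );
    return $rev;
}

# A rev is safe to hand to the RCS command line only if it is digits-only
# (or empty, which the callers treat as "no specific revision").
sub is_digits_only { return $_[0] =~ /\A[0-9]*\z/ ? 1 : 0; }

# Constructed inputs: plain revs, the advisory's URL sample after decoding,
# a multi-line value and a value without any digit.
my @cases = ( "1.3", "r1.3", "3", "2 |less /etc/group", "2\ntrailing text",
              "no digits here" );

for my $in (@cases) {
    my $first  = normalize_rev_first($in);
    my $second = normalize_rev_second($in);
    printf "%-24s first: %-8s second: %s\n", show($in),
        ( is_digits_only($first)  ? "ok" : "UNSAFE" ),
        ( is_digits_only($second) ? "ok" : "UNSAFE" );
}

# Render embedded newlines visibly for the report.
sub show { my $s = shift; $s =~ s/\n/\\n/g; return "'$s'"; }
```

Only the multi-line case differs between the two: the first hotfix keeps everything after the newline, the second reduces it to the single digit run.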
