News & Media
Become a member »
» ESB-2008.0878 -- [Win][UNIX/Linux] -- TWiki command ...
ESB-2008.0878 -- [Win][UNIX/Linux] -- TWiki command execution vulnerability
19 September 2008
Click here for printable version
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2008.0878 -- [Win][UNIX/Linux] TWiki command execution vulnerability 19 September 2008 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: TWiki Publisher: US-CERT Operating System: UNIX variants (UNIX, Linux, OSX) Windows Impact: Read-only Data Access Access: Remote/Unauthenticated CVE Names: CVE-2008-4112 Original Bulletin: http://www.kb.cert.org/vuls/id/362012 Revision History: September 19 2008: Added CVE Reference September 16 2008: Initial Release - --------------------------BEGIN INCLUDED TEXT-------------------- Vulnerability Note VU#362012 TWiki command execution vulnerability Overview The TWiki wiki software fails to validate input passed to certain URLs. By accessing a URL containing the TWiki configuration script, an attacker may be able to read arbitrary files. I. Description TWiki is a wiki that is runs in the context of the Apache web server. TWiki is installed by configuring Apache, then accessing a configuration script from a web browser. Before executing the configuration script, the TWiki installation instructions provide a generator for Apache configuration directives that is designed to prevent unauthorized access to the script. There is a command execution vulnerability in TWiki versions prior to 4.2.3. According to the TWiki download page, this issue can only be exploited if the configure script was not secured as described in step number 8 in the installation guide. Public exploit code has been released that targets this vulnerability. TWiki servers typically use predictable URLs and vulnerable systems may be found by querying search engines. II. Impact A remote attacker may be able to view arbitrary configuration files on a vulnerable system. III. Solution TWiki versions 4.2.0 and higher The TWiki team has provided a configuration script to address this issue. The script is available here: http://twiki.org/p/pub/Codev/TWikiRelease04x02x03/configure TWiki versions prior to 4.2.0 Refer to step 8 in the Twiki installation guide. Make the configure script not executable Removing, renaming or marking the TWiki configure script (twiki/bin/configure) as not executable will prevent this vulnerability from being exploited. Restrict access Restricting access by using a web application or string-matching firewall to block URLs that contain the string /bin/configure may partially mitigate this vulnerability. This workaround is unlikely to be effective in many cases, such as when the server uses the https protocol. Systems Affected Vendor Status Date Updated TWiki Vulnerable 12-Sep-2008 References http://twiki.org/cgi-bin/view/TWiki/TWikiInstallationGuide#8 http://twiki.org/cgi-bin/view/TWiki.ApacheConfigGenerator http://twiki.org/p/pub/Codev/TWikiRelease04x02x03/configure http://www.milw0rm.com/exploits/6269 Credit Thanks to the TWiki team for information that was used in this report. This document was written by Ryan Giobbi. Other Information Date Public 12/09/2008 Date First Published 12/09/2008 15:00:10 Date Last Updated 12/09/2008 CERT Advisory CVE-ID(s) NVD-ID(s) US-CERT Technical Alerts Metric 38.25 Document Revision 6 - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to firstname.lastname@example.org and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: email@example.com Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBSNL9/ih9+71yA2DNAQKZ1gP+OOZHdFN3tdezQMhV/jBCcmD0LNzQ8mdb 8sJl0DZEZhIuEJMT+8Pa04z8CiJ/WJr7nSRilVBCgYlHpk0fsWaGqtinteeOroUs 2sIW7ZWuNpAJ0CfqPH1Ktz8rDOE6H4DFdsGuO/Btvjv9WTFgGZgY4kwck93x4Nrv r6b3cpO3LFQ= =3Z2k -----END PGP SIGNATURE-----
Comments? Click here