[VulnWatch] TWiki Security Alert: Secure webserver to prevent script execution of uploaded files (CVE-2006-3336)



This is a security advisory for TWiki installations:

Unauthorized user may upload and execute arbitrary
scripts such as PHP and server side include scripts.

TWiki is an enterprise collaboration platform. It is
a Structured Wiki, typically used to run a project
development space, a document management system, a
knowledge base, or any other groupware tool. Users
without programming skills can create web
applications. Developers can extend the functionality
of TWiki with Plugins.


TOC:

* Vulnerable Software Version
* Attack Vectors
* Impact
* Severity Level
* MITRE Name for this Vulnerability
* Details
* Countermeasures
* Hotfixes
* Authors and Credits
* Action Plan with Timeline
* Feedback
* External Links


---++ Vulnerable Software Version

* TWikiRelease04x00x03 -- TWiki-4.0.3.zip
* TWikiRelease04x00x02 -- TWiki-4.0.2.zip
* TWikiRelease04x00x01 -- TWiki-4.0.1.zip
* TWikiRelease04x00x00 -- TWiki-4.0.0.zip
* TWikiRelease04Sep2004 -- TWiki20040904.zip
* TWikiRelease03Sep2004 -- TWiki20040903.zip
* TWikiRelease02Sep2004 -- TWiki20040902.zip
* TWikiRelease01Sep2004 -- TWiki20040901.zip
* TWikiRelease01Feb2003 -- TWiki20030201.zip
* TWikiRelease01Dec2001 -- TWiki20011201.zip
* TWikiRelease01Dec2000 -- TWiki20001201.zip


---++ Attack Vectors

The TWiki upload filter already prevents executable scripts
such as .php, .php1, .phps, .pl from potentially getting
executed by appending a .txt suffix to the uploaded
filename. However, PHP and some other types allows
additional file suffixes, such as .php.en, .php.1, and
.php.2. TWiki does not check for these suffixes, e.g. it is
possible to upload php scripts with such suffixes without
the .txt filename padding.

Properly configured TWiki sites that do not allow script
execution in the pub directory are not affected.


---++ Impact

Any version of TWiki since 01-Dec-2000 (and any other web
based application that allows uploading of files which can
be access directly from the webserver afterwards) is
subject to attacks if the webserver has not been setup to
not allow execution of scripts and programs.


---++ Severity Level

The TWiki SecurityTeam [2] triaged this issue as documented
in TWikiSecurityAlertProcess [3] and assigned the following
severity level:

* Severity 1 issue: The web server can be compromised


---++ MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has
assigned the name CVE-2006-3336 [4] to this vulnerability.


---++ Details

How to reproduce - PHP example

* Create a small file phpinfo.php.1 which only contains
this one line script:
<? phpinfo(); ?>
* Upload this file to a TWiki topic.
* Add this text to the TWiki topic:
%ATTACHURL%/phpinfo.php.1
* Click on the link to phpinfo.php.1
* If your pub directory is not secured against running
PHP scrips you will see a webpage with all sorts of
details about your Apache and PHP. If your pub
directory is secure you will only see
<? phpinfo(); ?>

How to reproduce - Server Side Include example

* Create a small file serverside.shtml which only
contains this one line script:
<!--#exec cmd="ls" -->
* Upload this file to a TWiki topic.
* Add this text to the TWiki topic:
%ATTACHURL%/serverside.shtml
* Click on the link to serverside.shtml
* If your pub directory is not secured against running
SSI scrips you will see a directory listing of the
files in the directory. If it is safe you will only
see a blank page.

Why this succeeds

Most Linux distributions are shipped with PHP enabled. PHP
is loaded as a shared object. Either in httpd.conf or a
file included from httpd.conf there are at least two lines
looking like this:

LoadModule php4_module modules/libphp4.so
AddType application/x-httpd-php .php

This causes any file with .php in the name to be regarded as
a PHP program. Most people think the .php is only working
when it is a suffix to a filename but it turns out that any
file with a filename that contains the string .php is
regarded a PHP program.

Same thing with server side includes and CGI script files.

The safest thing is to completely disable the execution of
any kind of script language in the pub directory tree of
your TWiki. TWiki provides the upload filter which renames
files with certain strings in the filename by appending
.txt. This is a 2nd level security measure and should not
be the only security measure.

The hotfix attached to this security alert contains updated
sample files for both Apache config file and .htaccess file
which disables execution of PHP scripts, SSI scripts and
CGI scripts in the pub directory.

The hotfix attached also changes the TWiki configuration so
that TWiki appends .txt to the filename when you upload
files that contain a string used by Apache extensions such
as PHP and Python. However this assumes that .txt is setup
in Apache to be plain text files.


---++ Countermeasures

* Apply the hotfix indicated below. The hotfix is only
effective when both the uploadFilter and the Apache
configs are secured. And the fix secures against
execution of PHP, CGI and SSI type scripts. If you
have installed other types of Apache modules that can
execute files then you must ensure this is disabled
in the entire pub directory tree.
* Upgrade to the latest patched production release
TWikiRelease04x00x04 [5] (TWiki-4.0.4.zip)
* Restrict access to the web pages served by TWiki.
* Check your server for intrusion by checking already
uploaded files that have names that could be
executable files. Look for a user called ShubaShuba
already known to have attacked TWiki installations.


---++ Hotfixes

This next sections describes:

* How to prevent script execution in the pub directory
using httpd.
* If you do not have access to the Apache config file,
an alternative approach is described using .htaccess
file.
* A section describing how to prevent server side
includes in the pub directory
* Description of the improved upload filter
* Hotfix downloads for TWiki 4 (containing all of above
fixes)
* Hotfix description for earlier versions of TWiki

---+++ Preventing script execution in the pub directory
using httpd config

In order to prevent execution of any kind of scripts in the
pub directory, your Apache config should contain these
directives:

<Directory "/home/httpd/twiki/pub">
Options None
AllowOverride None
Allow from all

# If you have PHP4 or PHP5 installed make sure the directive
# below is enabled. If you do not have PHP installed you
# will need to comment out the directory below to avoid
# errors:
php_admin_flag engine off

# If you have PHP3 installed make sure the directive below is
# enabled:
#php3_engine off

# This line will redefine the mime type for the most common
# types of scripts. It will also deliver HTML files as if
# they are text files
AddType text/plain .html .htm .shtml .php .php3 .phtml .phtm .pl
.py .cgi
</Directory>

---+++ Preventing script execution in the pub directory
using .htaccess file

When you do not have access to the Apache config files
(typically with shared hosting and no root access) you will
control access to directories using .htaccess files. In the
root of the pub directory you must put a .htaccess file with
minimum this protection:

# Sample '.htaccess' file for 'pub' subdirectory

# Allow all access
Allow from all

# Deny people from looking at the index and running SSI and CGI
Options None

# We need to protect the entire pub directory tree against any
# kind of script execution. TWiki has a renaming protection
# scheme that alters certain file names to prevent script
# execution but it may not be 100% safe only to rely on this.
# The safest protection is to disabled all scripting.

# If you have PHP4 or PHP5 installed make sure the directive
# below is enabled. If you do not have PHP installed you will
# need to comment out the directory below to avoid errors:
php_flag engine off

# If you have PHP3 installed make sure the directive below is
# enabled:
#php3_engine off

# This line will redefine the mime type for the most common
# types of scripts. It will also deliver HTML files as if they
# are text files:
AddType text/plain .html .htm .shtml .php .php3 .phtml .phtm .pl .py .cgi

---+++ Preventing Server Side Includes and CGI scripts in
the pub directory

Many Linux distributions are shipped with a httpd.conf that
enables server side includes of files with suffix .shtml or
.shtml.foo where foo can be any string.

In httpd.conf you often find settings that enable server
side includes generally.

AddType text/html .shtml
AddOutputFilter INCLUDES .shtml

And similar you may have enabled execution of CGI scripts
for files with suffix .cgi and/or .pl

AddHandler cgi-script .cgi
AddHandler cgi-script .pl

And unfortunately the example of a TWiki httpd config file
that has been in the TWiki releases for years has shown the
pub directory setup with Options +Includes and it should
have said Options None so that both server side includes and
CGI would be disabled in the entire pub directory.

It is important that the httpd config or .htaccess files in
any TWiki installations are checked and if needed corrected
so that server side includes are disabled. In the examples
in the previous section the Options directive are shown
correctly as they should be.

---+++ Renaming dangerous filenames when uploading

The attached hotfix alters the regular expression used for
deciding when to append the suffix .txt to the filename of
an uploaded file.

The new regex for {UploadFilter} in TWiki-4.0.x's configure
is:

(?-xism:^(\.htaccess|.*\.(?i)(?:php[0-9s]?(\..*)?|[sp]htm[l]?(\..*)?|pl|py|cgi))$)

For earlier versions of TWiki $uploadFilter in TWiki.cfg
should be set to:

$uploadFilter =
"^(\.htaccess|.*\.(?i)(?:php[0-9s]?(\..*)?|[sp]htm[l]?(\..*)?|pl|py|cgi))\$"

---+++ Hotfix for TWiki 4.0.0, 4.0.1, 4.0.2 and TWiki 4.0.3

A hotfix for every released versions of TWiki 4.0.x has been
attached to the security alert topic,
http://twiki.org/cgi-bin/view/Codev/SecurityAlertSecureFileUploads

* CVE-2006-3336-hotfix-twiki400.zip for TWiki 4.0.0
* CVE-2006-3336-hotfix-twiki401.zip for TWiki 4.0.1
* CVE-2006-3336-hotfix-twiki402.zip for TWiki 4.0.2
* CVE-2006-3336-hotfix-twiki403.zip for TWiki 4.0.3

The hotfix updates the lib/TWiki.cfg file so that .txt gets
appended when you upload the most common scripts.

It also contains the updated template files for apache
config and .htaccess. You will however need to update your
actual Apache config file or .htaccess file on your TWiki
installation. When you update the Apache config files you
must remember to restart the Apache server
(sudo ./apachectl grace).

---+++ Hotfix for TWiki 04-Sep-2004 and earlier

In order to protect earlier version of TWiki do the
following:

* In lib/TWiki.cfg find the setting $uploadFilter and
change it to:
$uploadFilter =
"^(\.htaccess|.*\.(?i)(?:php[0-9s]?(\..*)?|[sp]htm[l]?(\..*)?|pl|py|cgi))\$"
* Download the CVE-2006-3336-hotfix-twiki403.zip from the
security alert topic [1] and use twiki_httpd_conf.txt
and pub-htaccess.txt files as a template to update your
current Apache configuration.


---++ Authors and Credits

* Credit to Tom McAdam for disclosing the issue to the
twiki-security mailing list
* TWiki:Main.KennethLavrsen for creating a hotfix
* TWiki:Main.KennethLavrsen for creating TWiki release
4.0.4
* TWiki:Main.PeterThoeny and TWiki:Main.KennethLavrsen
for creating the advisory


---++ Action Plan with Timeline

* 2006-06-29: User discloses vulnerability to
twiki-security
* 2006-07-01: Developer verifies issue
* 2006-07-03: Developer creates fix
* 2006-07-04: Developer creates hotfix
* 2006-07-04: Developer creates TWiki release 4.0.4
* 2006-07-05: Send alert to twiki-announce mailing list
and twiki-dev mailing list
* 2006-07-05: Publish advisory on TWiki.org
* 2006-07-05: Release TWiki 4.0.4 on TWiki.org
* 2006-07-07: Issue a public security advisory


---++ Feedback

Please provide feedback at the security alert topic [1],
http://twiki.org/cgi-bin/view/Codev/SecurityAlertSecureFileUploads


---++ External Links

[1]: http://twiki.org/cgi-bin/view/Codev/SecurityAlertSecureFileUploads
[2]: http://twiki.org/cgi-bin/view/Codev/SecurityTeam
[3]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess
[4]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3336
[5]: http://twiki.org/cgi-bin/view/Codev/TWikiRelease04x00x04


-- Contributors: PeterThoeny, KennethLavrsen - 07 Jul 2006


--
* Peter Thoeny Peter@xxxxxxxxxxxxxxxxxxx
* http://StructuredWikis.com - bringing wikis to the workplace
* http://TWiki.org - is your team already TWiki enabled?
* Knowledge cannot be managed, it can be discovered and shared
* This e-mail is: (_) private (_) ask first (x) public



Relevant Pages