[VulnWatch] TWiki Security Alert: Arbitrary code execution in session files (CVE-2007-0669)

This is a security advisory for TWiki installations:

Local users may cause TWiki to execute arbitrary code
by creating CGI session files.

* Vulnerable Software Version
* Attack Vectors
* Impact
* Severity Level
* MITRE Name for this Vulnerability
* Details
* Countermeasures
* Hotfix for TWiki 4.x
* Hotfix for older TWikis using SessionPlugin
* Authors and Credits
* Action Plan with Timeline
* Feedback
* External Links

---++ Vulnerable Software Version

* TWikiRelease04x01x00 -- TWiki-4.1.0.zip
* TWikiRelease04x00x05 -- TWiki-4.0.5.zip
* TWikiRelease04x00x04 -- TWiki-4.0.4.zip
* TWikiRelease04x00x03 -- TWiki-4.0.3.zip
* TWikiRelease04x00x02 -- TWiki-4.0.2.zip
* TWikiRelease04x00x01 -- TWiki-4.0.1.zip
* TWikiRelease04x00x00 -- TWiki-4.0.0.zip
* Any previous TWiki version using SessionPlugin [6]

---++ Attack Vectors

Write access to global /tmp directory (or CGI session
directory, if different). This can be either directly
on file level (such as on a shared host), or via an
HTTP vulnerability of a third party web application.

---++ Impact

Under the assumption that an intruder has write access
to the /tmp directory (or CGI session directory), such
as with a vulnerability of another web application
running on the same server, it is possible to execute
arbitrary Perl code with the privileges of the web
server process, such as user "nobody".

---++ Severity Level

The TWiki SecurityTeam [2] triaged this issue as
documented in TWikiSecurityAlertProcess [3] and
assigned the following severity level:

* Severity 2 issue: The TWiki installation is

---++ MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has
assigned the name CVE-2007-0669 [4] to this

---++ Details

Your site may be vulnerable if:

1. You run one of the vulnerable TWiki versions, and
2. You have *not* reconfigured the CGI session
directory $cfg{Sessions}{Dir} to a private

In particular, disabling the CGI session tracking via
$cfg{UseClientSessions} is *not* sufficient to protect
against this vulnerability, since there is session
cleanup code that runs regardless of whether sessions
are enabled or not.

---++ Countermeasures

* Restrict access to the TWiki server on file level
and HTTP.
* If on a shared host, move TWiki to a dedicated
* Upgrade to TWiki Release 4.1.1 [5] (recommended)
* Apply a hotfix indicated below.

NOTE: The hotfix is known to prevent the current
attacks, but it might not be a complete fix.

---++ Hotfix for TWiki 4.x

In configure, change $cfg{Sessions}{Dir} to a private
directory (one which is only readable and writable by
the user your web server is running as, and is not
served as web content to remote users). The recommended
fix is to make a $cfg{DataDir}/session_tmp directory
owned by the user Apache is running as, change its
permissions to 0700 (drwx------), and set
$cfg{Sessions}{Dir} to that directory.

Upgrading to TWiki 4.1.1 is recommended; the session
files are cleaned up by timestamp, i.e. no longer
executed. TWiki 4.1.1 will create and use the
/tmp/twiki directory by default to store the session

---++ Hotfix for older TWikis using SessionPlugin

This section details the attack vectors, details, and
countermeasures for this vulnerability as it applies
to the SessionPlugin [6]. This section does not apply
to TWiki versions 4.0 and up, which use built-in
session tracking.

Vulnerable software version

* Plugins.SessionPlugin 1.0 -- SessionPlugin.zip
(attachment versions 1-5)
* Plugins.SessionPlugin 2.0-2.992 --
SessionPlugin.zip (attachment versions 6-8)

Attack Vectors

* For SessionPlugin 1.000:
* Write access to the $cfg{DataDir}/.session
directory, which in some cases may be created
world-writable for local users.
* For SessionPlugin 2.0-2.992:
* Write access to global /tmp directory. This
can be either directly on file level (such as
shared host), or HTTP vulnerability of a third
party web application.


* For SessionPlugin 1.000 (attachment versions 1-5
from the SessionPlugin topic):
* Ensure that the $cfg{DataDir}/.session directory
exists, is owned by the user Apache is running
as, and has 0700 permissions (drwx------).
* For SessionPlugin 2.9 (attachment versions 6-8 from
the SessionPlugin topic):
* Upgrade to Plugins.SessionPlugin 2.992
(attachment version 9 from the SessionPlugin

---++ Authors and Credits

* Credit to Andrew Moise for disclosing the issue to
the twiki-security mailing list
* Kenneth Lavrsen and Andrew Moise for creating the
* Andrew Moise and Peter Thoeny for creating the

---++ Action Plan with Timeline

* 2007-01-28: User discloses vulnerability to
* 2007-01-29: Developer verifies issue
* 2007-01-31: Developer fixes code and creates
* 2007-02-05: Security team creates advisory
* 2007-02-06: Send alert to
TWiki-Announce mailing list and TWiki-Dev mailing list
* 2007-02-08: Publish advisory in Codev web and
update all related topics
* 2007-02-08: Issue a public security advisory

---++ Feedback

Please provide feedback at the security alert topic [1],

---++ External Links

[1]: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2007-0669
[2]: http://twiki.org/cgi-bin/view/Codev/SecurityTeam
[3]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess
[4]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0669
[5]: http://twiki.org/cgi-bin/view/Codev/DownloadTWiki
[6]: http://twiki.org/cgi-bin/view/Plugins/SessionPlugin

-- Contributors: Andrew Moise, Kenneth Lavrsen, Peter
Thoeny - 08 Feb 2007

* Peter Thoeny Peter AT StructuredWikis DOT com
* http://StructuredWikis.com - bringing wikis to the workplace
* http://TWiki.org - is your team already TWiki enabled?
* Knowledge cannot be managed, it can be discovered and shared
* This e-mail is: (_) private (_) ask first (x) public