You are here: Foswiki>Support Web>SecurityAlert-CVE-2010-4215 (10 Jan 2013, GeorgeClark)Edit Attach

Get Alerted: to get immediate alerts of high priority security issues, please join the low-volume foswiki-announce list - details at MailingLists

plain text

Security Alert: A normal user can alter topic preferences using the "Edit topic preference settings" feature and save them even though he has no privileges to edit the topic

This advisory alerts you of a potential security issue with your Foswiki installation. A bug was introduced in Foswiki 1.1.0 that allows any user to edit and save through the "More Topic Actions" -> "Edit topic preference settings".

This has a serious consequence as it allows the user to change the settings that defines access rights to the topic. This includes the important AdminGroup topic in the Main web. Any normal user can exploit this to elevate himself to administrator.

It is therefore important that any Foswiki 1.1.0 or 1.1.1 installation is upgraded to 1.1.2 immediately. You can also apply the patch provided with this advisory.

Severity Level
MITRE Name for this Vulnerability
Vulnerable Software Versions
Attack Vectors
Impact
Countermeasures
Authors and Credits
Hotfix for Foswiki Production Release 1.1.0-1.1.1
Action Plan with Timeline
Quick Links
Tools

Severity Level

Severity 2 issue: The Foswiki installation is compromised

The severity level was assigned by the Foswiki SecurityTaskTeam as documented in SecurityAlertProcess

MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name CVE-2010-4215 to this vulnerability.

Vulnerable Software Versions

Foswiki 1.1.0, Foswiki 1.1.1

Fixed in Foswiki 1.1.2

Attack Vectors

The most serious explot is elevation to administrator and involves these easy steps.

Register as a normal user on the Foswiki
Navigate to Main.AdminGroup
Edit the topic preferences adding yourself to the ALLOWTOPICCHANGE and GROUP preferences
You are now member of the administrator group

Impact

Administrators can view and edit any page on the Foswiki installation.

Countermeasures

Apply hotfix (see patch below).
Upgrade to the latest patched production FoswikiRelease01x01x02.

Authors and Credits

Hotfix for Foswiki Production Release 1.1.0-1.1.1

This is the patch that fixes the issue

Modified: branches/Release01x01/core/lib/Foswiki/UI/Manage.pm
===================================================================
--- branches/Release01x01/core/lib/Foswiki/UI/Manage.pm   2010-11-09 18:43:46 UTC (rev 9919)
+++ branches/Release01x01/core/lib/Foswiki/UI/Manage.pm   2010-11-09 18:45:06 UTC (rev 9920)
@@ -440,6 +440,8 @@
     my $settings    = $query->param('text');
     my $originalrev = $query->param('originalrev');
 
+    Foswiki::UI::checkAccess( $session, 'CHANGE', $newTopicObject );
+
     $newTopicObject->remove('PREFERENCE');    # delete previous settings
         # Note: $Foswiki::regex{setVarRegex} cannot be used as it requires
         # use in code that parses multiline settings line by line.
@@ -464,8 +466,6 @@
         }
     }
 
-    Foswiki::UI::checkAccess( $session, 'CHANGE', $newTopicObject );
-
     try {
         $newTopicObject->save( minor => 1, forcenewrevision => 1 );
     }

The easiest way to apply this patch is to download the attached already patched source file.

Simply download and replace lib/Foswiki/UI/Manage.pm with Patched Manage.pm

Action Plan with Timeline

2010-11-09 - User discloses issue in support question. (Enrik Guenter)
2010-11-09 - Support question is blocked for public view within a few hours (George Clark)
2010-11-09 - Developer verifies issue (George Clark)
2010-11-09 - Developer fixes code (Crawford Currie)
2010-11-09 - Security team triage the issue (Kenneth Lavrsen)
2010-11-09 - Security team creates advisory with hotfix (Kenneth Lavrsen)
2010-11-10 - Release Manager builds patch release (Kenneth Lavrsen)
2010-11-10 - Send alert to foswiki-announce and foswiki-discuss mailing lists (Kenneth Lavrsen)
2010-11-12 - Publish advisory in Support web and update all related topics (Kenneth Lavrsen)
2010-11-12 - Reference to public advisory on Download page and Known Issues (Kenneth Lavrsen)
2010-11-12 - Issue a public security advisory (vuln@secunia.com, cert@cert.org, bugs@securitytracker.com, full-disclosure@lists.netsys.com, vulnwatch@vulnwatch.org) (Kenneth Lavrsen)