Get Alerted: to get immediate alerts of high priority security issues, please join the low-volume foswiki-announce list - details at MailingLists

plain text

Security Alert: A normal user can alter topic preferences using the "Edit topic preference settings" feature and save them even though he has no privileges to edit the topic

This advisory alerts you of a potential security issue with your Foswiki installation. A bug was introduced in Foswiki 1.1.0 that allows any user to edit and save through the "More Topic Actions" -> "Edit topic preference settings".

This has a serious consequence as it allows the user to change the settings that defines access rights to the topic. This includes the important AdminGroup topic in the Main web. Any normal user can exploit this to elevate himself to administrator.

It is therefore important that any Foswiki 1.1.0 or 1.1.1 installation is upgraded to 1.1.2 immediately. You can also apply the patch provided with this advisory.

Severity Level

Severity 2 issue: The Foswiki installation is compromised

The severity level was assigned by the Foswiki SecurityTaskTeam as documented in SecurityAlertProcess

MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name CVE-2010-4215 to this vulnerability.

Vulnerable Software Versions

• Foswiki 1.1.0, Foswiki 1.1.1

Fixed in Foswiki 1.1.2

Attack Vectors

The most serious explot is elevation to administrator and involves these easy steps.

• Register as a normal user on the Foswiki
• Navigate to Main.AdminGroup
• Edit the topic preferences adding yourself to the ALLOWTOPICCHANGE and GROUP preferences
• You are now member of the administrator group

Impact

Administrators can view and edit any page on the Foswiki installation.

Countermeasures

• Apply hotfix (see patch below).
• Upgrade to the latest patched production FoswikiRelease01x01x02.

Authors and Credits

Hotfix for Foswiki Production Release 1.1.0-1.1.1

This is the patch that fixes the issue

Modified: branches/Release01x01/core/lib/Foswiki/UI/Manage.pm
===================================================================
--- branches/Release01x01/core/lib/Foswiki/UI/Manage.pm   2010-11-09 18:43:46 UTC (rev 9919)
+++ branches/Release01x01/core/lib/Foswiki/UI/Manage.pm   2010-11-09 18:45:06 UTC (rev 9920)
@@ -440,6 +440,8 @@
     my $settings    = $query->param('text');
     my $originalrev = $query->param('originalrev');
 
+    Foswiki::UI::checkAccess( $session, 'CHANGE', $newTopicObject );
+
     $newTopicObject->remove('PREFERENCE');    # delete previous settings
         # Note: $Foswiki::regex{setVarRegex} cannot be used as it requires
         # use in code that parses multiline settings line by line.
@@ -464,8 +466,6 @@
         }
     }
 
-    Foswiki::UI::checkAccess( $session, 'CHANGE', $newTopicObject );
-
     try {
         $newTopicObject->save( minor => 1, forcenewrevision => 1 );
     }

The easiest way to apply this patch is to download the attached already patched source file.

Simply download and replace lib/Foswiki/UI/Manage.pm with Patched Manage.pm

Action Plan with Timeline

• 2010-11-09 - User discloses issue in support question. (Enrik Guenter)
• 2010-11-09 - Support question is blocked for public view within a few hours (George Clark)
• 2010-11-09 - Developer verifies issue (George Clark)
• 2010-11-09 - Developer fixes code (Crawford Currie)
• 2010-11-09 - Security team triage the issue (Kenneth Lavrsen)
• 2010-11-09 - Security team creates advisory with hotfix (Kenneth Lavrsen)
• 2010-11-10 - Release Manager builds patch release (Kenneth Lavrsen)
• 2010-11-10 - Send alert to foswiki-announce and foswiki-discuss mailing lists (Kenneth Lavrsen)
• 2010-11-12 - Publish advisory in Support web and update all related topics (Kenneth Lavrsen)
• 2010-11-12 - Reference to public advisory on Download page and Known Issues (Kenneth Lavrsen)
• 2010-11-12 - Issue a public security advisory (vuln@secunia.com, cert@cert.org, bugs@securitytracker.com, full-disclosure@lists.netsys.com, vulnwatch@vulnwatch.org) (Kenneth Lavrsen)

Action plan fully completed 2010-11-12

Kenneth Lavrsen

Release Manager and Leader of the Foswiki Security Task Team