Security Alert: A normal user can alter topic preferences using the "Edit topic preference settings" feature and save them even though he has no privileges to edit the topic
This advisory alerts you of a potential security issue with your Foswiki installation. A bug was introduced in Foswiki 1.1.0 that allows any user to edit and save a topic's preference settings through "More Topic Actions" -> "Edit topic preference settings", regardless of whether that user is allowed to change the topic.
This has a serious consequence as it allows the user to change the settings that define access rights to the topic. This includes the important AdminGroup topic in the Main web. Any normal user can exploit this to elevate himself to administrator.
It is therefore important that any Foswiki 1.1.0 or 1.1.1 installation is upgraded to 1.1.2 immediately. You can also apply the patch provided with this advisory.
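The patch further down this advisory does one thing: it moves the CHANGE access check so that it runs before the topic's stored PREFERENCE settings are discarded and replaced with the submitted ones. The following Python model, added to this advisory and not Foswiki code, shows why that ordering matters. TopicObject, check_access, parse_settings and the two save_settings_* functions are constructed stand-ins (the real checkAccess also honours DENY rules, web-level settings and group membership, which are not modelled here); the sample topic and submission are constructed as well.

```python
# Added illustration (not Foswiki code): the order of the CHANGE check relative
# to replacing a topic's PREFERENCE settings decides which rules get evaluated.


class AccessControlException(Exception):
    """Raised when the acting user may not perform the requested action."""


class TopicObject:
    """Minimal stand-in for a Foswiki topic: a name plus its PREFERENCE settings."""

    def __init__(self, name, preferences):
        self.name = name
        self.preferences = dict(preferences)  # e.g. {"ALLOWTOPICCHANGE": "AdminUser"}

    def remove(self, kind):
        # Mirrors $newTopicObject->remove('PREFERENCE'): drop the stored settings.
        if kind == "PREFERENCE":
            self.preferences = {}

    def put_preference(self, key, value):
        self.preferences[key] = value


def check_access(user, mode, topic):
    """Simplified checkAccess: evaluate ALLOWTOPIC<mode> on the object's *current*
    preferences. A user passes when listed, or when no ALLOW rule is set at all.
    Group expansion and DENY rules are deliberately not modelled (assumption)."""
    rule = topic.preferences.get("ALLOWTOPIC" + mode, "")
    allowed = [name.strip() for name in rule.split(",") if name.strip()]
    if allowed and user not in allowed:
        raise AccessControlException(f"{user} may not {mode} {topic.name}")


def parse_settings(text):
    """Parse '   * Set NAME = value' lines, the format of the settings form's text field."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("* Set "):
            key, _, value = line[len("* Set "):].partition("=")
            settings[key.strip()] = value.strip()
    return settings


def save_settings_vulnerable(user, topic, text):
    """Pre-patch ordering: stored settings replaced first, access checked afterwards,
    so the check sees whatever ALLOWTOPICCHANGE the request itself supplied."""
    topic.remove("PREFERENCE")
    for key, value in parse_settings(text).items():
        topic.put_preference(key, value)
    check_access(user, "CHANGE", topic)
    return topic.preferences


def save_settings_fixed(user, topic, text):
    """Patched ordering: access is checked against the stored settings before
    anything in the request is allowed to modify the topic object."""
    check_access(user, "CHANGE", topic)
    topic.remove("PREFERENCE")
    for key, value in parse_settings(text).items():
        topic.put_preference(key, value)
    return topic.preferences


def demo():
    # Constructed sample: a topic only AdminUser may change, and a submission from
    # an ordinary user that rewrites the ALLOWTOPICCHANGE rule to include itself.
    stored = {"ALLOWTOPICCHANGE": "AdminUser"}
    submitted = "   * Set ALLOWTOPICCHANGE = AdminUser, NormalUser\n"
    outcome = {}
    for label, save in (("vulnerable", save_settings_vulnerable), ("fixed", save_settings_fixed)):
        try:
            save("NormalUser", TopicObject("Main.AdminGroup", stored), submitted)
            outcome[label] = "saved"
        except AccessControlException:
            outcome[label] = "denied"
    return outcome


if __name__ == "__main__":
    print(demo())
```

Running the module prints `{'vulnerable': 'saved', 'fixed': 'denied'}`: with the pre-patch ordering the authorization decision is made on attacker-controlled state, with the patched ordering it is made on the stored state and an allowed user can still save. The general lesson for reviewing similar code is that an access check must run before the request is allowed to touch the object the check reads from.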
Severity Level
Severity 2 issue: The Foswiki installation is compromised
The severity level was assigned by the Foswiki SecurityTaskTeam as documented in SecurityAlertProcess
MITRE Name for this Vulnerability
The Common Vulnerabilities and Exposures project has assigned the name CVE-2010-4215 to this vulnerability.
Vulnerable Software Versions: Foswiki 1.1.0, 1.1.1
Fixed in: Foswiki 1.1.2
Attack Vectors
The most serious exploit is elevation to administrator and involves these easy steps.
- Register as a normal user on the Foswiki
- Navigate to Main.AdminGroup
- Edit the topic preferences adding yourself to the ALLOWTOPICCHANGE and GROUP preferences
- You are now member of the administrator group
Impact
Administrators can view and edit any page on the Foswiki installation.
Countermeasures
Authors and Credits
Hotfix for Foswiki Production Release 1.1.0-1.1.1
This is the patch that fixes the issue
Modified: branches/Release01x01/core/lib/Foswiki/UI/Manage.pm
===================================================================
--- branches/Release01x01/core/lib/Foswiki/UI/Manage.pm 2010-11-09 18:43:46 UTC (rev 9919)
+++ branches/Release01x01/core/lib/Foswiki/UI/Manage.pm 2010-11-09 18:45:06 UTC (rev 9920)
@@ -440,6 +440,8 @@
my $settings = $query->param('text');
my $originalrev = $query->param('originalrev');
+ Foswiki::UI::checkAccess( $session, 'CHANGE', $newTopicObject );
+
$newTopicObject->remove('PREFERENCE'); # delete previous settings
# Note: $Foswiki::regex{setVarRegex} cannot be used as it requires
# use in code that parses multiline settings line by line.
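Review bot: the return value of the moved `Foswiki::UI::checkAccess( $session, 'CHANGE', $newTopicObject );` is discarded, so this placement only protects `$newTopicObject->remove('PREFERENCE')` and everything after it because checkAccess throws on denial rather than returning a status; a one-line comment stating that the call is expected to throw would stop a later change to a return-based check from silently reopening the hole. It would also be cleaner to place the check above `my $settings = $query->param('text');` so the authorization decision precedes any handling of request data.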
@@ -464,8 +466,6 @@
}
}
- Foswiki::UI::checkAccess( $session, 'CHANGE', $newTopicObject );
-
try {
$newTopicObject->save( minor => 1, forcenewrevision => 1 );
}
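Review bot: the removed call sat after the settings loop closed by the two `}` context lines, that is after `remove('PREFERENCE')` had dropped the stored settings and the loop had repopulated `$newTopicObject` from the request, so CHANGE was being evaluated against the submitted ALLOWTOPICCHANGE rather than the stored one; deleting it here is correct only together with the previous hunk, and the commit message should say so. A regression test that submits settings granting the requester CHANGE on a topic they may not edit, and asserts the request is rejected before `$newTopicObject->save( minor => 1, forcenewrevision => 1 );` runs, would guard against the check drifting back below the loop.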
The easiest way to apply this patch is to download the attached already patched source file.
Simply download and replace lib/Foswiki/UI/Manage.pm with Patched Manage.pm
Action Plan with Timeline
- 2010-11-09 - User discloses issue in support question. (Enrik Guenter)
- 2010-11-09 - Support question is blocked for public view within a few hours (George Clark)
- 2010-11-09 - Developer verifies issue (George Clark)
- 2010-11-09 - Developer fixes code (Crawford Currie)
- 2010-11-09 - Security team triages the issue (Kenneth Lavrsen)
- 2010-11-09 - Security team creates advisory with hotfix (Kenneth Lavrsen)
- 2010-11-10 - Release Manager builds patch release (Kenneth Lavrsen)
- 2010-11-10 - Send alert to foswiki-announce and foswiki-discuss mailing lists (Kenneth Lavrsen)
- 2010-11-12 - Publish advisory in Support web and update all related topics (Kenneth Lavrsen)
- 2010-11-12 - Reference to public advisory on Download page and Known Issues (Kenneth Lavrsen)
- 2010-11-12 - Issue a public security advisory (vuln@secunia.com, cert@cert.org, bugs@securitytracker.com, full-disclosure@lists.netsys.com, vulnwatch@vulnwatch.org) (Kenneth Lavrsen)
Action plan fully completed 2010-11-12
Kenneth Lavrsen
Release Manager and Leader of the Foswiki Security Task Team