Get Alerted: to get immediate alerts of high priority security issues, please join the low-volume
foswiki-announce list - details at MailingLists
Security Alert: User Registration process can be compromised through user registration.
A guest user can create a Main.UserRegistration topic which will override the default System.UserRegistration. A guest user can also create a Main.DefaultWebStatistics topic, which will be included into the WebStatistics pages.
Severity 2 issue: The Foswiki installation is compromised
The severity level was assigned by the Foswiki SecurityTaskTeam
as documented in SecurityAlertProcess
Vulnerable Software Versions
- Foswiki 1.1.0, Foswiki 1.1.0-beta1, Foswiki 1.1.0-RC1, Foswiki 1.1.1, Foswiki 1.1.2, Foswiki 1.1.3, Foswiki 1.1.3-RC1, Foswiki 1.1.4, Foswiki 1.1.4-RC2, Foswiki 1.1.5, Foswiki 1.1.6, Foswiki 1.1.7, Foswiki 1.1.8, Foswiki 1.1.9, Foswiki 1.1.10, Foswiki 1.1.10-RC1, Foswiki 1.2.0_Beta_1, Foswiki 1.2.0_Beta_2, Foswiki 2.0.0, Foswiki 2.0.0-RC1, Foswiki 2.0.0-RC2, Foswiki 2.0.1, Foswiki 2.0.2, Foswiki 2.0.3, Foswiki 2.1.0, Foswiki 2.1.0-Beta1, Foswiki 2.1.1, Foswiki 2.1.1-RC1, Foswiki 2.1.1-RC2, Foswiki 2.1.2, Foswiki 2.1.3, Foswiki 2.1.3-Beta1, Foswiki 2.1.3-Beta2, Foswiki 2.1.3-RC1, Foswiki 2.1.4, Foswiki 2.1.4-RC1, Foswiki 2.1.4-RC2, Foswiki 2.1.4-RC3, Foswiki 2.1.5, Foswiki 2.1.5-RC
Fixed in Foswiki FoswikiRelease02x01x06
Remote guest user can register with a name that becomes the UserRegistration page. Registered users may be able to replace or
modify the User Registration page. A similar vulnerability exists for the DefaultWebStatistics page, which is included into
the WebStatistics reports.
If the System.UserRegistration page is overridden, it is possible that future registration submissions
could be intercepted or modified. If the user simply registered as "User Registration", then it will
be a denial of service, as the default Registration page will no longer be accessible.
If the System.DefaultWebStatistics page is overridden, it's possible to inject content into the WebStatistics
In Foswiki Wiki software 1.1.0 through 2.1.5, when the default User
Registration page is enabled, a remote attacker can register using the
"User" forename and the "Registration" surname, and consequently take
control over the User Registration page. This could potentially lead
to a phishing or other similar malicious action.
In Foswiki Wiki software 1.1.4 through 2.1.5, the System.DefaultWebStatistics
topic is subject to the same vulnerability.
Foswiki 1.0.x is not vulnerable.
Existing Foswiki content and/or user data is not exposed
- To the best of our knowledge, only sites that use the default Foswiki user manager are affected.
- Sites that do not support new user registration are not vulnerable.
- Sites that have a custom %USERSWEB%.UserRegistration that is protected from changes are not vulnerable.
- Sites that support user registrations that have not provided a custom %USERSWEB%.UserRegistration may be vulnerable.
For the WebStatistics topic vulnerability:
- The exposure starts with Foswiki 1.1.4. Older versions are not vulnerable.
- If you do not run statistics generation, or you do not support new user registration, you are not vulnerable
- Sites that have a custom %USERSWEB%.DefaultWebStatistics that is protected from changes are not vulnerable.
- Sites that run statistics generation that have not provided a custom %USERSWEB%.DefaultWebStatistics may be vulnerable.
Authors and Credits
This issue was detected internally by George Clark as part of routine testing.
Hotfix for Foswiki Production Release 1.1.0 - 2.1.5
If User Registration is active on your site, we recommend that administrators take the following actions immediately:
- If your site has a customized User Registration page:
- Examine the permissions of the Main.UserRegistration page and confirm that the ACLs restrict any changes by unauthorized users.
- If the page is not protected, examine the history and content to ensure there have been no undesirable changes.
- If your site does not have a custom User Registration page:
- Copy the System.DefaultUserRegistration to the Usersweb UserRegistration page. Typically Main.UserRegistration.
- Set the ACLs to prevent any unauthorized changes. Use the More topic actions -> Settings page, to set the ACL:
* Set ALLOWTOPICCHANGE = AdminGroup
If you run the Web Statistics tasks, we recommend that administrators take the following actions immediately:
- Follow the same steps as for UserRegistration.
- If Main.DefaultWebStatistics exists, make sure it's protected.
- If not, copy System.DefaultWebStatistics to Main.DefaultWebStatistics and ensure that it's protected.
By making this change, it prevents any user, or the user registration process from creating or changing the UserRegistration page, or the DefaultWebStatistics page.
Any sites using NatEditPlugin should also install the updated version that is available now. It contains some changes that will help ensure ACLs are preserved when topics are copied or edited.
We strongly recommend upgrading to FoswikiRelease02x01x06 as soon as it's available
. Foswiki 2.1.6 will have additional controls that prevents any changes of certain critical topics that are overridden using the Usersweb. We intend to release 2.1.6 on Friday 2 March 2018.
Creating and protecting the topics Main.UserRegistration and Main.DefaultWebStatistics is sufficient to protect you from the identified vulnerability. The following patches provide some additional protections but are not required:
If you are unable to upgrade to Foswiki 2.1.6, the following patches are available:
If your site is using NatEditPlugin, the 25 Feb 2018 release of this extension should also be installed. If not, we suggest discontinuing use of NatEdit by removing the "natedit" skin from the SKIN setting.
The patch files update the following files:
- Foswiki 2.x:
- Foswiki 1.1.x:
The patch files can be installed with the linux
utility, or can be applied manually.
Action Plan with Timeline