===========================================================================
             AUSCERT External Security Bulletin Redistribution

         ESB-2005.0749 -- TWiki INCLUDE function allows arbitrary
                          shell command execution
                             29 September 2005

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           TWiki
Publisher:         UNIRAS
Operating System:  UNIX variants
                   Windows
                   Mac OS
Impact:            Execute Arbitrary Code/Commands
Access:            Remote/Unauthenticated
CVE Names:         CAN-2005-3056

Original Bulletin: http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithInclude

--------------------------BEGIN INCLUDED TEXT--------------------

Title
=====
TWiki - TWiki INCLUDE function allows arbitrary shell command execution


Detail
====== 

UNIRAS COMMENT - Please note that the patches discussed in this advisory are not 
attached to this briefing, but are available from the first URL below.
 

This advisory alerts you of a potential security issue with your 
TWiki installation: The TWiki INCLUDE function allows arbitrary 
shell command execution. The permanent place for this advisory is
http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithInclude
where you can see updates and follow-ups.

If you do not use TWiki, please ignore this e-mail. If you don't 
administer your TWiki site, or started a site now administered by 
someone else, please pass it to the current TWiki site administrator.

Please see also unrelated security audit on visible lib directories,
http://twiki.org/cgi-bin/view/Codev/SecurityAuditOnVisibleLibDir

Table of Contents:

   * Vulnerable Software Version
   * Attack Vectors
   * Impact
   * MITRE Name for this Vulnerability
   * Details
   * Countermeasures
   * Authors and Credits
   * Hotfix
      * Patch for TWiki Production Release 03-Sep-2004
      * Patch for TWiki Production Release 02-Sep-2004
      * Patch for TWiki Production Release 01-Feb-2003
   * TWiki News


---++ Vulnerable Software Version

   * TWikiRelease03Sep2004[2] -- TWiki20040903.zip
   * TWikiRelease02Sep2004[3] -- TWiki20040902.zip
   * TWikiRelease01Sep2004[4] -- TWiki20040901.zip
   * TWikiRelease01Feb2003[5] -- TWiki20030201.zip

Not affected are:
   * Recent DakarReleases[6] (upcoming production release, soon)
   * TWikiRelease01Sep2004 patched with Florian Weimer's 
     UncoordinatedSecurityAlert23Feb2005[7]


---++ Attack Vectors

The attack vectors are editing wiki pages and sending HTTP GET requests
to the wiki server (typically port 80/TCP). Prior authentication is
typically necessary (an anonymous TWikiGuest account counts).


---++ Impact

An attacker is able to execute arbitrary shell commands with the
privileges of the web server process, such as user nobody.


---++ MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the 
name CAN-2005-3056 to this vulnerability. 


---++ Details

The TWiki INCLUDE function enables a malicious user to compose a 
command line executed by the Perl backtick (``) operator.

The rev parameter of the INCLUDE variable is not checked properly 
for shell metacharacters and is thus vulnerable to revision 
numbers containing pipes and shell commands. The exploit is 
possible on included topics with two or more revisions.

Example INCLUDE variable exploiting the rev parameter:
%INCLUDE{ "Main.TWikiUsers" rev="2|less /etc/passwd" }%

The same vulnerability is exposed to all Plugins and add-ons that 
use TWiki::Func::readTopicText[8] function to read a previous topic 
revision. This has been tested on TWiki:Plugins.RevCommentPlugin[9] 
and TWiki:Plugins.CompareRevisionsAddon[10].
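As an added example (not code from the TWiki project or from this advisory), the following Perl shows the defensive handling the Details section implies: a revision parameter is accepted only as a plain number, and the RCS checkout is started through a list-form pipe open instead of the backtick operator, so the value never reaches a shell. The helper names, the `/usr/bin/co` path and the `1.N` revision form are assumptions.

```perl
#!/usr/bin/perl
# Added example, not TWiki's own code: validate a rev parameter before it
# is used for a revision lookup, and run the lookup without /bin/sh.
use strict;
use warnings;

# Accept only a plain revision number, optionally in the RCS "1.N" form.
# \A and \z (rather than ^ and $) also reject a trailing newline.
# Returns the bare number, or undef for anything else.
sub sanitize_rev {
    my ($rev) = @_;
    return undef unless defined $rev;
    return $1 if $rev =~ /\A(?:1\.)?(\d{1,9})\z/;
    return undef;   # e.g. "2|less /etc/passwd" is rejected here
}

# Hypothetical revision reader. Instead of composing a command string for
# the backtick operator, the arguments are passed as a list to a pipe open,
# which forks the program directly and never interprets shell metacharacters.
# $rcs_co and the "-p1.N" argument form are assumptions about the RCS setup.
sub read_revision {
    my ($file, $rev) = @_;
    my $n = sanitize_rev($rev);
    die "invalid revision '$rev'\n" unless defined $n;
    my $rcs_co = '/usr/bin/co';            # assumed RCS checkout binary
    open(my $fh, '-|', $rcs_co, '-q', "-p1.$n", $file)
        or die "cannot run $rcs_co: $!\n";
    local $/;                               # slurp the whole revision
    my $text = <$fh>;
    close($fh);
    return $text;
}

# Demonstration on constructed inputs; the third one is the advisory's example.
for my $candidate ('2', '1.2', '2|less /etc/passwd', 'latest') {
    my $ok = sanitize_rev($candidate);
    printf "%-22s -> %s\n", "'$candidate'",
        defined $ok ? "rev $ok" : 'rejected';
}
```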

If access to TWiki is not restricted by other means, attackers can
use the revision function with or without prior authentication,
depending on the configuration.

See Also:
   * IncludePreviousTopicRevision[11]
   * SecurityAlertExecuteCommandsWithRev[12]
   * SecurityAlertExecuteCommandsWithSearch[13]
   * UncoordinatedSecurityAlert23Feb2005[7]


---++ Countermeasures

   * Apply hotfix (see patches below)
      * NOTE: The hotfix is known to prevent the current attacks,  
        but it might not be a complete fix
   * Upgrade to the latest patched production TWikiRelease04Sep2004[1]
      * NOTE: If you are running an *unmodified* 
        TWikiRelease01Sep2004[4], TWikiRelease02Sep2004[3] or
        TWikiRelease03Sep2004[2], simply copy the following patched
        files from TWikiRelease04Sep2004 to your installation:
        lib/TWiki.pm, lib/TWiki/Store.pm, lib/TWiki/UI/RDiff.pm,
        lib/TWiki/UI/View.pm, lib/TWiki/UI/Viewfile.pm
   * Apply patch of UncoordinatedSecurityAlert23Feb2005[7] (but see
     known issues of that patch)
   * Filter access to the web server
   * Use the web server software to restrict access to the web pages
     served by TWiki

---++ Authors and Credits

   * Credit to TWiki:Main.JChristophFuchs (jcf@ipp.mpg.de) and 
     TWiki:Main.JoseLuna (luna@aditel.org) for disclosing the issue
     to the twiki-security@lists.sourceforge.net mailing list
   * TWiki:Main.JoseLuna for contributing a more robust patch to
     recent SecurityAlertExecuteCommandsWithRev[12] issue (included
     in this patch)
   * TWiki:Main.PeterThoeny, TWiki:Main.JoseLuna, 
     TWiki:Main.CrawfordCurrie for contributing to the advisory and
     the patch


---++ Hotfix

---+++ Patch for TWiki Production Release 03-Sep-2004

Affected files: twiki/lib/TWiki.pm, twiki/lib/TWiki/Store.pm,
lib/TWiki/UI/RDiff.pm, lib/TWiki/UI/View.pm,
lib/TWiki/UI/Viewfile.pm

See attached patch file TWiki200409-03-04patch.txt


---+++ Patch for TWiki Production Release 02-Sep-2004

Affected files: twiki/lib/TWiki.pm, twiki/lib/TWiki/Store.pm,
lib/TWiki/UI/RDiff.pm, lib/TWiki/UI/View.pm,
lib/TWiki/UI/Viewfile.pm

See attached patch file TWiki200409-02-04patch.txt


---+++ Patch for TWiki Production Release 01-Feb-2003

__Note:__ This assumes that the release is already patched with 
SecurityAlertExecuteCommandsWithRev[12] fix.

Affected files: twiki/lib/TWiki/Store.pm, twiki/bin/rdiff,
twiki/bin/view, twiki/bin/viewfil=

See attached patch file TWiki200302-01-04patch.txt


---++ TWiki News

   * A new TWiki release is coming soon, code named DakarRelease[6]
   * To customize your TWiki installation, TWiki.org now offers
     177 Plugin packages[14], 56 Add-on packages[15], 30 Skin
     packages[16], and 11 TWiki contrib packages[17]
   * Codev.TWikiSecurityAlertProcess[18] documents our security
     process
   * Wikis and TWiki get covered more by the press[19]
   * TWiki is represented at the International Symposium on Wikis[20]
     in San Diego, 17-18 Oct 2005
   * A new book on Wikis in the Workplace is in the works[21]

Best regards,
Peter


[1]:  http://twiki.org/cgi-bin/view/Codev/TWikiRelease04Sep2004
[2]:  http://twiki.org/cgi-bin/view/Codev/TWikiRelease03Sep2004
[3]:  http://twiki.org/cgi-bin/view/Codev/TWikiRelease02Sep2004
[4]:  http://twiki.org/cgi-bin/view/Codev/TWikiRelease01Sep2004
[5]:  http://twiki.org/cgi-bin/view/Codev/TWikiRelease01Feb2003
[6]:  http://twiki.org/cgi-bin/view/Codev/DakarReleases
[7]:  http://twiki.org/cgi-bin/view/Codev/UncoordinatedSecurityAlert23Feb2005
[8]:  http://twiki.org/cgi-bin/view/TWiki/TWikiFuncModule
[9]:  http://twiki.org/cgi-bin/view/Plugins/RevCommentPlugin
[10]: http://twiki.org/cgi-bin/view/Plugins/CompareRevisionsAddon
[11]: http://twiki.org/cgi-bin/view/Codev/IncludePreviousTopicRevision
[12]: http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithRev
[13]: http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearch
[14]: http://twiki.org/cgi-bin/view/Plugins/PluginPackage
[15]: http://twiki.org/cgi-bin/view/Plugins/AddOnPackage
[16]: http://twiki.org/cgi-bin/view/Plugins/SkinPackage
[17]: http://twiki.org/cgi-bin/view/Plugins/ContribPackage
[18]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess
[19]: http://twiki.org/cgi-bin/view/Codev/TWikiInTheNews
[20]: http://twiki.org/cgi-bin/view/Codev/InternationalSymposiumOnWikis
[21]: http://twiki.org/cgi-bin/view/Codev/WikisInTheWorkplaceBook



--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
