 |
|
You are here: Foswiki>Support Web>SecurityAlert-CVE-2010-4215 (10 Jan 2013, GeorgeClark)Edit Attach
plain text
Security Alert: A normal user can alter topic preferences using the "Edit topic preference settings" feature and save them even though he has no privileges to edit the topic
Get Alerted: to get immediate alerts of high priority security issues, please join the low-volume foswiki-announce list - details at MailingLists Severity Level
Severity 2 issue: The Foswiki installation is compromised The severity level was assigned by the Foswiki SecurityTaskTeam as documented in SecurityAlertProcessMITRE Name for this Vulnerability
The Common Vulnerabilities and Exposures project has assigned the name CVE-2010-4215 to this vulnerability.Vulnerable Software Versions
Fixed in Foswiki 1.1.2Attack Vectors
The most serious explot is elevation to administrator and involves these easy steps.- Register as a normal user on the Foswiki
- Navigate to Main.AdminGroup
- Edit the topic preferences adding yourself to the ALLOWTOPICCHANGE and GROUP preferences
- You are now member of the administrator group
Impact
Administrators can view and edit any page on the Foswiki installation.Countermeasures
- Apply hotfix (see patch below).
- Upgrade to the latest patched production FoswikiRelease01x01x02.
Authors and Credits
Hotfix for Foswiki Production Release 1.1.0-1.1.1
This is the patch that fixes the issue
Modified: branches/Release01x01/core/lib/Foswiki/UI/Manage.pm
===================================================================
--- branches/Release01x01/core/lib/Foswiki/UI/Manage.pm 2010-11-09 18:43:46 UTC (rev 9919)
+++ branches/Release01x01/core/lib/Foswiki/UI/Manage.pm 2010-11-09 18:45:06 UTC (rev 9920)
@@ -440,6 +440,8 @@
my $settings = $query->param('text');
my $originalrev = $query->param('originalrev');
+ Foswiki::UI::checkAccess( $session, 'CHANGE', $newTopicObject );
+
$newTopicObject->remove('PREFERENCE'); # delete previous settings
# Note: $Foswiki::regex{setVarRegex} cannot be used as it requires
# use in code that parses multiline settings line by line.
@@ -464,8 +466,6 @@
}
}
- Foswiki::UI::checkAccess( $session, 'CHANGE', $newTopicObject );
-
try {
$newTopicObject->save( minor => 1, forcenewrevision => 1 );
}
The easiest way to apply this patch is to download the attached already patched source file.
Simply download and replace lib/Foswiki/UI/Manage.pm with Patched Manage.pm
Action Plan with Timeline
- 2010-11-09 - User discloses issue in support question. (Enrik Guenter)
- 2010-11-09 - Support question is blocked for public view within a few hours (George Clark)
- 2010-11-09 - Developer verifies issue (George Clark)
- 2010-11-09 - Developer fixes code (Crawford Currie)
- 2010-11-09 - Security team triage the issue (Kenneth Lavrsen)
- 2010-11-09 - Security team creates advisory with hotfix (Kenneth Lavrsen)
- 2010-11-10 - Release Manager builds patch release (Kenneth Lavrsen)
- 2010-11-10 - Send alert to foswiki-announce and foswiki-discuss mailing lists (Kenneth Lavrsen)
- 2010-11-12 - Publish advisory in Support web and update all related topics (Kenneth Lavrsen)
- 2010-11-12 - Reference to public advisory on Download page and Known Issues (Kenneth Lavrsen)
- 2010-11-12 - Issue a public security advisory (vuln@secunia.com, cert@cert.org, bugs@securitytracker.com, full-disclosure@lists.netsys.com, vulnwatch@vulnwatch.org) (Kenneth Lavrsen)
| I | Attachment | Action | Size | Date | Who | Comment |
|---|---|---|---|---|---|---|
 pm |
Manage.pm | manage | 16 K | 10 Nov 2010 - 22:53 | KennethLavrsen |
Edit | Attach | Print version | History: r11 < r10 < r9 < r8 | Backlinks | View wiki text | Edit wiki text | More topic actions
Topic revision: r11 - 10 Jan 2013, GeorgeClark
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. 
Legal Imprint Privacy Policy
Legal Imprint Privacy Policy