---+ Security Alert: Windows Apache server configured using =.htaccess= files can be compromised.
Foswiki recommends use of Apache configuration files for configuring the server whenever possible. The example files included with Foswiki, and any configurations generated by the ApacheConfigGenerator all specify =AllowOverride None= for the =/pub= directory. If these examples are not used, or the server requires use of =.htaccess= files due to other site requirements, then *Windows hosted* Apache servers could be vulnerable.
Note: This alert is different from the TWiki version. Foswiki recommends that this issue be corrected solely with a configuration change. Software patching is not required. On most platforms there is no need to restrict files named with a trailing dot.
*Foswiki has limited vulnerability to this attack vector.* Systems are only vulnerable when the following conditions exist:
* Foswiki is running on a Windows + Apache web server *(Linux based installations are not vulnerable)*
* AND the Apache server has been configured to enable =.htaccess= file processing in the =pub/= directory *(not recommended)*
---++ Severity Level
1
The severity level was assigned by the Foswiki Community.SecurityTaskTeam as documented in Development.SecurityAlertProcess
---++ Vulnerable Software Versions
---++ MITRE Name for this Vulnerability
The Common Vulnerabilities and Exposures project has assigned the name CVE-2014-7237 to this vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7237
---++ Attack Vectors
An HTTP POST request to a Foswiki server running on Windows (typically port 80/TCP) that uploads a specially named file. Prior authentication is typically required.
---++ Impact
A remote attacker can upload a '.htaccess' file that may make uploaded files executable on the server.
---++ Details
=.htaccess= files allow server options and access rules to be overridden "in-directory". Any setting of ="AllowOverride"= other than ="None"= in the Apache configuration will cause Apache to look for and apply overrides from =.htaccess= files located in the directory of the file that it is about to process. If there is any path for a remote user to upload an =.htaccess= file, then the server is potentially subject to compromise.
Foswiki provides a default ={UploadFilter}= that blocks attempts to upload a file named =.htaccess=. The vulnerability arises because the Windows file system strips a trailing dot from the file name when the file is written to disk, so a name that passes the filter can still land on disk as =.htaccess=.
* Attacker creates a =.htaccess= file that enables execution of a particular file
* Attacker uploads the file as =.htaccess.= (note trailing dot)
* Foswiki =UploadFilter= fails to block the file, due to the trailing dot.
* Foswiki saves the file to disk; Windows strips the trailing dot and writes it as =.htaccess=
* The attacker then uploads a file which, because of the overridden rules, can be executed.
---++ Countermeasures
*No action is necessary on non-Windows server platforms*
* Update the Foswiki ={UploadFilter}= configuration to block files with a trailing dot. (Note the added =?= following the =|cgi)=.)
   * "Security and Authentication" section,
   * "Environment" tab,
   * Reveal the "Expert" settings and change the ={UploadFilter}= setting, adding a =?= after the =cgi)=.
If configure is not convenient, it is also possible to update the =lib\LocalSite.cfg= file directly.
Before:
<verbatim>
$Foswiki::cfg{UploadFilter} = '^(\\.htaccess|.*\\.(?i)(?:php[0-9s]?(\\..*)?|[sp]htm[l]?(\\..*)?|pl|py|cgi))$';
</verbatim>
After:
<verbatim>
$Foswiki::cfg{UploadFilter} = '^(\\.htaccess|.*\\.(?i)(?:php[0-9s]?(\\..*)?|[sp]htm[l]?(\\..*)?|pl|py|cgi)?)$';
</verbatim>
After this change is applied, the file =.htaccess.= will be renamed to =.htaccess..txt= during upload, and Apache will ignore it.
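As an added example (not part of this advisory and not Foswiki's own code), the following Perl script applies the two ={UploadFilter}= expressions above to constructed attachment names and simulates the trailing-dot stripping described under Details. The =.txt= renaming and the Windows name-stripping helpers are simplified assumptions about Foswiki's and Windows' behaviour, not their real implementations.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The {UploadFilter} values quoted in the advisory, before and after the fix.
# Single quotes, as in LocalSite.cfg, so "\\." is the regex \. (a literal dot).
my $before = '^(\\.htaccess|.*\\.(?i)(?:php[0-9s]?(\\..*)?|[sp]htm[l]?(\\..*)?|pl|py|cgi))$';
my $after  = '^(\\.htaccess|.*\\.(?i)(?:php[0-9s]?(\\..*)?|[sp]htm[l]?(\\..*)?|pl|py|cgi)?)$';

# Simplified model (assumption) of Foswiki's attachment-name handling:
# a name matching {UploadFilter} gets ".txt" appended before it is saved.
sub filtered_name {
    my ($filter, $name) = @_;
    return $name =~ /$filter/ ? "$name.txt" : $name;
}

# Simplified model (assumption) of the Windows behaviour the advisory describes:
# trailing dots are dropped from the file name when the file is written to disk.
sub windows_on_disk_name {
    my ($name) = @_;
    (my $on_disk = $name) =~ s/\.+$//;
    return $on_disk;
}

# Constructed sample upload names: benign and already-filtered cases, plus the
# trailing-dot variants that only the corrected filter catches.
my @samples = ('.htaccess', '.htaccess.', 'run.cgi', 'run.cgi.', 'notes.txt');

printf "%-12s  %-16s  %-16s\n", 'uploaded as', 'before (on disk)', 'after (on disk)';
for my $name (@samples) {
    printf "%-12s  %-16s  %-16s\n", $name,
        windows_on_disk_name(filtered_name($before, $name)),
        windows_on_disk_name(filtered_name($after,  $name));
}
```

The =.htaccess.= row shows the original filter letting the name reach disk as =.htaccess=, while the corrected filter saves it as =.htaccess..txt=; =notes.txt= is untouched by both.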
---++ Other recommendations
* Review Apache configuration files for possible misconfiguration:
   * The =/pub= directory should specify =AllowOverride None=
   * Look for _any_ instances of the =AccessFileName= directive. If =.htaccess= has been changed to some other name, the =UploadFilter= must be changed to match that name.
* Find and remove any =.htaccess= files from directories below the =/pub= directory.
   * If any files are found, review the content of any other attachments that may have been made executable by that file.
---++ Authors and Credits
* Credit to Netanel Rubin (netanelr[at]checkpoint.com) for disclosing the issue with detailed description to the [[mailto:[email protected]][[email protected]]] mailing list
* PeterThoeny for notifying the Foswiki project.
---++ Action Plan with Timeline
* 2014-10-01 - Netanel Rubin of Check Point Software discloses issue to TWikiSecurityMailingList [4]
* 2014-10-07 - Peter Thoeny notifies Foswiki project and sends private alert to TWiki community.
* 2014-10-07 - GeorgeClark verifies issue.
* 2014-10-07 - GeorgeClark sends preliminary alert to Foswiki-announce list with recommended configuration changes.
* 2014-10-08 - GeorgeClark, CrawfordCurrie, MichaelDaum, JanKrueger review issue, agree that a code fix is not required. A simple configuration change is sufficient.
* 2014-10-08 - Security team creates advisory with hotfix
* TBD - Release Manager builds patch release (name)
* TBD - Send alert to foswiki-announce and foswiki-discuss mailing lists (name)
* TBD - Publish advisory in Support web and update all related topics (name)
* TBD - Reference to public advisory on Download page and Known Issues (name)
* TBD - Issue a public security advisory ([email protected], [email protected], [email protected] [email protected] [email protected]) (name)
* #Set ALLOWTOPICVIEW = Main.SecurityGroup
* Set ALLOWTOPICCHANGE = Main.SecurityGroup