 |
|
You are here: Foswiki>Support Web>KnownIssuesOfFoswiki01x01>SecurityAlerts>SecurityAlert-CVE-2023-24698 (06 Aug 2023, MichaelDaum)Edit Attach
plain text
Security Alert: Local file inclusion vulnerability in viewfile
Get Alerted: to get immediate alerts of high priority security issues, please join the low-volume foswiki-announce list - details at MailingLists Severity Level
Severity 1 issue: The web server can be compromised The severity level was assigned by the Foswiki SecurityTaskTeam as documented in SecurityAlertProcessMITRE Name for this Vulnerability
The Common Vulnerabilities and Exposures project has assigned the name CVE-2023-24698 to this vulnerability.Vulnerable Software Versions
- Foswiki 2.0.0, Foswiki 2.0.0-RC1, Foswiki 2.0.0-RC2, Foswiki 2.0.1, Foswiki 2.0.2, Foswiki 2.0.3, Foswiki 2.1.0, Foswiki 2.1.0-Beta1, Foswiki 2.1.1, Foswiki 2.1.1-RC1, Foswiki 2.1.1-RC2, Foswiki 2.1.2, Foswiki 2.1.3, Foswiki 2.1.3-Beta1, Foswiki 2.1.3-Beta2, Foswiki 2.1.3-RC1, Foswiki 2.1.4, Foswiki 2.1.4-RC1, Foswiki 2.1.4-RC2, Foswiki 2.1.4-RC3, Foswiki 2.1.5, Foswiki 2.1.5-RC, Foswiki 2.1.6, Foswiki 2.1.7
Attack Vectors
A proof of concept isn't included here for security reasons. The attack can be scripted usingcurl.
The POC submitted by Steffen Weinreich allowed to read /etc/passwd but basically
any file could be accessed such as lib/LocalSite.cfg containing sensitive information like passwords and configiration details.
Impact
Any file accessible by the user running the foswiki services (e.g.www-data) can be accessed using a specially crafted
http request to the viewfile endpoint.
Details
Thefilename parameter isn't validated sufficiently in Foswiki::Sandbox
Basically any component using Foswiki::Sandbox::validateAttachmentName will be affected, not only viewfile. Yet viewfile is the most obvious vector.
Countermeasures
- Apply hotfix in Tasks.Item15163
- Upgrade to the latest patched production FoswikiRelease02x01x08.
Authors and Credits
- Steffen Weinreich <[email protected]>
Action Plan with Timeline
- 2022-08-05: Michael Daum was contacted by Steffen Weinreich <[email protected]>
- 2022-08-05: The POC was confirmed and the bug was analysed
- 2022-08-05: a preliminary patch was applied to foswiki.org and blog.foswiki.org to secure the system
- 2022-08-05: hotfix made available, security ML was informed
- 2022-08-06: updated hotfix
- 2022-10-22: CVE Request 1349733 for CVE ID Request ... first attempt
- 2023-01-26: CVE Request 1397709 for CVE ID Request ... second attempt
- 2023-03-08: CVE-2023-24698 approved
- 2023-08-06: fix released in Foswiki-2.1.8
Edit | Attach | Print version | History: r3 < r2 < r1 | Backlinks | View wiki text | Edit wiki text | More topic actions
Topic revision: r3 - 06 Aug 2023, MichaelDaum
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. 
Legal Imprint Privacy Policy
Legal Imprint Privacy Policy