---+ Security Alert: Local file inclusion vulnerability in viewfile

The filename parameter isn't validated sufficiently and may be used to read any file on the server.

---++ Severity Level

1

The severity level was assigned by the Foswiki Community.SecurityTaskTeam as documented in Development.SecurityAlertProcess

---++ Vulnerable Software Versions



---++ MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name CVE-2023-24698 to this vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24698

---++ Attack Vectors

A proof of concept isn't included here for security reasons. The attack can be scripted using =curl=.
The POC submitted by Steffen Weinreich allowed reading =/etc/passwd=, but basically
any file could be accessed, such as =lib/LocalSite.cfg=, which contains sensitive information like passwords and configuration details.

---++ Impact

Any file accessible by the user running the Foswiki services (e.g. =www-data=) can be read using a specially crafted
HTTP request to the =viewfile= endpoint.

---++ Details

The =filename= parameter isn't validated sufficiently in =Foswiki::Sandbox=.
Basically any component using =Foswiki::Sandbox::validateAttachmentName= will be affected, not only =viewfile=. Yet =viewfile= is the most obvious vector.
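The kind of strict check an attachment-name validator needs, shown as an added example: this is not Foswiki's own =Foswiki::Sandbox= code, and the function names, the character whitelist and the sample inputs are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example, not Foswiki's own Foswiki::Sandbox code. Function names and
# the whitelist policy are assumptions chosen for illustration.
use strict;
use warnings;
use File::Spec;
use Cwd qw(abs_path);

# Returns the validated bare filename, or undef if the name is unsafe.
# Policy (assumed): exactly one path component, no separators, no dot
# directories, no hidden files, no control/NUL bytes, a conservative whitelist.
sub validate_attachment_name {
    my ($name) = @_;
    return undef unless defined $name && length $name;
    return undef if $name =~ /[\x00-\x1f\x7f]/;        # control chars / NUL
    return undef if $name =~ m{[/\\]};                 # no path separators
    return undef if $name eq '.' || $name eq '..';     # no dot directories
    return undef if $name =~ /^\./;                    # no hidden files
    return undef unless $name =~ /^[\w][\w.\-]*$/;     # conservative whitelist
    return $name;
}

# Defence in depth: even after validation, confine the resolved path to the
# attachment directory before opening anything (abs_path resolves symlinks).
sub resolve_within {
    my ($base, $name) = @_;
    my $safe = validate_attachment_name($name) or return undef;
    my $root = abs_path($base) or return undef;
    my $path = File::Spec->catfile($root, $safe);
    my $real = abs_path($path) // $path;   # file may not exist yet
    return undef unless index($real, "$root/") == 0;
    return $real;
}

# Constructed sample inputs: two legitimate names and four that must be rejected.
for my $candidate ('report.pdf', 'notes-2023.txt', '../../etc/passwd',
                   'lib/LocalSite.cfg', '.htaccess', "a\0b") {
    my $result = validate_attachment_name($candidate);
    printf "%-20s => %s\n", $candidate =~ s/\0/\\0/r,
        defined $result ? 'accepted' : 'rejected';
}
my $ok = resolve_within('/tmp', 'report.pdf');
print "resolve_within: ", ($ok // 'rejected'), "\n";
```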

---++ Countermeasures

   * Apply hotfix in [[Tasks.Item15163]]
   * Upgrade to the latest patched production release, Download.FoswikiRelease02x01x08.

---++ Authors and Credits

   * Steffen Weinreich 

---++ Action Plan with Timeline

   * 2022-08-05: Michael Daum was contacted by Steffen Weinreich 
   * 2022-08-05: The POC was confirmed and the bug was analysed
   * 2022-08-05: a preliminary patch was applied to foswiki.org and blog.foswiki.org to secure the system
   * 2022-08-05: hotfix made available, security ML was informed
   * 2022-08-06: updated hotfix
   * 2022-10-22: CVE Request 1349733 for CVE ID Request ... first attempt
   * 2023-01-26: CVE Request 1397709 for CVE ID Request ... second attempt
   * 2023-03-08: CVE-2023-24698 approved
   * 2023-08-06: fix released in Foswiki-2.1.8