---+ Security Alert: SpreadSheetPlugin's EVAL feature exposes information about paths and files on the server
By abusing the SpreadSheetPlugin EVAL feature, it is possible to gain information about paths and files on the server.
---++ Severity Level
1
The severity level was assigned by the Foswiki Community.SecurityTaskTeam as documented in Development.SecurityAlertProcess
---++ Vulnerable Software Versions
---++ MITRE Name for this Vulnerability
The Common Vulnerabilities and Exposures project has assigned the name CVE-2023-33756 to this vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33756
---++ Attack Vectors
The EVAL feature of the plugin allows simple evaluation of formulas, which
are passed to the Perl =eval= function. While there is filtering in place, the
characters <, >, *, /, . and e are still permitted, which allows statements such as the following:
<*>. This statement returns the filename of the first file in the current
directory, because Perl evaluates it as a file glob.
This can be combined with the path traversal sequence ../ to get the first
file in every directory from the installation folder up to the root folder.
Furthermore, the regexes in place substitute the string "ee" with a single
"e", which allows attackers to disclose the first file in a folder whose name starts
with the letter "e". For example:
https://<target>/bin/view/System/SpreadSheetPlugin?formula=%24EVAL%28%24CHAR%2860%29../../../ee*/*+%24CHAR%2862%29%29
While the use of % also allows access to hashmaps, we were not able to
leverage it to access anything other than the current module name.
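An allow-list check of the kind that prevents this class of bypass, as an added Perl example (not the plugin's own filter and not the Foswiki hotfix): the expression is validated against a small arithmetic grammar before it reaches =eval=, so the glob operator, path sequences and hash sigils are rejected outright instead of being partially filtered by substitution. The function names =is_safe_expr= and =safe_eval= and the sample inputs are the example's own.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical allow-list validator for a $EVAL() expression (example code,
# not the SpreadSheetPlugin's filter). Only numeric literals, arithmetic
# operators, parentheses and whitespace are accepted. Letters, '<', '>', '%',
# '$' and a bare '.' are never matched, so glob syntax (<*>), traversal
# sequences (../) and hash access cannot reach eval at all, and there is no
# substitution step whose collapsing ("ee" -> "e") could be abused.
my $TOKEN = qr{
    \d+(?:\.\d+)?(?:[eE][+-]?\d+)?   # number; a dot must be followed by digits
  | [-+*/()]                         # arithmetic operators and parentheses
  | \s+                              # whitespace
}x;

sub is_safe_expr {
    my ($expr) = @_;
    return 0 unless defined $expr && length $expr;
    # The whole string must be consumed by allowed tokens; one stray
    # character (such as '<' or a bare '.') rejects the entire expression.
    return $expr =~ /\A(?:$TOKEN)+\z/ ? 1 : 0;
}

sub safe_eval {
    my ($expr) = @_;
    die "rejected expression: $expr\n" unless is_safe_expr($expr);
    my $result = eval $expr;    # reached only for pure arithmetic
    die "evaluation failed: $@" if $@;
    return $result;
}

# Constructed inputs: two ordinary formulas and the two probes quoted in this
# report. The probes are refused before any evaluation takes place.
for my $expr ('2*(3+4.5e1)', '2**10 / 4', '<*>', '../../../ee*/*') {
    my $out = eval { safe_eval($expr) };
    printf "%-16s => %s", $expr, defined $out ? "$out\n" : $@;
}
```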
---++ Impact
An attacker can gain information about the server such as paths or files.
---++ Details
No prerequisites are necessary, as the demo page is
accessible without authentication.
---++ Countermeasures
* Apply [[/pub/Tasks/Item15192/Calc_pm.patch][hotfix]] to =Calc.pm=.
* Restrict unauthorized access to the System.SpreadSheetPlugin topic.
* Upgrade to the latest patched production release, Download.FoswikiRelease02x01x08.
---++ Authors and Credits
Abian Manuel Blome
Siemens Energy Global GmbH & Co. KG
Siemens Energy
Cybersecurity
Technologies
SE CYS A&R TEC
Otto-Hahn-Ring 6
81739 Munich, Germany
---++ Action Plan with Timeline
* 2023-05-17: email from Abian Manuel Blome
* 2023-05-17: first hotfix checked in to 2.1x and master branches
* 2023-05-17: filed a CVE-request
* 2023-05-17: updated hotfix multiple times
* 2023-05-17: applied hotfix to foswiki.org and blog.foswiki.org
* 2023-05-22: updated hotfix based on Abian's feedback
* 2023-05-23: reworked patch to trap any globbing within an =$EVAL()= expression
* 2023-05-31: CVE-2023-33756 was assigned
* 2023-08-06: fix released in Foswiki-2.1.8