Item15163: Local file inclusion vulnerability in viewfile

The filename parameter isn't validated sufficiently and may be used to read any file on the server.

A proof of concept isn't included here for security reasons.

Affected Component

• Foswiki::Sandbox
• Foswiki::UI::Viewfile

Basically any component using Foswiki::Sandbox::validateAttachmentName will be affected, not only viewfile. Yet viewfile is the most obvious vector.

Affected Foswiki versions

all

Timeline

• 2022-08-05: Michael Daum was contacted by Steffen Weinreich <[email protected]>
• 2022-08-05: The POC was confirmed and the bug was analysed
• 2022-08-05: a preliminary patch was applied to foswiki.org and blog.foswiki.org to secure the system
• 2022-08-05: hotfix made available, security ML was informed
• 2022-08-06: updated hotfix

Hotfix (updated)

diff --git a/lib/Foswiki/Sandbox.pm b/lib/Foswiki/Sandbox.pm
index dd67911..672d4dd 100644
--- a/lib/Foswiki/Sandbox.pm
+++ b/lib/Foswiki/Sandbox.pm
@@ -199,6 +199,10 @@ sub validateAttachmentName {
     my @result;
     foreach my $component (@dirs) {
         return unless defined($component) && $component ne '';
+
+       # Filter nasty characters
+       $component =~ s/$Foswiki::cfg{AttachmentNameFilter}//g;
+
         next if $component eq '.';
         if ( $component eq '..' ) {
             if ( scalar(@result) ) {
@@ -214,9 +218,6 @@ sub validateAttachmentName {
             }
         }
         else {
-
-            # Filter nasty characters
-            $component =~ s/$Foswiki::cfg{AttachmentNameFilter}//g;
             push( @result, $component );
         }
     }
@@ -236,16 +237,16 @@ sub _cleanUpFilePath {
         next unless ( defined($component) && $component ne '' || $first );
         $first = 0;
         $component = '' unless defined $component;
-        next if $component eq '.';
-        if ( $component eq '..' ) {
-            throw Error::Simple( 'relative path in filename ' . $string );
-        }
-        elsif ( $component =~ m/$Foswiki::cfg{AttachmentNameFilter}/ ) {
+        if ( $component =~ m/$Foswiki::cfg{AttachmentNameFilter}/ ) {
             throw Error::Simple( 'illegal characters in file name component "'
                   . $component
                   . '" of filename '
                   . $string );
         }
+        next if $component eq '.';
+        if ( $component eq '..' ) {
+            throw Error::Simple( 'relative path in filename ' . $string );
+        }
         push( @result, $component );
     }

diff --git a/lib/Foswiki/UI/Viewfile.pm b/lib/Foswiki/UI/Viewfile.pm
index ebf2cee..825e710 100644
--- a/lib/Foswiki/UI/Viewfile.pm
+++ b/lib/Foswiki/UI/Viewfile.pm
@@ -153,6 +153,17 @@ sub viewfile {
     $fileName = Foswiki::Sandbox::untaint( $fileName,
         \&Foswiki::Sandbox::validateAttachmentName );

+    if ( !$fileName ) {
+        throw Foswiki::OopsException(
+            'attention',
+            def    => 'no_such_attachment',
+            web    => $web,
+            topic  => $topic,
+            status => 404,
+            params => ['?']
+        );
+    }
+
     #print STDERR "VIEWFILE: web($web), topic($topic), file($fileName)\n";

     my $rev = Foswiki::Store::cleanUpRevID( scalar( $query->param('rev') ) );

-- MichaelDaum - 05 Aug 2022

More at Support.SecurityAlert-CVE-2023-24698

-- MichaelDaum - 08 Mar 2023

Commenting is disabled while not logged in