You are here: Foswiki>Tasks Web>Item15192 (06 Aug 2023, MichaelDaum)Edit Attach

Item15192: SpreadSheetPlugin's EVAL feature exposes information about paths and files on the server

Priority: Security
Current State: Closed
Released In: 2.1.8
Target Release: patch

Applies To: Extension
Component: SpreadSheetPlugin
Branches: Release02x01 master

Reported By: MichaelDaum
Waiting For:
Last Change By: MichaelDaum

Contact

Abian Manuel Blome

Siemens Energy Global GmbH & Co. KG
Siemens Energy
Cybersecurity
Technologies
SE CYS A&R TEC
Otto-Hahn-Ring 6
81739 Munich, Germany

Problem description

By abusing the SpreadSheetPlugin EVAL feature, it is possible to gain information about paths and files on the server.

How to reproduce

The EVAL feature of the plugin allows simple evaluation of formulas which are passed to the perl eval function. While there is filtering in place, the use of <, >, *, /, . and e allows to make statements such as the following: <*>. This statement returns the filename of the first file in the current directory. This basically is evaluating a perl file glob.

This can be combined with the path traversal sequence ../ to get the first file in all directories from the installation folder up to the root folder. Furthermore, the regexes in place substitute the string "ee" with a single "e", which allows attackers to disclose the first file in a folder starting with the letter "e". For example:

https://<target>/bin/view/System/SpreadSheetPlugin?formula=%24EVAL%28%24CHAR%2860%29../../../ee*/*+%24CHAR%2862%29%29

While the use of % also allows access to hashmaps, we were not able to leverage it to access anything other than the current module name.

Impact

An attacker can gain information about the server such as paths or files.

Prerequisites

No prerequisites are necessary, as the demo page is accessible without authentication.

Timeline

2023-05-17: email from Abian Manuel Blome
2023-05-17: first hotfix checked in to 2.1x and master branches
2023-05-17: filed a CVE-request
2023-05-17: updated hotfix multiple times
2023-05-17: applied hotfix to foswiki.org and blog.foswiki.org
2023-05-22: updated hotfix based on Abian's feedback
2023-05-23: reworked patch to trap any globbing within an $EVLA() expression
2023-05-31: CVE-2023-33756 approved

Hotfix

Calc_pm.patch

-- MichaelDaum - 17 May 2023

Besides this fix System.SpreadSheetPlugin will be view restricted to registered users only.

-- MichaelDaum - 17 May 2023

Abian keeps on testing the hotfix. Holidays in between.

-- MichaelDaum - 17 May 2023

New approach using Safe evaluation.

-- MichaelDaum - 23 May 2023

Waiting for the official CVE ID to be assigned.

-- MichaelDaum - 25 May 2023

More at Support.SecurityAlert-CVE-2023-33756

-- MichaelDaum - 31 May 2023

ItemTemplate edit

Summary	SpreadSheetPlugin's EVAL feature exposes information about paths and files on the server
ReportedBy	MichaelDaum
Codebase
SVN Range
AppliesTo	Extension
Component	SpreadSheetPlugin
Priority	Security
CurrentState	Closed
WaitingFor
Checkins	distro:acf891bb0f08 distro:4c2c7de20cfa distro:11a264498d73 distro:c8c592a41a4a distro:9c6fb46d8958 distro:82cbc46592ce distro:7a1d42370cae distro:6759b465103f distro:b10349507110 distro:e3afa2c31ccc distro:aa5fe1d19c0c distro:7300b56c505e distro:a0bc7a109903 distro:343501af95f3 distro:0714f195dd28 distro:ea288935735d
TargetRelease	patch
ReleasedIn	2.1.8
CheckinsOnBranches	Release02x01 master
trunkCheckins
masterCheckins	distro:4c2c7de20cfa distro:c8c592a41a4a distro:82cbc46592ce distro:6759b465103f distro:e3afa2c31ccc distro:7300b56c505e distro:343501af95f3 distro:ea288935735d
ItemBranchCheckins
Release02x01Checkins	distro:acf891bb0f08 distro:11a264498d73 distro:9c6fb46d8958 distro:7a1d42370cae distro:b10349507110 distro:aa5fe1d19c0c distro:a0bc7a109903 distro:0714f195dd28
Release02x00Checkins
Release01x01Checkins