Security Alert CVE-2009-1434: Foswiki Page View Cross-Site Request Forgery (CSRF)



Kenneth Lavrsen
Security Alert: Foswiki Page View Cross-Site Request Forgery (CSRF)

To all Foswiki Administrators

This advisory alerts you to a Cross-Site Request Forgery (CSRF) issue in
your Foswiki installation: state-changing operations are accepted via
HTTP GET requests, so an attack can be triggered merely by a logged-in
user viewing a web page that exploits this. That page can be served by
any web site, including the one hosting the Foswiki installation.

Please DO NOT PUBLICLY ANNOUNCE until 29 Apr 2009, but feel free to
forward this message to Foswiki administrators in your personal network.

We will issue a public advisory on Wed, 29 Apr 2009


---++ VULNERABLE SOFTWARE VERSIONS

   * version 1.0.0
   * version 1.0.1 (1.0.4 release candidate 1 - never officially released)
   * version 1.0.2 (1.0.4 release candidate 2 - never officially released)
   * version 1.0.3 (1.0.4 release candidate 3 - never officially released)
   * version 1.0.4

Foswiki versions 1.0.5 and higher are not vulnerable.


---++ ATTACK VECTORS

Prior to version 1.0.5, Foswiki allows HTTP GET requests to modify
pages, allowing for Cross-Site Request Forgery attacks to occur by
simply viewing a malicious page that uses this exploit. As with all
cross-site request forgery attacks, the user viewing the malicious page
must be already logged into the Foswiki installation in order for the
attack to succeed. The Foswiki installation itself can be used to host
the attack code, which increases the chance that the potential victim is
already logged in.

Any HTML element that causes a browser to fetch a URL automatically can
be placed in a malicious page so that the victim's browser updates the
Foswiki site with the content encoded in that URL, using the identity of
the user viewing the page. Examples of elements that can be used for this
exploit include <img>, <script>, <iframe> and <object>. An <a> element
can also be used, though the user must follow the link for the attack to
occur.


---++ IMPACT

Using this vulnerability, an exploit can perform any operation the victim
is permitted to perform, under the victim's identity. This includes
changing access permissions on Foswiki pages, or modifying the definition
of access groups, including the Foswiki AdminGroup. Lower-privileged
Foswiki users can insert the attack into a commonly visited page and thus
elevate their access to that of the users visiting the page. The attack
is essentially invisible to the victim; at most, the browser may show
that it is still loading or accessing the network for an unexpectedly
long time.


---++ SEVERITY LEVEL

Severity 2 issue - The Foswiki installation is compromised

The severity level was assigned by the Foswiki Security Task Team as
documented in SecurityAlertProcess.


---++ MITRE NAME FOR THIS VULNERABILITY

The Common Vulnerabilities and Exposures project has assigned the name
CVE-2009-1434 to this vulnerability.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1434


---++ DETAILS

The exploit takes advantage of Foswiki allowing data to be saved or
modified by a browser sending an HTTP GET request, which includes the
requests a browser issues for <img>, <script>, <iframe>, <object> and
<a> elements.


---+++ EXAMPLES

Edit a topic using an image tag:
<img src="/bin/save/Sandbox/TestTopic?text=Evil%20text" alt="" />


Edit user configuration using an image tag:
<img src="/bin/save/%USERSWEB%/%WIKINAME%?text=3y3%2520have%2520been%25200wn3d%2520by%2520ashcrow%250A%250a---%252B%252B%2520Related%2520Topics%250A%250A%2520%2520%2520%252A%2520Set%2520ALLOWTOPICCHANGE%2520=%2520%USERSWEB%.%WIKINAME%%252C%2520%USERSWEB%.WikiUsers" alt="" />


Modify a table cell:
Note that the =view= operation can be attacked as well, as some
extensions save data when =view= operations are performed. For example,
!EditTablePlugin can be exploited to alter the contents of a table cell:
<img src="/bin/viewauth/Myweb/TopicWithEditTable?ettablenr=1;etcell2x2=New_value;etrows=5;etsave=Save%20table" alt="" />


Edit a topic using a hypertext link:

Simple HTML anchor tags can be used to save data. Unless users inspect a
target URL before following the link, they will not be aware that data
will be modified by following the link, using their identity.
<a href="http://some.foswiki.site/bin/save/Myweb/TargetTopic?text=TheTextWeWantSaved">Innocent looking text</a>
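As an added example (not part of the original advisory and not Foswiki project code), the following Python script shows how an administrator can check web server access logs for the GET-based writes described above: GET requests to the =save= script, and GET requests to =view= or =viewauth= carrying the !EditTablePlugin =etsave= parameter. The log lines are constructed for illustration in the Apache combined format; the =/bin/= script path prefix and the set of extension save parameters are assumptions to adjust for your own site.

```python
"""Scan access logs for GET requests that would have written Foswiki data
before 1.0.5 (CVE-2009-1434).  Added example for this advisory, not Foswiki
code.  The sample log lines below are constructed (Apache combined format)."""
import re
from urllib.parse import urlsplit, parse_qs

# Apache combined log format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "[^"]*")?'
)

SCRIPT_PREFIX = "/bin/"          # assumption: default Foswiki script path; adjust per site
WRITE_SCRIPTS = {"save"}         # always a write, per the advisory
VIEW_SCRIPTS = {"view", "viewauth"}
VIEW_WRITE_PARAMS = {"etsave"}   # EditTablePlugin save parameter, per the advisory;
                                 # extend with parameters of other extensions you run


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(method, target):
    """Return (script, topic, reason) if this request is a GET that writes data, else None."""
    if method != "GET":
        return None
    parts = urlsplit(target)
    if not parts.path.startswith(SCRIPT_PREFIX):
        return None
    script, _, topic = parts.path[len(SCRIPT_PREFIX):].partition("/")
    # URLs in the advisory separate parameters with ';' as well as '&'
    params = parse_qs(parts.query.replace(";", "&"), keep_blank_values=True)
    if script in WRITE_SCRIPTS:
        return script, topic, f"GET to write script '{script}'"
    if script in VIEW_SCRIPTS:
        hit = sorted(VIEW_WRITE_PARAMS.intersection(params))
        if hit:
            return script, topic, f"GET to '{script}' carrying save parameter(s) {hit}"
    return None


def find_get_writes(lines):
    """Return one record per log line that is a GET-based write."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        found = classify(rec["method"], rec["target"])
        if found is None:
            continue
        script, topic, reason = found
        hits.append({
            "ip": rec["ip"], "ts": rec["ts"], "user": rec["user"],
            "script": script, "topic": topic, "target": rec["target"],
            "referer": rec["referer"] or "-", "reason": reason,
        })
    return hits


# Constructed sample: one benign view, one CSRF save, one legitimate POST save,
# one EditTablePlugin save via viewauth, one plain viewauth.
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Apr/2009:10:00:01 +0200] "GET /bin/view/Main/WebHome HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [27/Apr/2009:10:00:04 +0200] "GET /bin/save/Sandbox/TestTopic?text=Evil%20text HTTP/1.1" 302 0 "http://attacker.example/lure.html" "Mozilla/5.0"',
    '192.0.2.11 - - [27/Apr/2009:10:01:10 +0200] "POST /bin/save/Sandbox/TestTopic HTTP/1.1" 302 0 "http://wiki.example/bin/edit/Sandbox/TestTopic" "Mozilla/5.0"',
    '192.0.2.12 - - [27/Apr/2009:10:02:30 +0200] "GET /bin/viewauth/Myweb/TopicWithEditTable?ettablenr=1;etcell2x2=New_value;etrows=5;etsave=Save%20table HTTP/1.1" 200 4096 "http://wiki.example/bin/view/Main/WebHome" "Mozilla/5.0"',
    '192.0.2.12 - - [27/Apr/2009:10:02:45 +0200] "GET /bin/viewauth/Myweb/TopicWithEditTable HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for h in find_get_writes(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} {h["reason"]} on {h["topic"]} (referer {h["referer"]})')
```

The referer is reported but not used to decide: as the advisory notes, the lure page may be hosted on the Foswiki site itself, so an on-site referer does not make a GET write benign. Run it over your real logs with `find_get_writes(open(path))` before and after upgrading; after 1.0.5 every hit should correspond to a rejected request.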


---++ RESOLUTION IN 1.0.5

To prevent Foswiki sites from being vulnerable to silent attacks using
image tags or other tags that cause the browser to initiate HTTP GET
requests, and attacks by following hypertext links, the Foswiki team has
restricted the ability to save data to HTTP POST requests. The Foswiki
core and all extensions that are bundled with the basic Foswiki
distribution have been altered so that no data can be saved unless the
change is submitted using an HTTP POST request (typically via an HTTP form).

This affects any Foswiki applications that depended on using the GET
method to modify data. Examples of applications that may need to be
modified include the following:

   * If you have implemented an application that creates new topics or
changes existing topics using an HTML form, you must explicitly specify
=method="post"= in the attributes for the form. Note the default value
for the method attribute is =get=, so if no method attribute is
specified, then the form will be unable to modify data.

   * If you have implemented an application that generates links to the
Foswiki =save= script, or to the =view= script with parameters that cause
an extension to save data, you will need to alter the application to
instead display an HTML form (with =method="post"=) and a submit button.
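As an added example (not Foswiki project code), the following Python audit scans the text of a topic for the two cases listed above: =<form>= elements whose action targets the =save= script without =method="post"=, and links (HTML =<a>= or Foswiki =[[url][label]]= links) that point at =save=. The sample topic is constructed. It assumes the save script is referred to either by a =/bin/save= path or by the =%SCRIPTURL{save}%= / =%SCRIPTURLPATH{save}%= macros; extend the pattern for other URL styles used on your site.

```python
"""Audit Foswiki topic text for forms and links that will stop working once
saving is restricted to POST.  Added example for this advisory, not Foswiki
code.  The sample topic is constructed."""
import re
from html.parser import HTMLParser

# Ways a topic may refer to the save script.  Assumption: a /bin/save path or the
# %SCRIPTURL{save}% / %SCRIPTURLPATH{save}% macros; extend for other URL styles.
SAVE_TARGET_RE = re.compile(r'(/bin/save\b|%SCRIPTURL(?:PATH)?\{"?save"?\})', re.I)
# Foswiki [[url][label]] link syntax
WIKI_LINK_RE = re.compile(r'\[\[([^\]]+)\]\[[^\]]*\]\]')


class FormAudit(HTMLParser):
    """Collect <form> and <a> elements that target the save script."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # HTMLParser lowercases attribute names
        line, _ = self.getpos()
        if tag == "form" and SAVE_TARGET_RE.search(a.get("action", "")):
            method = a.get("method", "get").lower()   # HTML default method is GET
            if method != "post":
                self.findings.append({"line": line, "kind": "form", "action": a["action"],
                                      "fix": 'add method="post" to the form'})
        elif tag == "a" and SAVE_TARGET_RE.search(a.get("href", "")):
            self.findings.append({"line": line, "kind": "link", "action": a["href"],
                                  "fix": "replace the link with a POST form and submit button"})


def audit_topic(text):
    """Return findings sorted by line; an empty list means nothing depends on GET saves."""
    p = FormAudit()
    p.feed(text)
    p.close()
    findings = list(p.findings)
    # Wiki-syntax links are not HTML, so scan for them separately
    for m in WIKI_LINK_RE.finditer(text):
        if SAVE_TARGET_RE.search(m.group(1)):
            findings.append({"line": text.count("\n", 0, m.start()) + 1, "kind": "wikilink",
                             "action": m.group(1),
                             "fix": "replace the link with a POST form and submit button"})
    return sorted(findings, key=lambda f: f["line"])


# Constructed sample topic: a GET form to save (broken after 1.0.5), a POST form
# to save (fine), a GET form to view (fine), and two save links (broken).
SAMPLE_TOPIC = """---+ Request form
<form action="%SCRIPTURL{save}%/Sandbox/RequestForm">
<input type="text" name="text" />
<input type="submit" value="Save" />
</form>

<form method="POST" action="/bin/save/Sandbox/Other">
<input type="submit" value="Save" />
</form>

<form action="%SCRIPTURL{view}%/Sandbox/Search">
<input type="text" name="search" />
</form>

   * [[http://wiki.example/bin/save/Sandbox/Quick?text=hello][Quick save]]
<a href="/bin/save/Sandbox/Quick?text=hello">Quick save</a>
"""

if __name__ == "__main__":
    for f in audit_topic(SAMPLE_TOPIC):
        print(f'line {f["line"]}: {f["kind"]} -> {f["action"]}: {f["fix"]}')
```

To audit a whole installation, call `audit_topic()` on each topic file under the data directory; forms that post to =view= for an extension such as !EditTablePlugin are not caught by this pattern and need a site-specific rule.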


---++ COUNTERMEASURES

To protect your Foswiki installation, upgrade to the latest production
release 1.0.5 or later.
http://foswiki.org/Download/FoswikiRelease01x00x05

Release 1.0.5 is available as an upgrade package that can be applied to
a Foswiki installation running any version from 1.0.0 to 1.0.4.


---++ AUTHORS AND CREDITS

   * Steve 'Ashcrow' Milner and Richard Monk of Red Hat Infosec Team for
disclosing the issue
   * Main.CrawfordCurrie and Main.KennethLavrsen for contributing to the
fix, the 1.0.5 release and advisory
   * Members of the Foswiki security team for discussions and ideas, for
testing the 1.0.5 beta, and for editing this security advice


---++ ACTION PLAN WITH TIMELINE

   * 2009-04-15 - User discloses issue to foswiki security mailing list
(Steve 'Ashcrow' Milner (Red Hat))
   * 2009-04-16 - Developer verifies issue (Crawford Currie)
   * 2009-04-16 - Security team triage the issue (Kenneth Lavrsen)
   * 2009-04-16 - Developer fixes code (Crawford Currie and Kenneth Lavrsen)
   * 2009-04-25 - Release Manager builds patch release (Kenneth Lavrsen)
   * 2009-04-26 - Security team creates advisory with hotfix (Kenneth
Lavrsen)
   * 2009-04-27 - Send alert to foswiki-announce and foswiki-discuss
mailing lists (Kenneth Lavrsen)
   * 2009-04-29 - Publish advisory in Support web and update all related
topics (Kenneth Lavrsen)
   * 2009-04-29 - Reference to public advisory on Download page and
Known Issues (Kenneth Lavrsen)
   * 2009-04-29 - Issue a public security advisory to the relevant
mailing lists (addresses redacted in the archived copy) (Kenneth Lavrsen)


---++ References

   [1] http://foswiki.org/Download/FoswikiRelease01x00x05 (released
2009-04-25)
   [2] http://foswiki.org/Development/SecurityAlert-CVE-2009-1434
(available 2009-04-29)
   [3] http://en.wikipedia.org/wiki/Cross-site_request_forgery
   [4] http://foswiki.org/Community/SecurityTaskTeam
   [5] http://foswiki.org/Development/SecurityAlertProcess
   [6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1434
   
-- Kenneth Lavrsen - 2009-04-27


_______________________________________________
Foswiki-discuss mailing list
https://lists.sourceforge.net/lists/listinfo/foswiki-discuss