
Twiki Security Alerts


Twiki Security Alerts

Michael Lorenzen
Hi all,

Peter Thoeny released two security alerts for twiki today:
http://seclists.org/fulldisclosure/2014/Oct/44
http://seclists.org/fulldisclosure/2014/Oct/45

Does this affect foswiki also?

_______________________________________________
Foswiki-discuss mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/foswiki-discuss

Re: Twiki Security Alerts

George Clark-2
Hi Michael,

We sent an alert to Foswiki-announce, but not the discussion list.

The vulnerability with debugenableplugins is not exposed on Foswiki.  Foswiki is not vulnerable.

The .htaccess file issue DOES apply to Foswiki.  It only applies to Foswiki servers running on Windows, and with their apache server configured to use .htaccess files.    The solution is a simple regex change to the UploadFilter setting.  We do not intend to release a software patch or new release to address this issue.   Here is an updated version of what we sent to Foswiki-announce on Tuesday.

The root cause is that the Windows file system silently modifies the file name, removing a trailing "dot" suffix.  So even though Foswiki filters to block uploads of ".htaccess" (exact match), Windows will save ".htaccess."  as ".htaccess".

George Clark

-------------

Today TWiki announced two vulnerabilities with corresponding CVE numbers.   Foswiki is not vulnerable to the first, and has limited vulnerability to the 2nd CVE.

Security Alert CVE-2014-7236: Remote Perl code execution with query string

Foswiki is not vulnerable to this attack vector.  No action is required.

Security Alert CVE-2014-7237: Apache configuration file upload on TWiki on Windows server

Foswiki has limited vulnerability to this attack vector. Systems are only vulnerable when the following conditions exist:

  • Foswiki is running on a Windows + Apache web server (Linux based installations are not vulnerable)
  • AND the Apache server has been configured to allow .htaccess files in the directories below the pub/ directory (not recommended)
Sites using an Apache configuration file generated by the ApacheConfigGenerator, or the provided example Apache configuration file "foswiki_httpd_conf.txt" are not vulnerable unless the configuration has been edited locally.

If you believe your installation may be vulnerable then the strongly recommended course of action is to reconfigure Apache to disable the use of .htaccess files in the Foswiki pub directory.

If this is not possible for some reason (for example, you are running on a hosted system and don't have access to the Apache configuration), then the following change can be applied in LocalSite.cfg.

In the Foswiki /bin/configure interface:
  • "Security and Authentication" Section,
    • "Environment" Tab,
      Reveal the "Expert" settings and change the {UploadFilter} setting, adding a ? after the cgi):
      • cgi))  changes to  cgi)?)

If editing LocalSite.cfg manually,  the line changes as follows:  

Before:
   $Foswiki::cfg{UploadFilter} = '^(\\.htaccess|.*\\.(?i)(?:php[0-9s]?(\\..*)?|[sp]htm[l]?(\\..*)?|pl|py|cgi))$';
After:
   $Foswiki::cfg{UploadFilter} = '^(\\.htaccess|.*\\.(?i)(?:php[0-9s]?(\\..*)?|[sp]htm[l]?(\\..*)?|pl|py|cgi)?)$';

The result of this change:   Any file ending in a trailing dot (.) will have the name changed.    "somefile."  will become "somefile..txt".   This change is recommended because some file systems will silently discard a trailing dot in the filename, which then impacts other filename checks.  (The only system that we are aware of with this exposure is Windows.)
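To make the effect of the regex change concrete, here is an added example (not Foswiki's own code, and not part of the announcement) that transcribes both versions of the {UploadFilter} pattern into Python and runs them against a few constructed attachment names. It assumes the behaviour the announcement describes: a matching name has ".txt" appended, and the Windows file system discards a trailing dot when the file is created (the `windows_stored_name` function is a simplified model of that rule, not a Windows API).

```python
import re

# Foswiki's {UploadFilter} regex before and after the recommended change,
# transcribed from the Perl setting above into Python syntax: Perl's '\\.'
# inside the single-quoted string is '\.', and the mid-pattern (?i) is
# written as a scoped (?i:...) group, which Python's re module accepts.
UPLOAD_FILTER_BEFORE = re.compile(
    r'^(\.htaccess|.*\.(?i:php[0-9s]?(\..*)?|[sp]htm[l]?(\..*)?|pl|py|cgi))$')
UPLOAD_FILTER_AFTER = re.compile(
    r'^(\.htaccess|.*\.(?i:php[0-9s]?(\..*)?|[sp]htm[l]?(\..*)?|pl|py|cgi)?)$')


def apply_filter(name, upload_filter):
    """Return the attachment name Foswiki would ask the file system to store.
    A name matching {UploadFilter} gets '.txt' appended (the renaming the
    announcement describes); any other name is kept unchanged."""
    return name + '.txt' if upload_filter.match(name) else name


def windows_stored_name(name):
    """Simplified model (assumption) of the Windows file system rule the
    announcement describes: trailing dots and spaces in a requested file
    name are silently discarded when the file is created."""
    return name.rstrip('. ')


def simulate_upload(name, upload_filter, windows):
    """Run the requested name through the filter and then through the file
    system's own normalisation, returning the name that ends up in pub/."""
    filtered = apply_filter(name, upload_filter)
    return windows_stored_name(filtered) if windows else filtered


def htaccess_block_defeated(upload_filter, windows=True):
    """True if a name requested as '.htaccess.' ends up stored as '.htaccess',
    i.e. the exact-match block in the filter did not hold."""
    return simulate_upload('.htaccess.', upload_filter, windows) == '.htaccess'


if __name__ == '__main__':
    # Constructed sample names; none of these come from the announcement.
    samples = ('.htaccess', '.htaccess.', 'shell.php', 'Index.PHP',
               'notes.pdf.', 'photo.jpg')
    for label, f in (('before', UPLOAD_FILTER_BEFORE), ('after', UPLOAD_FILTER_AFTER)):
        for n in samples:
            print(f'{label:6} {n!r:14} -> stored on Windows as '
                  f'{simulate_upload(n, f, windows=True)!r}')
        print(f'{label:6} .htaccess block defeated on Windows: '
              f'{htaccess_block_defeated(f)}')
```

With the "before" pattern the filter leaves ".htaccess." alone, and the trailing-dot rule turns it into ".htaccess" on disk; with the "after" pattern the optional extension group matches any name ending in a dot, so the same request is stored as ".htaccess..txt". On a file system that keeps the trailing dot (the `windows=False` path) neither version is affected, which matches the announcement's statement that Linux installations are not vulnerable.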

For Sites using .htaccess based configuration:

First,  be really sure that your site requires use of .htaccess configuration.   If you can configure foswiki using apache configuration files, that is the recommended approach.  It has lower overhead and is more secure.     If you do not require .htaccess, be sure that "AllowOverride none" is specified for every directory in your foswiki Apache configuration.

If .htaccess files are required,  or if you found AllowOverride set to other than "none",  Administrators of Windows based Apache servers especially should:
  • Review Apache configuration files for possible misconfiguration:
    • The /pub directory should specify AllowOverride None
    • Look for any instances of the AccessFileName directive. If .htaccess has been changed to some other name, the UploadFilter must be changed to match that name.
  • Find and remove any .htaccess files from directories below the /pub directory.
    • If any files are found, review the content of any other attachments that may have been made executable by that file.
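The review steps above can be scripted. The following is an added example (not Foswiki's or Apache's own code) that checks an Apache configuration text for the two items in the list, AllowOverride on the pub directory and any AccessFileName directive, and then looks for files carrying an access-file name under pub/. The configuration fragment and the directory listing in it are constructed for illustration; the regexes cover plain `<Directory>` blocks and single-line directives and are not a full Apache config parser.

```python
import os
import re

# Constructed sample (not from the announcement) of a Foswiki Apache
# configuration fragment showing both misconfigurations the checklist
# looks for: AllowOverride left enabled on pub/, and AccessFileName renamed.
SAMPLE_CONF = """\
AccessFileName .myaccess
<Directory "/var/www/foswiki/bin">
    AllowOverride None
</Directory>
<Directory "/var/www/foswiki/pub">
    Options FollowSymLinks
    AllowOverride FileInfo AuthConfig
</Directory>
"""

DIR_BLOCK = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)
ALLOW_OVERRIDE = re.compile(r'^\s*AllowOverride\s+(.+?)\s*$', re.M | re.I)
ACCESS_FILE_NAME = re.compile(r'^\s*AccessFileName\s+(.+?)\s*$', re.M | re.I)


def access_file_names(conf):
    """Names Apache treats as per-directory configuration files.
    AccessFileName accepts a space-separated list; the default is .htaccess.
    Every name returned here must also be blocked by {UploadFilter}."""
    names = []
    for m in ACCESS_FILE_NAME.finditer(conf):
        names.extend(m.group(1).split())
    return names or ['.htaccess']


def pub_override_findings(conf, pub_marker='/pub'):
    """(path, value) for every <Directory> block whose path contains the pub
    marker and whose AllowOverride is anything other than None."""
    findings = []
    for m in DIR_BLOCK.finditer(conf):
        path, body = m.group(1), m.group(2)
        if pub_marker not in path.replace('\\', '/'):
            continue
        for o in ALLOW_OVERRIDE.finditer(body):
            if o.group(1).strip().lower() != 'none':
                findings.append((path, o.group(1).strip()))
    return findings


def access_files_in(paths, names):
    """From a list of paths relative to pub/, return those whose base name is
    an access-file name. The comparison ignores case because Windows does."""
    wanted = {n.lower() for n in names}
    return sorted(p for p in paths if os.path.basename(p).lower() in wanted)


def scan_pub_dir(pub_dir, names):
    """os.walk wrapper around access_files_in for a real pub/ tree."""
    rel = []
    for root, _dirs, files in os.walk(pub_dir):
        for f in files:
            rel.append(os.path.relpath(os.path.join(root, f), pub_dir))
    return access_files_in(rel, names)


if __name__ == '__main__':
    names = access_file_names(SAMPLE_CONF)
    print('access file names in effect:', names)
    for path, value in pub_override_findings(SAMPLE_CONF):
        print(f'FINDING: <Directory {path}> has "AllowOverride {value}", expected None')
    # Constructed listing standing in for a walk of pub/ (scan_pub_dir does
    # the real walk when pointed at an installation).
    demo_tree = ['Main/WebHome/photo.jpg', 'Main/WebHome/.myaccess', 'Sandbox/.HTACCESS']
    print('access files found under pub/:', access_files_in(demo_tree, names))
```

Any file reported by the last step is the cue for the final item in the list: review the other attachments in that directory, since the access file may have changed how Apache serves them.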

On 10/09/2014 02:39 PM, Michael Lorenzen wrote:
Hi all,

Peter Thoeny released two security alerts for twiki today:
http://seclists.org/fulldisclosure/2014/Oct/44
http://seclists.org/fulldisclosure/2014/Oct/45

Does this affect foswiki also?
