Robustness patch for TWiki, vulnerability in ImageGalleryPlugin
* TWiki robustness patch
After CAN-2004-1037 was discovered in November 2004, I wrote a patch
which systematically replaces unsafe subprocess invocation constructs
in the TWiki source code. This patch was published, submitted to the
TWiki developers, and they ported it into the DEVELOP branch:
<http://www.enyo.de/fw/security/notes/twiki-robustness.html>
(A TWiki release which incorporates the changes from the DEVELOP
branch is still pending.)
The TWiki robustness patch should fix all shell command injection
vulnerabilities, once and for all. It also attempts to prevent
directory traversal attacks, but I'm less confident that I have
plugged all potential holes. (However, I'm not aware of any directory
traversal vulnerabilities in TWiki, with or without this patch.)
Due to certain circumstances which I'm not at liberty to disclose at
this point, it is STRONGLY RECOMMENDED to apply the patch to any TWiki
installation which is accessible from untrusted networks. The patch
needs some changes to TWiki.cfg; please read the web page mentioned
above and the enclosed README file carefully.
* ImageGalleryPlugin security issue
ImageGalleryPlugin does not properly guard its configuration options
against unauthorized changes, in particular parts of the ImageMagick
commands used to generate thumbnails. As a result, it's possible for
anyone who is able to create or edit topics with image galleries to
execute arbitrary shell commands on the web server hosting the
affected TWiki installation.
A patch for this issue is available from the same URL as above:
<http://www.enyo.de/fw/security/notes/twiki-robustness.html>
The patch depends on the TWiki robustness patch. Some configuration
changes are required (as explained on the web page).
Vulnerability timeline (for the ImageGalleryPlugin issue):
2004-11-27 bug discovered and disclosed to the TWiki core developers
2004-11-29 sent patch to the TWiki core developers
2004-11-30 sent bug notice and patch to the plugin author
2004-12-26 sent reminder (and patch) to the TWiki security team
2005-02-17 sent second reminder, pending disclosure (no reply)
2005-02-23 uncoordinated public disclosure