—+ Security Alert: Code injection vulnerability in MAKETEXT macro
This advisory alerts you of a potential security issue with your Foswiki
installation. A vulnerability has been reported against the core Perl
module CPAN:Locale::Maketext [1], which Foswiki uses to provide
translations when {UserInterfaceInternationalization} is enabled in the
configuration. Because of this vulnerability it may be possible for a
user to invoke arbitrary perl modules on the server through a crafted
macro.
The original fix for this issue reported in
[[SecurityAlert-CVE-2012-6329]] [2] failed to eliminate one possible
attack vector. This CVE applies an additional fix for the original issue.
The system is not vulnerable if ={UserInerfaceInternationalization}=
is not enabled in your configuration, or if =Locale::Maketext= has been
upgraded to version 1.23 as advised in [[SecurityAlert-CVE-2012-6329]] [2].
—++ Severity Level
Severity 1 issue: The web server can be compromised.
The severity level was assigned by the Foswiki
Community.SecurityTaskTeam [3] as documented in
Development.SecurityAlertProcess [4]
—++ Vulnerable Software Versions
All releases of Foswiki.
—++ MITRE Name for this Vulnerability
The Common Vulnerabilities and Exposures project has assigned the name
CVE-2013-1666 [5] to this vulnerability.
—++ Attack Vectors
Editing wiki pages and HTTP POST requests towards a Foswiki server with
enabled localization (typically port 80/TCP). Typically, prior
authentication is necessary. If your wiki allows commenting by users
without first logging in, then it may be possible for such an anonymous
user to exploit this vulnerability.
The original report ( [[SecurityAlert-CVE-2012-6329]] [2]) against
Locale::Maketext also identified another vector, where a module name can
be passed in to Locale::Maketext through the bracket notation. At the
time we determined that Foswiki was not vulnerable to this vector, as
Foswiki does not permit that syntax to be used. This was incorrect.
It is possible to pass bypass the checks by double-escaping the brackets.
—++ Impact
Arbitrary code execution on the server as the webserver user.
—++ Details
A crafted %MAKETEXT{}% macro can cause multiple issues: This CVE
addresses an additional vector:
—++ Countermeasures
Apply one of these countermeasures:
In addition to the above, Locale::Maketext should be upgraded to version
1.23.
You can verify that the patches are successful by using the following
two lines in a test topic:
Note: If the 2nd line displays =~[quant,4,singular,plural~]= (shows the
~ character) then your system is not patched, but is not vulnerable
because Internationalization is disabled.
—++ Authors and Credits
—++ Hotfix for Foswiki Production Release 1.1.0-1.1.7
The line numbers may vary between releases, but the two regular
expressions should be changed as shown below:
=================( CUT )================
— lib/Foswiki/Macros/MAKETEXT.pm 2013-02-13 10:26:42.520780283 -0500
+++ lib/Foswiki/Macros/MAKETEXT.pm 2013-02-13 10:26:51.362682708 -0500
@@ -25,8 +25,8 @@
$str =~ s/\]/~]/g;
# restore already escaped stuff:
$str =~ s/~~+\[/~[/g;
$str =~ s/~~+\]/~]/g;
$max = 0;
$min = 1;
=================( CUT )================
—++ Hotfix for Foswiki Production Release 1.0.0-1.0.10
Apply the above patch to Foswiki.pm, in the vicinity of line 4193
—++ Action Plan with Timeline
—++ External Links
[1] http://search.cpan.org/perldoc?Locale::Maketext
[2] http://foswiki.org/Support/SecurityAlert-CVE-2012-6329
[3] http://foswiki.org/Community/SecurityTaskTeam
[4] http://foswiki.org/Development/SecurityAlertProcess
[5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1666
[6] http://foswiki.org/Extensions/PatchItem12391Contrib