
Item6784: DoS on bin/search with an asterisk wildcard using bookview


Detail

There is a DoS caused by searching for * on search/TWiki/.

The following request:

curl -i 'http://www.twiki.org/cgi-bin/search/TWiki/?scope=topic&regex=on&bookview=on&search=%5C.*'

will cause the bin/search CGI to eat 100% of the server's CPU.

Tested on TWiki 4.2.0 and also on 5.0.2.

Also your own server (twiki.org) seems to be affected.

I saw Googlebot making this kind of search on my server. I worked around it with an Apache rule that redirects any search with an asterisk to the home page.

# Redirect any bin/search request whose raw query string contains a literal '*'
RewriteCond %{QUERY_STRING} ^(.*)\*(.*)$
RewriteRule .*/cgi-bin/search/.* https://www.twiki.org/ [R,L]

I think that a CVE for this DoS is needed.

-- TWiki:Main/CarlosLopez - 2011-08-04
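Added example, not part of Carlos's post and not TWiki code: a Python emulation of the Apache rewrite condition above, applied to the raw query string the way mod_rewrite does. Apache does not URL-decode %{QUERY_STRING} before testing it, so the rule only fires on a literal '*'. The reported query carries the asterisk unencoded, but the same search with the asterisk percent-encoded as %2A decodes to the identical regex \.* inside the search CGI and is not redirected. The topic names and the encoded variant of the query string are constructed for this example.

```python
import re
from urllib.parse import parse_qs

# The RewriteCond from the post. Apache applies it to the raw (undecoded)
# query string, so the '\*' only matches a literal asterisk character.
REWRITE_COND = re.compile(r"^(.*)\*(.*)$")


def rewrite_blocks(query_string: str) -> bool:
    """True if the posted RewriteCond matches, i.e. the request is redirected."""
    return REWRITE_COND.match(query_string) is not None


def decoded_search_pattern(query_string: str) -> str:
    """The 'search' parameter as the search CGI sees it after URL decoding."""
    params = parse_qs(query_string, keep_blank_values=True)
    return params.get("search", [""])[0]


def matches_every_topic(pattern: str, topics) -> bool:
    """Does the decoded regex match all of the given topic names?"""
    rx = re.compile(pattern)
    return all(rx.search(t) for t in topics)


# Constructed sample topic names (not from the report).
SAMPLE_TOPICS = ["WebHome", "TWikiPreferences", "Item6784", "WebSearch"]

# The query string from the report, and a constructed variant with the
# asterisk percent-encoded. Both decode to the regex \.* which matches
# everything; only the first contains a literal '*' for the RewriteCond.
REPORTED_QS = "scope=topic&regex=on&bookview=on&search=%5C.*"
ENCODED_QS = "scope=topic&regex=on&bookview=on&search=%5C.%2A"


def check_workaround():
    """For each query string: is it redirected, what regex reaches the CGI,
    and does that regex match every topic?"""
    results = {}
    for name, qs in (("reported", REPORTED_QS), ("encoded", ENCODED_QS)):
        pattern = decoded_search_pattern(qs)
        results[name] = {
            "blocked": rewrite_blocks(qs),
            "decoded_pattern": pattern,
            "matches_all": matches_every_topic(pattern, SAMPLE_TOPICS),
        }
    return results


if __name__ == "__main__":
    for name, r in check_workaround().items():
        print(f"{name:9s} blocked={r['blocked']!s:5s} "
              f"pattern={r['decoded_pattern']!r} matches_all={r['matches_all']}")
```

The redirect rule is therefore a stopgap against the crawler traffic seen in the report rather than a fix: any pattern that matches every topic name (the encoded form above, or one with no asterisk at all) still reaches bookview.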

Thank you Carlos for reporting. Issue confirmed.

This is a severity 3 issue based on our security alert process, TWiki:Codev/TWikiSecurityAlertProcess, i.e. we handle this as a bug without a CVE.

-- TWiki:Main.PeterThoeny - 2011-08-04

The bookview takes a lot of CPU when there are many pages.

Fix: Limit the number of topics to 64 on a bookview.

-- TWiki:Main.PeterThoeny - 2011-08-04
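Added example, not TWiki's own Perl and not from the checkins referenced below: a Python sketch of the fix described in the post, a hard cap on how many topics a bookview search will render. Bookview is expensive because it renders every matching topic's body, while a plain search only lists names; a regex such as \.* matches every topic, so the cost scales with the whole web. The 300-topic corpus, the function names and the query dict are constructed for this example; the 64 is the limit stated in the fix. Passing limit=None shows the pre-fix behaviour.

```python
import re

BOOKVIEW_MAX_TOPICS = 64  # the limit from the fix described above

# Constructed corpus: topic name -> body text (not real TWiki content).
TOPICS = {f"Topic{i:03d}": f"Body of topic {i}. " * 20 for i in range(300)}


def search_topics(pattern, topics=TOPICS, regex=True):
    """Topic names matching the search (scope=topic, as in the report).
    regex=True mirrors regex=on; otherwise a case-insensitive substring search."""
    if regex:
        rx = re.compile(pattern)
        return sorted(t for t in topics if rx.search(t))
    return sorted(t for t in topics if pattern.lower() in t.lower())


def render_bookview(names, topics=TOPICS, limit=BOOKVIEW_MAX_TOPICS):
    """Render full topic bodies (the expensive part of bookview), at most
    `limit` of them. limit=None renders everything (pre-fix behaviour).
    Returns (rendered_chunks, number_of_topics_dropped)."""
    shown = names[:limit]
    rendered = [f"---++ {n}\n{topics[n]}" for n in shown]
    return rendered, len(names) - len(shown)


def handle_search(query, topics=TOPICS, limit=BOOKVIEW_MAX_TOPICS):
    """Minimal stand-in for the search CGI: list matches, and render bodies
    only when bookview=on, bounded by `limit`."""
    names = search_topics(query["search"], topics, regex=query.get("regex") == "on")
    if query.get("bookview") == "on":
        rendered, dropped = render_bookview(names, topics, limit)
        return {"matched": len(names), "rendered": len(rendered), "dropped": dropped}
    # A plain search only lists names; no bodies are rendered.
    return {"matched": len(names), "rendered": len(names), "dropped": 0}


if __name__ == "__main__":
    dos_query = {"search": r"\.*", "regex": "on", "bookview": "on"}
    print("before fix:", handle_search(dos_query, limit=None))
    print("after fix: ", handle_search(dos_query))
```

With the cap in place the wildcard search still matches every topic, but the work done per request is bounded by the 64 bodies actually rendered instead of by the size of the web.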

This is now fixed in trunk and TWiki-5.0 branch.

-- TWiki:Main.PeterThoeny - 2011-08-04

Thanks Peter, I tested your patch and it solves the issue.

-- TWiki:Main.CarlosLopez - 2011-08-05

ItemTemplate
Summary: DoS on bin/search with an asterisk wildcard using bookview
ReportedBy: TWiki:Main.CarlosLopez
Codebase: ~twiki4, 5.0.2, 4.2.0
SVN Range: TWiki-5.1.0-rc1, Mon, 18 Jul 2011, build 21779
AppliesTo: Engine
Component: (none)
Priority: Urgent
CurrentState: Closed
WaitingFor: (none)
Checkins: TWikirev:21890 TWikirev:21891
TargetRelease: patch
ReleasedIn: 5.1.0
Topic revision: r7 - 2011-08-22 - PeterThoeny