• Do not register here on develop.twiki.org, login with your twiki.org account.
• Use View topic Item7848 for generic doc work for TWiki-6.1.1. Use View topic Item7851 for doc work on extensions that are not part of a release. More... Close
• Anything you create or change in standard webs (Main, TWiki, Sandbox etc) will be automatically reverted on every SVN update.
Does this site look broken?. Use the LitterTray web for test cases.

Item7080: CVE-2012-6329: TWiki MAKETEXT Variable Allows Arbitrary Shell Command Execution

Item Form Data

AppliesTo: Component: Priority: CurrentState: WaitingFor: TargetRelease ReleasedIn
Engine Localization Urgent Closed   patch 5.1.3

Edit Form Data

Summary:
Reported By:
Codebase:
Applies To:
Component:
Priority:
Current State:
Waiting For:
Target Release:
Released In:
 

Detail

TWiki:Main.GeorgeClark notified us of some issues with MAKETEXT.

Patch to sanitize MAKETEXT parameters:

--- TWiki.pm   (revision 24029)
+++ TWiki.pm   (working copy)
@@ -4329,8 +4329,23 @@
 
     # unescape parameters and calculate highest parameter number:
     my $max = 0;
-    $str =~ s/~\[(\_(\d+))~\]/ $max = $2 if ($2 > $max); "[$1]"/ge;
-    $str =~ s/~\[(\*,\_(\d+),[^,]+(,([^,]+))?)~\]/ $max = $2 if ($2 > $max); "[$1]"/ge;
+    my $min = 1;
+    $str =~ s/~\[(\_(\d+))~\]/
+              $max = $2 if ($2 > $max);
+              $min = $2 if ($2 < $min);
+              "[$1]"/ge;
+    $str =~ s/~\[(\*,\_(\d+),[^,]+(,([^,]+))?)~\]/
+              $max = $2 if ($2 > $max);
+              $min = $2 if ($2 < $min);
+              "[$1]"/ge;
+
+    # Item7080: Sanitize MAKETEXT variable:
+    return "MAKETEXT error: No more than 32 parameters are allowed" if( $max > 32 );
+    return "MAKETEXT error: Parameter 0 is not allowed" if( $min < 1 );
+    if( $TWiki::cfg{UserInterfaceInternationalisation} ) {
+        eval { require Locale::Maketext; };
+        $str =~ s#\\#\\\\#g if( $@ || !$@ && $Locale::Maketext::VERSION < 1.23 );
+    }
 
     # get the args to be interpolated.
     my $argsStr = $params->{args} || "";

-- TWiki:Main/PeterThoeny - 2012-12-10

Now listed at TWiki:Codev.SecurityAlert-CVE-2012-6329

-- TWiki:Main.PeterThoeny - 2012-12-14

See followup Item7145

-- TWiki:Main.PeterThoeny - 2013-02-14

ItemTemplate
Summary CVE-2012-6329: TWiki MAKETEXT Variable Allows Arbitrary Shell Command Execution
ReportedBy TWiki:Main.PeterThoeny
Codebase ~twiki4, 5.1.2, 5.1.1, 5.1.0, 5.0.2, 5.0.1, 5.0.0, 4.3.2, 4.3.1, 4.3.0, 4.2.4, 4.2.3, 4.2.2, 4.2.1, 4.2.0, 4.1.2, 4.1.1, 4.1.0, 4.0.5, 4.0.4, 4.0.3, 4.0.2, 4.0.1, 4.0.0
SVN Range TWiki-5.1.3-trunk, Mon, 10 Dec 2012, build 24422
AppliesTo Engine
Component Localization
Priority Urgent
CurrentState Closed
WaitingFor

Checkins TWikirev:24428 TWikirev:24429 TWikirev:24430 TWikirev:24431 TWikirev:24432 TWikirev:24433 TWikirev:24434 TWikirev:24435 TWikirev:24436 TWikirev:24437 TWikirev:24438 TWikirev:24439
TargetRelease patch
ReleasedIn 5.1.3
Edit | Attach | Watch | Print version | History: r21 < r20 < r19 < r18 < r17 | Backlinks | Raw View | Raw edit | More topic actions
Topic revision: r21 - 2013-02-14 - PeterThoeny
 
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2019 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback