发布日期:2013-02-18
更新日期:2013-02-20
受影响系统:
TWiki TWiki 5.1.0 - 5.1.3
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 58024
CVE(CAN) ID: CVE-2013-1751
TWiki是一款灵活易用、功能强大的企业协作平台和知识管理系统。
%MAKETEXT{}% TWiki变量用于本地化用户界面内容。使用特制的MAKETEXT,恶意用户可通波浪符执行shell命令。
<*来源:John Lightsey (john@nixnuts.net)
链接:http://packetstormsecurity.com/files/cve/CVE-2013-1751
http://seclists.org/fulldisclosure/2013/Feb/105
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
---++ Hotfix for TWiki Production Release 5.1.x
Affected file: twiki/lib/TWiki.pm
Patch to sanitize MAKETEXT parameters:
=======( 8>< CUT )===============================================
--- TWiki.pm (revision 25065)
+++ TWiki.pm (working copy)
@@ -4328,8 +4328,8 @@
$str =~ s/\]/~]/g;
# restore already escaped stuff:
- $str =~ s/~~\[/~[/g;
- $str =~ s/~~\]/~]/g;
+ $str =~ s/~~+\[/~[/g;
+ $str =~ s/~~+\]/~]/g;
# unescape parameters and calculate highest parameter number:
my $max = 0;
=======( 8>< CUT )===============================================
This patch is handled at TWikibug Item7145 [8].
---++ Hotfix for Older Affected TWiki Releases
Apply above patch (line numbers may vary).
---++ Verify Hotfix
To verify the patch:
* Add this to a topic:
%MAKETEXT{"~~[quant,4, singular, plural, ~~]"}%
* Expected output with internationalization enabled:
[quant,4,singular,plural]
* Expected output with internationalization disabled:
~[quant,4,singular,plural~]
* Output on a vulnerable site:
~4 plural
建议:
--------------------------------------------------------------------------------
临时解决方法:
如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施降低威胁:
* 将{UserInterfaceInternationalisation}设置为0,禁用本地化
另外,安装CPAN:Locale::Maketext v1.23或更高版本;使用{SafeEnvPath}设置限制可执行目录,将{SafeEnvPath}设置为不可写目录列表中,例如:"/bin:/usr/bin"
厂商补丁:
TWiki
-----
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://twiki.org/
