On September 6 I received a security alert from the TWiki developers' mailing list: a server-side file read vulnerability has been found in TWiki 4.0.x. An attacker may be able to view files on the back-end system through a link like this:
http://example.com/bin/viewfile/TWiki/TWikiDocGraphics?rev=1;filename=../../../../../etc/passwd
Please upgrade TWiki 4.0.x systems as soon as possible:
===========================================================
--- View.pm (revision 11339)
+++ View.pm (working copy)
@@ -356,6 +356,7 @@
my $topic = $session->{topicName};
my $fileName = $query->param( 'filename' );
+ die "Illegal attachment name" if $fileName =~ m#[/\\]#;
my $rev = $session->{store}->cleanUpRevID( $query->param( 'rev' ) );
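Review bot: the new `+ die` line matches against `$fileName` before confirming the parameter is present; `$query->param( 'filename' )` returns undef when no filename was supplied, so the pattern match then runs on an undefined value and emits an "uninitialized value" warning under `use warnings` instead of failing cleanly. Suggest `die "Illegal attachment name" if defined $fileName && $fileName =~ m#[/\\]#;` (or handle the missing-parameter case first). Also, a bare `die` reaches the user as a generic server error rather than through whatever error-reporting path the rest of View.pm uses; routing the rejection through that path would keep the response consistent.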
Appendix: the original email
Author: Che Dong   Posted: 2006-09-08 10:09   Last updated: 2007-04-22 21:04
Dear TWiki administrator,

This advisory alerts you of a potential security issue
with your TWiki installation: An unauthorized user may view
arbitrary files of the server file system with the
viewfile script.

NOTE: Please do not publicly announce until 2006-09-07,
but please feel free to forward this message to fellow
TWiki administrators.

* Vulnerable Software Version
* Attack Vectors
* Impact
* Severity Level
* MITRE Name for this Vulnerability
* Details
* Countermeasures
* Hotfix
* Authors and Credits
* Action Plan with Timeline
* Feedback
* External Links
---++ Vulnerable Software Version
* TWikiRelease04x00x04 -- TWiki-4.0.4.zip
* TWikiRelease04x00x03 -- TWiki-4.0.3.zip
* TWikiRelease04x00x02 -- TWiki-4.0.2.zip
* TWikiRelease04x00x01 -- TWiki-4.0.1.zip
* TWikiRelease04x00x00 -- TWiki-4.0.0.zip
---++ Attack Vectors
Supply a specially crafted HTTP POST request on the TWiki
viewfile script.
---++ Impact
An intruder is able to view arbitrary files on the server
file system that are readable by the webserver user, such
as user nobody or wwwrun. The server can potentially be
exploited by reading system files such as /etc/passwd.
---++ Severity Level
The TWiki SecurityTeam [2] triaged this issue as documented
in TWikiSecurityAlertProcess [3] and assigned the following
severity level:
* Severity 1 issue: The web server can be compromised
---++ MITRE Name for this Vulnerability
The Common Vulnerabilities and Exposures project has
assigned the name CVE-2006-4294 [4] to this vulnerability.
---++ Details
All TWiki 4.0.x releases do not sanitize the filename
parameter of the viewfile script. This can be used to read
arbitrary files on the server. For example,
http://example.com/bin/viewfile/TWiki/TWikiDocGraphics?rev=1;filename=../../../../../etc/passwd
displays the content of the =/etc/passwd= file in the
browser.
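The flaw above is a classic path-traversal bug: a caller-supplied file name is joined onto the attachment directory without checking that it is a single path component. The following added example (written here for illustration, not TWiki's code) places a resolver that mirrors the flaw next to a hardened one. The attachment root `/var/twiki/pub`, the web and topic names, the `SAFE_NAME` allowlist and the helper names are all assumptions; the hardened version applies two independent checks, an allowlist on the name and a containment check on the resolved path, so that a symlink planted inside the attachment tree cannot escape it either.

```python
"""Vulnerable versus hardened resolution of a viewfile-style attachment path.

Added example for the traversal described above; it is not TWiki code.
The attachment root, web, topic and file names are constructed for the demo,
and the allowlist regex is an assumption, not TWiki's real naming rule.
"""
import os
import posixpath
import re
import tempfile

# Assumption: an attachment name is one path component drawn from a
# conservative character set: no separators, no leading dot.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def is_safe_attachment_name(name: str) -> bool:
    """Allowlist check; rejects '', '..', 'a/b', 'a\\b' and '.hidden'."""
    return bool(name) and SAFE_NAME.match(name) is not None


def resolve_vulnerable(root: str, web: str, topic: str, filename: str) -> str:
    """Mirror the flaw: the caller-supplied name is joined as-is, so '..'
    segments walk out of the attachment tree. POSIX semantics are forced so
    the result is the same on every platform."""
    return posixpath.normpath(posixpath.join(root, web, topic, filename))


def resolve_hardened(root: str, web: str, topic: str, filename: str) -> str:
    """Two independent defences: reject names that are not a plain component,
    then verify that the resolved path (symlinks followed) is still inside
    the topic's attachment directory."""
    if not is_safe_attachment_name(filename):
        raise ValueError("Illegal attachment name")
    topic_dir = os.path.realpath(os.path.join(root, web, topic))
    target = os.path.realpath(os.path.join(topic_dir, filename))
    if os.path.commonpath([topic_dir, target]) != topic_dir:
        # A symlink inside the topic directory pointed outside it.
        raise ValueError("Attachment resolves outside its topic directory")
    return target


def demo() -> None:
    """Run both resolvers on the advisory's payload and on a symlink escape."""
    payload = "../../../../../etc/passwd"
    print("vulnerable:", resolve_vulnerable("/var/twiki/pub", "TWiki", "TWikiDocGraphics", payload))
    for name in (payload, "logo.gif"):
        try:
            print("hardened  :", resolve_hardened("/var/twiki/pub", "TWiki", "TWikiDocGraphics", name))
        except ValueError as exc:
            print("hardened  : rejected", repr(name), "->", exc)
    # Symlink escape: a plain-looking name whose target lives outside the tree.
    with tempfile.TemporaryDirectory() as root:
        topic_dir = os.path.join(root, "TWiki", "TWikiDocGraphics")
        os.makedirs(topic_dir)
        try:
            os.symlink(os.path.dirname(root), os.path.join(topic_dir, "link.gif"))
        except (OSError, NotImplementedError):
            return  # this platform does not allow symlink creation here
        try:
            resolve_hardened(root, "TWiki", "TWikiDocGraphics", "link.gif")
        except ValueError as exc:
            print("hardened  : rejected symlink ->", exc)


if __name__ == "__main__":
    demo()
```

The allowlist alone would have stopped the payload in the advisory; the containment check is what the hotfix's two-character denylist does not give you, and it is the part that still holds when an attacker can place a symlink through some other upload path.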
---++ Countermeasures
* Restrict access to the TWiki installation.
* Apply the hotfix indicated below.

NOTE: The hotfix is known to prevent the current attacks,
but it might not be a complete fix
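Besides restricting access and applying the hotfix, an administrator will want to know whether the viewfile script has already been probed. The added example below (not part of the advisory or of TWiki) scans constructed Apache common-log lines for `viewfile` requests whose `filename` parameter contains a path separator or a `..` segment, decoding the value twice so percent-encoded and double-encoded variants are caught. It assumes the parameter is in the query string; the advisory's attack vector is a POST, and a POST body is not recorded in an access log, so this scan only covers what the log actually holds.

```python
"""Scan web-server access logs for viewfile requests that carry path traversal.

Added detection example; it is not part of the advisory or of TWiki. The log
lines are constructed (Apache common log format, documentation IP addresses).
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample: one benign viewfile request, three traversal attempts
# (plain, percent-encoded, double-encoded) and one unrelated page view.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Sep/2006:10:12:01 +0800] "GET /bin/viewfile/TWiki/TWikiDocGraphics?rev=1;filename=../../../../../etc/passwd HTTP/1.1" 200 1832
203.0.113.7 - - [06/Sep/2006:10:12:09 +0800] "GET /bin/viewfile/TWiki/TWikiDocGraphics?rev=1;filename=logo.gif HTTP/1.1" 200 2410
203.0.113.5 - - [06/Sep/2006:10:13:44 +0800] "GET /bin/viewfile/TWiki/TWikiDocGraphics?rev=1&filename=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 403 512
203.0.113.9 - - [06/Sep/2006:10:14:02 +0800] "GET /bin/view/TWiki/WebHome HTTP/1.1" 200 9981
203.0.113.5 - - [06/Sep/2006:10:15:30 +0800] "GET /bin/viewfile/Main/WebHome?filename=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1832
"""


def traversal_filename(target: str):
    """Return the decoded filename value if a viewfile request contains a path
    separator or a '..' segment, else None. parse_qs decodes once; the extra
    unquote catches double-encoded payloads such as %252e."""
    parts = urlsplit(target)
    if "/bin/viewfile" not in parts.path:
        return None
    # TWiki accepts ';' as well as '&' between parameters; normalise first.
    params = parse_qs(parts.query.replace(";", "&"), keep_blank_values=True)
    for value in params.get("filename", []):
        decoded = unquote(value)
        if "/" in decoded or "\\" in decoded or ".." in decoded:
            return decoded
    return None


def scan_access_log(text: str):
    """Return one finding dict per suspicious request, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; a real scanner would count these
        bad = traversal_filename(m.group("target"))
        if bad is not None:
            findings.append({"ip": m.group("ip"),
                             "status": int(m.group("status")),
                             "filename": bad})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ip']:15} status={f['status']} filename={f['filename']!r}")
```

A 200 status on a flagged line is the one to chase: before the hotfix the server returned the file, so such an entry means the read most likely succeeded.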
---++ Hotfix
The accumulated Hotfix 3 for TWiki-4.0.4 contains an
improved version of the View.pm module, fixing the known
vulnerability. Hotfix 3 will be available at
http://twiki.org/cgi-bin/view/Codev/HotFix04x00x04x03 in
a few days.

If you prefer to fix your TWiki installation immediately,
add the line with "die" to the twiki/lib/TWiki/UI/View.pm
file:

Index: View.pm
===========================================================
--- View.pm (revision 11339)
+++ View.pm (working copy)
@@ -356,6 +356,7 @@
my $topic = $session->{topicName};my $fileName = $query->param( 'filename' );
+ die "Illegal attachment name" if $fileName =~ m#[/\\]#;my $rev = $session->{store}->cleanUpRevID( $query->param( 'rev' ) );
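Review bot: the hunk rejects only the two literal separator characters `/` and `\`, and the advisory itself concedes this "might not be a complete fix"; the change would benefit from a short comment in the code stating why a denylist of two characters was chosen over an allowlist of permitted attachment-name characters, and from a regression test that feeds the Details section's value `../../../../../etc/passwd` to the `filename` parameter and asserts the request is refused. As written, nothing in the patch records the reasoning or verifies the behaviour.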
---++ Authors and Credits
* Credit to TWiki:Main.BenWheeler and
TWiki:Main.KoenMartens for disclosing the issue to
the twiki-security mailing list
* TWiki:Main.CrawfordCurrie for creating a fix
* TWiki:Main.KennethLavrsen for creating Hotfix 3 for
TWiki release 4.0.4
* TWiki:Main.PeterThoeny and TWiki:Main.KennethLavrsen
for creating the advisory
---++ Action Plan with Timeline
* 2006-08-20 and 08-28: User discloses vulnerability to
twiki-security
* 2006-08-22: Developer verifies issue
* 2006-08-22: Developer creates fix
* 2006-08-31: Security team creates advisory
* 2006-09-05: Send alert to twiki-announce mailing list
and twiki-dev mailing list
* 2006-09-06: Developer creates Hotfix 3 (pending)
* 2006-09-07: Publish advisory on TWiki.org (pending)
* 2006-09-07: Issue a public security advisory (pending)
---++ Feedback
Please provide feedback at the security alert topic [1],
http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2006-4294
---++ External Links
[1]: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2006-4294
[2]: http://twiki.org/cgi-bin/view/Codev/SecurityTeam
[3]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess
[4]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4294
[5]: http://twiki.org/cgi-bin/view/Codev/TWikiRelease04x00x04
[6]: http://twiki.org/cgi-bin/view/Codev/HotFix04x00x04x03
-- __Contributors:__ PeterThoeny, CrawfordCurrie,
KennethLavrsen - 31 Aug 2006
Copyright notice: reposting is permitted; when reposting, please indicate, in the form of a hyperlink, the original source of the article "TWiki 4.0.x security vulnerability alert: server-side arbitrary file read", the author information and this copyright notice.
http://www.chedong.com/blog/archives/001199.html
Comments
I know you are a Lucene expert. I am a Lucene newcomer, learning step by step, working on Windows XP. Today, while working through the demo setup, I ran into a problem at this step:
vi configuration.jsp <-- change the value of indexLocation to "$TOMCATHOME/webapps/lucenedb";
I had already set the TOMCAT_HOME environment variable earlier, so I changed it to "$TOMCAT_HOME/webapps/lucenedb", saved, and then ran
jar -ur luceneweb.war luceneweb. It first complained that there is no r option. I removed r and added v, and it ran for a long time with no response. Later I changed "$TOMCAT_HOME/webapps/lucenedb" to "c:\fullpath-of-tomcat\webapps\lucenedb", and running jar still produced nothing. Could you tell me what is going on? Thanks!
Posted by: jiangeb on 2006-09-08 at 12:03 PM