CVE-2023-24698: SecurityAlert-CVE-2023-24698 < Support < Foswiki

Insufficient parameter validation in the Foswiki::Sandbox component of Foswiki v2.1.7 and below allows attackers to perform a directory traversal by supplying a crafted web request.

Security Alert: Local file inclusion vulnerability in viewfile

Get Alerted: to get immediate alerts of high priority security issues, please join the low-volume foswiki-announce list - details at MailingLists

The filename parameter isn’t validated sufficiently and may be used to read any file on the server.

Severity Level

Severity 1 issue: The web server can be compromised

The severity level was assigned by the Foswiki SecurityTaskTeam as documented in SecurityAlertProcess.

MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name CVE-2023-24698 to this vulnerability.

Vulnerable Software Versions

  • Foswiki 2.0.0, Foswiki 2.0.0-RC1, Foswiki 2.0.0-RC2, Foswiki 2.0.1, Foswiki 2.0.2, Foswiki 2.0.3, Foswiki 2.1.0, Foswiki 2.1.0-Beta1, Foswiki 2.1.1, Foswiki 2.1.1-RC1, Foswiki 2.1.1-RC2, Foswiki 2.1.2, Foswiki 2.1.3, Foswiki 2.1.3-Beta1, Foswiki 2.1.3-Beta2, Foswiki 2.1.3-RC1, Foswiki 2.1.4, Foswiki 2.1.4-RC1, Foswiki 2.1.4-RC2, Foswiki 2.1.4-RC3, Foswiki 2.1.5, Foswiki 2.1.5-RC, Foswiki 2.1.6, Foswiki 2.1.7

Fixed in Foswiki 2.1.8

Attack Vectors

A proof of concept isn’t included here for security reasons. The attack can be scripted using curl. The POC submitted by Steffen Weinreich allowed reading /etc/passwd, but basically any file could be accessed, such as lib/LocalSite.cfg, which contains sensitive information like passwords and configuration details.

Impact

Any file accessible by the user running the Foswiki services (e.g. www-data) can be accessed using a specially crafted HTTP request to the viewfile endpoint.

Details

The filename parameter isn’t validated sufficiently in Foswiki::Sandbox. Basically any component using Foswiki::Sandbox::validateAttachmentName will be affected, not only viewfile. Yet viewfile is the most obvious vector.
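
The following Python example is added here for illustration; it is not Foswiki's Perl code and not the Item15163 hotfix. It shows the two checks an attachment-name validator needs against this bug class: the name must be a single path component, and the resolved path must stay inside the attachment directory. The function name, exception class and directory layout are assumptions.

```python
import os
import tempfile


class UnsafeAttachmentName(ValueError):
    """The requested attachment name must not be served."""


def resolve_attachment(attach_dir, requested):
    """Return the real path of the URL-decoded name `requested`, or raise."""
    # 1. Syntactic check: an attachment name is exactly one path component.
    if requested in ("", ".", ".."):
        raise UnsafeAttachmentName("empty or dot name")
    if any(ch in requested for ch in ("/", "\\", "\0")):
        raise UnsafeAttachmentName("path separator or NUL in name")
    # 2. Containment check on the resolved path; realpath() follows symlinks,
    #    so a link planted inside the directory cannot point outside it.
    base = os.path.realpath(attach_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise UnsafeAttachmentName("resolves outside attachment directory")
    if not os.path.isfile(target):
        raise UnsafeAttachmentName("no such attachment")
    return target


def demo():
    """Run the check against a constructed directory tree (hypothetical names)."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        attach = os.path.join(root, "attachments", "topic")
        os.makedirs(attach)
        secret = os.path.join(root, "secret.cfg")  # stand-in for a sensitive file
        for path in (os.path.join(attach, "report.pdf"), secret):
            with open(path, "w") as fh:
                fh.write("x")
        os.symlink(secret, os.path.join(attach, "link.txt"))
        for name in ("report.pdf", "../../secret.cfg", "..", "link.txt", "a\0.pdf"):
            try:
                resolve_attachment(attach, name)
                results[name] = "served"
            except UnsafeAttachmentName as exc:
                results[name] = "rejected: " + str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(repr(name), "->", outcome)
```

The containment check is the backstop: it still holds if the syntactic filter misses an encoding variant, because it compares the final resolved path rather than the input string.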

Countermeasures

  • Apply hotfix in Tasks.Item15163

  • Upgrade to the latest patched production FoswikiRelease02x01x08.

  • Steffen Weinreich

Action Plan with Timeline

  • 2022-08-05: Michael Daum was contacted by Steffen Weinreich
  • 2022-08-05: The POC was confirmed and the bug was analysed
  • 2022-08-05: a preliminary patch was applied to foswiki.org and blog.foswiki.org to secure the system
  • 2022-08-05: hotfix made available, security ML was informed
  • 2022-08-06: updated hotfix
  • 2022-10-22: CVE Request 1349733 for CVE ID Request … first attempt
  • 2023-01-26: CVE Request 1397709 for CVE ID Request … second attempt
  • 2023-03-08: CVE-2023-24698 approved
  • 2023-08-06: fix released in Foswiki-2.1.8

Topic revision: r3 - 06 Aug 2023, MichaelDaum
