CVE-2023-33756: SecurityAlert-CVE-2023-33756 (Foswiki Support)

An issue in the SpreadSheetPlugin component of Foswiki v2.1.7 and below allows attackers to execute a directory traversal.

Security Alert: SpreadSheetPlugin's EVAL feature exposes information about paths and files on the server

Get Alerted: to receive immediate alerts of high-priority security issues, please join the low-volume foswiki-announce list; details are at MailingLists.

By abusing the SpreadSheetPlugin EVAL feature, it is possible to gain information about paths and files on the server.

  • Severity Level
  • MITRE Name for this Vulnerability
  • Vulnerable Software Versions

Severity Level

Severity 1 issue: The web server can be compromised

The severity level was assigned by the Foswiki SecurityTaskTeam as documented in SecurityAlertProcess.

MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name CVE-2023-33756 to this vulnerability.

Vulnerable Software Versions

  • Foswiki 1.0.0, Foswiki 1.0.0-beta1, Foswiki 1.0.0-beta2, Foswiki 1.0.0-beta3, Foswiki 1.0.1, Foswiki 1.0.2, Foswiki 1.0.3, Foswiki 1.0.4, Foswiki 1.0.5, Foswiki 1.0.6, Foswiki 1.0.7, Foswiki 1.0.8, Foswiki 1.0.9, Foswiki 1.0.9-rc1, Foswiki 1.0.9-RC2, Foswiki 1.0.10, Foswiki 1.0.10-rc1, Foswiki 1.1.0, Foswiki 1.1.0-beta1, Foswiki 1.1.0-RC1, Foswiki 1.1.1, Foswiki 1.1.2, Foswiki 1.1.3, Foswiki 1.1.3-RC1, Foswiki 1.1.4, Foswiki 1.1.4-RC2, Foswiki 1.1.5, Foswiki 1.1.6, Foswiki 1.1.7, Foswiki 1.1.8, Foswiki 1.1.9, Foswiki 1.1.10, Foswiki 1.1.10-RC1, Foswiki 1.2.0_Beta_1, Foswiki 1.2.0_Beta_2, Foswiki 2.0.0, Foswiki 2.0.0-RC1, Foswiki 2.0.0-RC2, Foswiki 2.0.1, Foswiki 2.0.2, Foswiki 2.0.3, Foswiki 2.1.0, Foswiki 2.1.0-Beta1, Foswiki 2.1.1, Foswiki 2.1.1-RC1, Foswiki 2.1.1-RC2, Foswiki 2.1.2, Foswiki 2.1.3, Foswiki 2.1.3-Beta1, Foswiki 2.1.3-Beta2, Foswiki 2.1.3-RC1, Foswiki 2.1.4, Foswiki 2.1.4-RC1, Foswiki 2.1.4-RC2, Foswiki 2.1.4-RC3, Foswiki 2.1.5, Foswiki 2.1.5-RC, Foswiki 2.1.6, Foswiki 2.1.7

Fixed in Foswiki 2.1.8

Attack Vectors

The EVAL feature of the plugin allows simple evaluation of formulas, which are passed to the Perl eval function. While there is filtering in place, the characters <, >, *, /, . and e are still permitted, which makes it possible to write a statement such as <*>. Perl evaluates this as a file glob, so the statement returns the name of the first file in the current directory.

This can be combined with the path traversal sequence ../ to obtain the first file in every directory from the installation folder up to the root folder. Furthermore, the regexes in place substitute the string "ee" with a single "e", which allows an attacker to disclose the first file in a folder whose name starts with the letter "e". For example:

https://<target>/bin/view/System/SpreadSheetPlugin?formula=%24EVAL%28%24CHAR%2860%29../../../ee*/*+%24CHAR%2862%29%29

While the use of % also allows access to Perl hashes, we were not able to leverage it to access anything other than the current module name.
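As an added example that is not part of the advisory or of the Foswiki code, the following Python scans constructed access-log lines for $EVAL() formulas that carry Perl glob or path-traversal syntax, after undoing the URL encoding and the $CHAR() construction used in the request above. The combined log format, the sample lines and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed log format: Apache/nginx "combined" access log (samples below are constructed).
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
CHAR_RE = re.compile(r'\$CHAR\((\d+)\)', re.IGNORECASE)
EVAL_RE = re.compile(r'\$EVAL\((.*)\)', re.IGNORECASE | re.DOTALL)
GLOB_RE = re.compile(r'<[^>]*[*?][^>]*>')  # Perl <...> glob containing a wildcard
TRAVERSAL_RE = re.compile(r'\.\./')

def normalise_formula(line):
    """Extract the 'formula' query parameter from one log line and undo the layers
    an abuser can hide behind: URL encoding (twice, so %2524 still resolves) and
    $CHAR(n) calls, which yield single characters such as < (60) and > (62)."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    params = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
    if 'formula' not in params:
        return None
    formula = unquote(params['formula'][0])  # parse_qs already decoded once
    return CHAR_RE.sub(lambda c: chr(int(c.group(1))) if int(c.group(1)) < 128
                       else c.group(0), formula)

def classify(formula):
    """Return the reasons a normalised formula looks like glob/traversal abuse in $EVAL()."""
    reasons = []
    m = EVAL_RE.search(formula or '')
    if not m:
        return reasons
    body = m.group(1)
    if GLOB_RE.search(body):
        reasons.append('glob')
    if TRAVERSAL_RE.search(body):
        reasons.append('traversal')
    return reasons

def scan(lines):
    """Map the index of each suspicious log line to its reasons."""
    return {i: r for i, line in enumerate(lines)
            if (r := classify(normalise_formula(line)))}

# Constructed sample traffic: a benign formula, the traversal/glob request from
# the advisory, and a double-encoded <*> glob.
SAMPLE_LOG = [
    '192.0.2.10 - - [17/May/2023:10:00:01 +0000] "GET /bin/view/System/SpreadSheetPlugin?formula=%24EVAL%282%2B2%29 HTTP/1.1" 200 512',
    '192.0.2.11 - - [17/May/2023:10:00:02 +0000] "GET /bin/view/System/SpreadSheetPlugin?formula=%24EVAL%28%24CHAR%2860%29../../../ee*/*+%24CHAR%2862%29%29 HTTP/1.1" 200 640',
    '192.0.2.12 - - [17/May/2023:10:00:03 +0000] "GET /bin/view/System/SpreadSheetPlugin?formula=%2524EVAL%2528%2524CHAR%252860%2529*%2524CHAR%252862%2529%2529 HTTP/1.1" 200 640',
]
```

Running scan(SAMPLE_LOG) flags the second and third lines; the first, a plain arithmetic formula, is left alone.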

Impact

An attacker can gain information about the server such as paths or files.

Details

No prerequisites are necessary, as the demo page is accessible without authentication.

Countermeasures

  • Apply hotfix to Calc.pm.
  • Restrict unauthorized access to the System.SpreadSheetPlugin topic.
  • Upgrade to the latest patched production FoswikiRelease02x01x08.

Reported by: Abian Manuel Blome
Siemens Energy Global GmbH & Co. KG, Siemens Energy Cybersecurity Technologies (SE CYS A&R TEC)
Otto-Hahn-Ring 6, 81739 Munich, Germany

Action Plan with Timeline

  • 2023-05-17: email from Abian Manuel Blome
  • 2023-05-17: first hotfix checked in to 2.1x and master branches
  • 2023-05-17: filed a CVE-request
  • 2023-05-17: updated hotfix multiple times
  • 2023-05-17: applied hotfix to foswiki.org and blog.foswiki.org
  • 2023-05-22: updated hotfix based on Abian’s feedback
  • 2023-05-23: reworked patch to trap any globbing within an $EVAL() expression
  • 2023-05-31: CVE-2023-33756 was assigned
  • 2023-08-06: fix released in Foswiki-2.1.8
