
Security Alert: User Registration process can be compromised through user registration.

Get Alerted: to get immediate alerts of high priority security issues, please join the low-volume foswiki-announce list. Details are at MailingLists.

A guest user can create a Main.UserRegistration topic which will override the default System.UserRegistration. A guest user can also create a Main.DefaultWebStatistics topic, which will be included into the WebStatistics pages.

Severity Level

Severity 2 issue: The Foswiki installation is compromised

The severity level was assigned by the Foswiki SecurityTaskTeam as documented in SecurityAlertProcess

MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name CVE-2018-7446 to this vulnerability.

Vulnerable Software Versions

Fixed in Foswiki FoswikiRelease02x01x06

Attack Vectors

Remote guest user can register with a name that becomes the UserRegistration page. Registered users may be able to replace or modify the User Registration page. A similar vulnerability exists for the DefaultWebStatistics page, which is included into the WebStatistics reports.

Impact

If the System.UserRegistration page is overridden, it is possible that future registration submissions could be intercepted or modified. If the user simply registered as "User Registration", the result is a denial of service, as the default registration page is no longer accessible.

If the System.DefaultWebStatistics page is overridden, it's possible to inject content into the WebStatistics reports.

Details

In Foswiki Wiki software 1.1.0 through 2.1.5, when the default User Registration page is enabled, a remote attacker can register using the "User" forename and the "Registration" surname, and consequently take control over the User Registration page. This could potentially lead to a phishing or other similar malicious action.

In Foswiki Wiki software 1.1.4 through 2.1.5, the System.DefaultWebStatistics topic is subject to the same vulnerability.

Foswiki 1.0.x is not vulnerable.

Existing Foswiki content and/or user data is not exposed.

  • To the best of our knowledge, only sites that use the default Foswiki user manager are affected.
  • Sites that do not support new user registration are not vulnerable.
  • Sites that have a custom %USERSWEB%.UserRegistration that is protected from changes are not vulnerable.
  • Sites that support user registrations that have not provided a custom %USERSWEB%.UserRegistration may be vulnerable.

For the WebStatistics topic vulnerability:
  • The exposure starts with Foswiki 1.1.4. Older versions are not vulnerable.
  • If you do not run statistics generation, or you do not support new user registration, you are not vulnerable.
  • Sites that have a custom %USERSWEB%.DefaultWebStatistics that is protected from changes are not vulnerable.
  • Sites that run statistics generation that have not provided a custom %USERSWEB%.DefaultWebStatistics may be vulnerable.

Countermeasures

Authors and Credits

This issue was detected internally by George Clark as part of routine testing.

Hotfix for Foswiki Production Release 1.1.0 - 2.1.5

If User Registration is active on your site, we recommend that administrators take the following actions immediately:

  • If your site has a customized User Registration page:
    • Examine the permissions of the Main.UserRegistration page and confirm that the ACLs restrict any changes by unauthorized users.
    • If the page is not protected, examine the history and content to ensure there have been no undesirable changes.
  • If your site does not have a custom User Registration page:
    • Copy System.DefaultUserRegistration to the UserRegistration topic in the Users web (typically Main.UserRegistration).
    • Set the ACLs to prevent any unauthorized changes. Use the More topic actions -> Settings page to add the following setting:
         * Set ALLOWTOPICCHANGE = AdminGroup

If you run the Web Statistics tasks, we recommend that administrators take the following actions immediately:
  • Follow the same steps as for UserRegistration.
    • If Main.DefaultWebStatistics exists, make sure it's protected.
    • If not, copy System.DefaultWebStatistics to Main.DefaultWebStatistics and ensure that it's protected.

This change prevents any user, and the user registration process itself, from creating or changing the UserRegistration or DefaultWebStatistics topics.
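As an added example (not part of this advisory or of the Foswiki code base), the following POSIX shell helper audits an installation for the two topics the hotfix above covers. It assumes the standard Foswiki layout, where a topic is stored as data/<Web>/<Topic>.txt below the installation root, and that the Users web is Main; the FOSWIKI_ROOT and USERS_WEB variables, the function names and the sample topic content in the comments are assumptions of this example. Each topic is reported as MISSING, UNPROTECTED or PROTECTED, based on whether the topic file carries an ALLOWTOPICCHANGE setting line, and a missing topic can be seeded from its System default with the AdminGroup ACL appended, which is the setting the advisory recommends.

```shell
#!/bin/sh
# Added audit helper for the Foswiki UserRegistration / DefaultWebStatistics override issue.
# Not from the advisory or the Foswiki project. Assumptions: topics live at
# $FOSWIKI_ROOT/data/<Web>/<Topic>.txt and the Users web is "Main".

FOSWIKI_ROOT="${FOSWIKI_ROOT:-/var/www/foswiki}"
USERS_WEB="${USERS_WEB:-Main}"

# Foswiki preference settings are topic lines of the form "   * Set NAME = value".
# Returns 0 when the topic file sets ALLOWTOPICCHANGE to a non-empty value.
topic_has_change_acl() {
    # $1 = path to a topic .txt file
    grep -Eq '^[[:space:]]+\*[[:space:]]+Set[[:space:]]+ALLOWTOPICCHANGE[[:space:]]*=[[:space:]]*[^[:space:]]' "$1"
}

# Classify one Users-web topic: prints MISSING, UNPROTECTED or PROTECTED.
audit_topic() {
    # $1 = topic name, e.g. UserRegistration
    topic_file="$FOSWIKI_ROOT/data/$USERS_WEB/$1.txt"
    if [ ! -f "$topic_file" ]; then
        echo "MISSING"
    elif topic_has_change_acl "$topic_file"; then
        echo "PROTECTED"
    else
        echo "UNPROTECTED"
    fi
}

# Seed a MISSING Users-web topic from its System default and append the recommended ACL.
# An existing topic is never overwritten: its history has to be reviewed by hand, as the
# advisory says. Returns 1 if the destination exists or the System default is absent.
create_protected_topic() {
    # $1 = Users-web topic name, $2 = System topic to copy from
    dest="$FOSWIKI_ROOT/data/$USERS_WEB/$1.txt"
    src="$FOSWIKI_ROOT/data/System/$2.txt"
    [ -f "$dest" ] && return 1
    [ -f "$src" ] || return 1
    cp "$src" "$dest" || return 1
    printf '\n   * Set ALLOWTOPICCHANGE = AdminGroup\n' >> "$dest"
}

# Report the state of both topics named in the advisory.
audit_all() {
    for t in UserRegistration DefaultWebStatistics; do
        printf '%s.%s: %s\n' "$USERS_WEB" "$t" "$(audit_topic "$t")"
    done
}

audit_all
```

The check is a presence check on the topic's own ALLOWTOPICCHANGE line, not a full ACL evaluation (web-level settings and DENYTOPICCHANGE are not consulted), so treat UNPROTECTED as a prompt to open the topic's Settings page rather than as a final verdict. The create_protected_topic function writes the file directly into the data directory, which bypasses the store's revision history; for the actual fix, prefer the wiki route described above and use the helper to find installations or webs that still need it.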

Any sites using NatEditPlugin should also install the updated version that is available now. It contains some changes that will help ensure ACLs are preserved when topics are copied or edited.

We strongly recommend upgrading to FoswikiRelease02x01x06 as soon as it's available. Foswiki 2.1.6 will have additional controls that prevent any changes to certain critical topics that are overridden using the Users web. We intend to release 2.1.6 on Friday 2 March 2018.

Creating and protecting the topics Main.UserRegistration and Main.DefaultWebStatistics is sufficient to protect you from the identified vulnerability. The following patches provide some additional protections but are not required.

If you are unable to upgrade to Foswiki 2.1.6, the following patches are available. If your site is using NatEditPlugin, the 25 Feb 2018 release of this extension should also be installed; if not, we suggest discontinuing use of NatEdit by removing the "natedit" skin from the SKIN setting.

The patch files update the following files:
  • Foswiki 2.x: lib/Foswiki.spec and lib/Foswiki/Access/TopicACLAccess.pm
  • Foswiki 1.1.x: lib/Foswiki.spec, lib/Foswiki/Meta.pm and lib/Foswiki/UI/Register.pm

The patch files can be installed with the patch utility, or can be applied manually.
  • Make a backup.
  • Download the appropriate patch for your system.
  • Change to the top directory of your Foswiki installation (e.g. /var/www/foswiki).
  • Patch the system by running:
      patch -p1 < patchItem14629-<version>

Action Plan with Timeline

Attachments:
  • patchItem14629-1.1.x (2 K, 25 Feb 2018 04:21, GeorgeClark): Patch for Foswiki 1.1.x (1.1.0 - 1.1.10)
  • patchItem14629-2.x (1 K, 25 Feb 2018 04:22, GeorgeClark): Patch for Foswiki 2.x (2.0.0 - 2.1.5)
Topic revision: r12 - 08 Mar 2023, MichaelDaum
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere.