 |
|
You are here: Foswiki>Support Web>SecurityAlert-CVE-2023-33756 (06 Aug 2023, MichaelDaum)Edit Attach
plain text
Security Alert: SpreadSheetPlugin's EVAL feature exposes infromation about paths and files on the server
Get Alerted: to get immediate alerts of high priority security issues, please join the low-volume foswiki-announce list - details at MailingLists Severity Level
Severity 1 issue: The web server can be compromised The severity level was assigned by the Foswiki SecurityTaskTeam as documented in SecurityAlertProcessMITRE Name for this Vulnerability
The Common Vulnerabilities and Exposures project has assigned the name CVE-2023-33756 to this vulnerability.Vulnerable Software Versions
- Foswiki 1.0.0, Foswiki 1.0.0-beta1, Foswiki 1.0.0-beta2, Foswiki 1.0.0-beta3, Foswiki 1.0.1, Foswiki 1.0.2, Foswiki 1.0.3, Foswiki 1.0.4, Foswiki 1.0.5, Foswiki 1.0.6, Foswiki 1.0.7, Foswiki 1.0.8, Foswiki 1.0.9, Foswiki 1.0.9-rc1, Foswiki 1.0.9-RC2, Foswiki 1.0.10, Foswiki 1.0.10-rc1, Foswiki 1.1.0, Foswiki 1.1.0-beta1, Foswiki 1.1.0-RC1, Foswiki 1.1.1, Foswiki 1.1.2, Foswiki 1.1.3, Foswiki 1.1.3-RC1, Foswiki 1.1.4, Foswiki 1.1.4-RC2, Foswiki 1.1.5, Foswiki 1.1.6, Foswiki 1.1.7, Foswiki 1.1.8, Foswiki 1.1.9, Foswiki 1.1.10, Foswiki 1.1.10-RC1, Foswiki 1.2.0_Beta_1, Foswiki 1.2.0_Beta_2, Foswiki 2.0.0, Foswiki 2.0.0-RC1, Foswiki 2.0.0-RC2, Foswiki 2.0.1, Foswiki 2.0.2, Foswiki 2.0.3, Foswiki 2.1.0, Foswiki 2.1.0-Beta1, Foswiki 2.1.1, Foswiki 2.1.1-RC1, Foswiki 2.1.1-RC2, Foswiki 2.1.2, Foswiki 2.1.3, Foswiki 2.1.3-Beta1, Foswiki 2.1.3-Beta2, Foswiki 2.1.3-RC1, Foswiki 2.1.4, Foswiki 2.1.4-RC1, Foswiki 2.1.4-RC2, Foswiki 2.1.4-RC3, Foswiki 2.1.5, Foswiki 2.1.5-RC, Foswiki 2.1.6, Foswiki 2.1.7
Attack Vectors
The EVAL feature of the plugin allows simple evaluation of formulas which are passed to the perl eval function. While there is filtering in place, the use of <, >, *, /, . and e allows to make statements such as the following: <*>. This statement returns the filename of the first file in the current directory. This basically is evaluating a perl file glob. This can be combined with the path traversal sequence ../ to get the first file in all directories from the installation folder up to the root folder. Furthermore, the regexes in place substitute the string "ee" with a single "e", which allows attackers to disclose the first file in a folder starting with the letter "e". For example:https://<target>/bin/view/System/SpreadSheetPlugin?formula=%24EVAL%28%24CHAR%2860%29../../../ee*/*+%24CHAR%2862%29%29While the use of % also allows access to hashmaps, we were not able to leverage it to access anything other than the current module name.
Impact
An attacker can gain information about the server such as paths or files.Details
No prerequisites are necessary, as the demo page is accessible without authentication.Countermeasures
- Apply hotfix to
Calc.pm. - Restrict unauthorized access to the System.SpreadSheetPlugin topic.
- Upgrade to the latest patched production FoswikiRelease02x01x08.
Authors and Credits
Abian Manuel Blome Siemens Energy Global GmbH & Co. KG Siemens Energy Cybersecurity Technologies SE CYS A&R TEC Otto-Hahn-Ring 6 81739 Munich, Germany
Action Plan with Timeline
- 2023-05-17: email from Abian Manuel Blome
- 2023-05-17: first hotfix checked in to 2.1x and master branches
- 2023-05-17: filed a CVE-request
- 2023-05-17: updated hotfix multiple times
- 2023-05-17: applied hotfix to foswiki.org and blog.foswiki.org
- 2023-05-22: updated hotfix based on Abian's feedback
- 2023-05-23: reworked patch to trap any globbing within an
$EVLA()expression - 2023-05-31: CVE-2023-33756 was assigned
- 2023-08-06: fix released in Foswiki-2.1.8
Edit | Attach | Print version | History: r2 < r1 | Backlinks | View wiki text | Edit wiki text | More topic actions
Topic revision: r2 - 06 Aug 2023, MichaelDaum
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. 
Legal Imprint Privacy Policy
Legal Imprint Privacy Policy