LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Sponsored link

Vyatta – Linux & Open Source Alternative to Cisco – Advanced Routing, Firewall, VPN, QoS..
Free Download ->

Recent Features

LK2008: The values of the Linux community

LWN.net Weekly Edition for October 9, 2008

Plugging into GCC

LWN.net Weekly Edition for October 2, 2008

Ubuntu debuts its Upstream Report

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

High Profile

High Profile

Posted Nov 18, 2004 9:27 UTC (Thu) by daniels (subscriber, #16193)
In reply to: High Profile by elanthis
Parent article: freedesktop.org site compromised

freedesktop.org was compromised via TWiki. The thing is, while we did not have evidence of privilege escalation, the kernel vulnerability used to compromise Debian was unknown (as a vulnerability) until after the fact. So, we took full images of the system and commenced a reinstall, and took a much-needed opportunity to have a serious think about our security mechanisms and do many cleanups, et cetera (our Apache configuration, in particular, was abysmal).

When I looked last night, the only place the advisory was on was packetstormsecurity.org, and there seems to be the possibility of a couple of places where shell commands need cleaning up; of course, you can't tell, because they spend a lot of time bypassing the Taint check. Given this, and the fact that the TWiki site does not acknowledge the existence of this hole via either notes on the site, or a new source release, I would very, very seriously recommend looking at something else. fd.o will be moving to Moin when we spring back up.

(Log in to post comments)

TWiki hole

Posted Nov 18, 2004 11:32 UTC (Thu) by colas (guest, #26092) [Link]

Daniel, on Fri, 12 Nov 2004 17:12:13 -0800 Peter Thoeny sent a security alert to all TWiki webmasters listed at http://twiki.org/cgi-bin/view/Main/TWikiInstallation
as soon as he was aware of the problem, that you can see at:

http://TWiki.org/cgi-bin/view/Codev/SecurityAlertExecuteC...
(Peter did not want to publish the exploit on the web before privately warning by email admins)

I see that you are not listed on the TWikiInstallation page :-(
I guess we (the twiki team) will have to push harder the TWiki site admins
to register there...
But, be assured that we take the security of TWiki seriously.

http://twiki.org/cgi-bin/view/Main/ColasNahaboo

TWiki hole

Posted Nov 18, 2004 12:09 UTC (Thu) by daniels (subscriber, #16193) [Link]

Thanks for your reply. But, surely now it's out in the wild, and people are being actively exploited (we weren't targetted specifically, it was just some Undernet script kiddie randomly scanning large swathes of the web, poking for Apache holes, formmail.pl, whatever), isn't it best to have it out on the site's main page, and a new release out the door with the patch? When I looked last night, neither of these have been done.

TWiki hole

Posted Nov 18, 2004 12:59 UTC (Thu) by colas (guest, #26092) [Link]

Well, what should be done is have all TWiki admins apply the patch, and I do not think they go to TWiki front page very often, so we must rely on other mecanism. So, let's take a small survey, in what way would you (and others reading this thread) have preferred to be warned of security problems?
[1] register on a dedicated twiki-security-alert mailing list
if we said: "please register to this mailing list" in install
instructions, would you have done so (or avoided by fear of spam?)
[2] via another (general) security mailing list (which one?)
[3] via TWiki engine automatically checking for available updates and
mailing you?

TWiki hole

Posted Nov 18, 2004 14:11 UTC (Thu) by hmh (subscriber, #3838) [Link]

[1] You do not have it yet? An announcement mailing list (moderated), where you send at most 1-2 emails/month and all security notices is really a must for any serious project.

[2] You should at the very least notify people through BugTrack, or a bunch of vendor security teams (make sure some Linux distributions are among them, please) which will get word to everyone else.

[3] This would be nice, but you better use proper cryptography to authenticate the updates...

So my reply is all of the above, and that there is no excuse for [1] not being deployed yet.

TWiki hole

Posted Nov 24, 2004 21:58 UTC (Wed) by maphew (guest, #1147) [Link]

>[2] You should at the very least notify people through BugTrack,

A notice was sent through BugTraq on Nov 12th. http://seclists.org/lists/bugtraq/2004/Nov/0187.html

TWiki hole

Posted Nov 24, 2004 22:42 UTC (Wed) by hmh (subscriber, #3838) [Link]

Then the TWiki users can't really complain that there was no notification of the issue, or that it was hidden away inside a Wiki. Maybe it could have been done better, but that's something else.

TWiki hole

Posted Nov 18, 2004 17:27 UTC (Thu) by bronson (subscriber, #4806) [Link]

Um, it is YOUR obligation to notify your users of security holes using any reasonable means possible, especially if the hole is already in the wild! This includes Bugtraq, your front page, your news section, your mailing lists, notifying all distributions that include your package, etc. Projects that do this well are PHP, Apache, Gallery, ISC software, etc.

At this point, it seems like the TWiki project has some serious damage control to perform. How are you going to assure your users that something like this will not happen again?

TWiki hole

Posted Nov 25, 2004 17:22 UTC (Thu) by Cato (subscriber, #7643) [Link]

Try searching for CAN-2004-1037 - this will find all the various reports of this vulnerability to a wide range of security email lists, including Bugtraq (most sent on Nov 12th).

TWiki hole

Posted Nov 18, 2004 18:07 UTC (Thu) by JoeBuck (subscriber, #2330) [Link]

Forget about any mechanism where you tell only registered TWiki users about bugs. The Twiki attempts to pressure people to register are wrong-headed, and there's nothing to stop black hats from subscribing to any mailing list you set up.

Don't hide bugs. Certainly it can be wise to let the good guys have a head start, for example by alerting any distros that package TWiki in advance. But once you know that people are actively exploiting a security hole, it's your obligation to alert the general public.

TWiki hole

Posted Nov 24, 2004 9:47 UTC (Wed) by Cato (subscriber, #7643) [Link]

I agree about the low-volume security alert list - not yet in place, but as one of the developers I will help to make sure this happens. Separately, we removed the requirement to register for <a href="http://twiki.org/download.html">TWiki downloads</a> a while back - in retrospect we should have created the announcement list then.
<p>
There is some discussion of the proposed TWiki <a href="http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertPro...">security alert process</a> at TWiki.org, please feel free to join in there.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds