
Item15192: SpreadSheetPlugin's EVAL feature exposes information about paths and files on the server

Priority: Security
Current State: Closed
Released In: 2.1.8
Target Release: patch
Applies To: Extension
Component: SpreadSheetPlugin
Branches: Release02x01 master
Reported By: MichaelDaum
Waiting For:
Last Change By: MichaelDaum

Contact

Abian Manuel Blome

Siemens Energy Global GmbH & Co. KG
Siemens Energy
Cybersecurity
Technologies
SE CYS A&R TEC
Otto-Hahn-Ring 6
81739 Munich, Germany

Problem description

By abusing the SpreadSheetPlugin EVAL feature, it is possible to gain information about paths and files on the server.

How to reproduce

The EVAL feature of the plugin allows simple evaluation of formulas, which are passed to the Perl eval function. While there is filtering in place, the use of <, >, *, /, . and e allows making statements such as the following: <*>. This statement returns the filename of the first file in the current directory. This is effectively evaluating a Perl file glob.

This can be combined with the path traversal sequence ../ to get the first file in all directories from the installation folder up to the root folder. Furthermore, the regexes in place substitute the string "ee" with a single "e", which allows attackers to disclose the first file in a folder starting with the letter "e". For example:

https://<target>/bin/view/System/SpreadSheetPlugin?formula=%24EVAL%28%24CHAR%2860%29../../../ee*/*+%24CHAR%2862%29%29

While the use of % also allows access to hashmaps, we were not able to leverage it to access anything other than the current module name.

Impact

An attacker can gain information about the server such as paths or files.

Prerequisites

No prerequisites are necessary, as the demo page is accessible without authentication.

Timeline

  • 2023-05-17: email from Abian Manuel Blome
  • 2023-05-17: first hotfix checked in to 2.1x and master branches
  • 2023-05-17: filed a CVE-request
  • 2023-05-17: updated hotfix multiple times
  • 2023-05-17: applied hotfix to foswiki.org and blog.foswiki.org
  • 2023-05-22: updated hotfix based on Abian's feedback
  • 2023-05-23: reworked patch to trap any globbing within an $EVAL() expression
  • 2023-05-31: CVE-2023-33756 approved

Hotfix

Calc_pm.patch

-- MichaelDaum - 17 May 2023

Besides this fix, System.SpreadSheetPlugin will be view-restricted to registered users only.

-- MichaelDaum - 17 May 2023

Abian keeps on testing the hotfix. Holidays in between.

-- MichaelDaum - 17 May 2023

New approach using Safe evaluation.

-- MichaelDaum - 23 May 2023
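The glob leak described under "How to reproduce" and the Safe-based evaluation mentioned in the comment above, side by side, as an added example that is not part of this task, of Abian's report or of the plugin's Calc.pm. The character whitelist and the "ee" to "e" collapse in filter_expr are a hypothetical approximation of the filtering the report describes, not the plugin's actual regexes; the directory tree is constructed by the script itself so nothing on a real server is read.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Safe;
use Cwd qw(getcwd);
use File::Temp qw(tempdir);

# Shared pre-filter. Hypothetical approximation of the whitelist the report
# describes (digits, arithmetic and comparison punctuation, whitespace, the
# letter e, and the "ee" -> "e" collapse); it is NOT the plugin's Calc.pm.
sub filter_expr {
    my ($expr) = @_;
    $expr =~ s/[^0-9.+\-*\/%()<>=!&|\se]//g;
    $expr =~ s/ee/e/g;
    return $expr;
}

# Pre-fix behaviour: the filtered string goes straight to string eval, so
# "<*>" compiles to a glob op and returns the first matching file name.
sub vulnerable_eval {
    my ($expr) = @_;
    my $result = eval filter_expr($expr);
    return $result if defined $result;
    chomp(my $err = $@);
    return "ERROR: $err";
}

# Hardened variant: same filter, but the string is compiled and run inside a
# Safe compartment. Safe's default opcode mask excludes the :subprocess group,
# which is where Perl's glob op lives, so "<*>" is refused at compile time
# ("'glob' trapped by operation mask") instead of touching the filesystem.
sub safe_eval {
    my ($expr) = @_;
    my $cpt    = Safe->new;
    my $result = $cpt->reval(filter_expr($expr));
    if ($@) {
        chomp(my $err = $@);
        return "ERROR: $err";
    }
    return $result;
}

# Constructed fixture: a throwaway tree standing in for an installation
# directory, so the demo runs offline and never reads real server paths.
my $orig = getcwd();
my $base = tempdir(CLEANUP => 1);
mkdir "$base/work"  or die "mkdir: $!";
mkdir "$base/extra" or die "mkdir: $!";
for my $f ("$base/work/alpha.txt", "$base/work/beta.txt", "$base/extra/secret.conf") {
    open my $fh, '>', $f or die "$f: $!";
    close $fh;
}
chdir "$base/work" or die "chdir: $!";

# '<*>' leaks the first file in the cwd; '<../ee*/*>' becomes '<../e*/*>'
# after the ee collapse and walks up into a sibling directory starting with e.
for my $expr ('2*(3+4)', '1e3/4', '<*>', '<../ee*/*>') {
    printf "%-12s vulnerable: %-22s safe: %s\n",
        $expr, vulnerable_eval($expr), safe_eval($expr);
}
chdir $orig;    # leave the temp dir so CLEANUP can remove it
```

The two arithmetic inputs evaluate identically in both variants (14 and 250); the two glob inputs return alpha.txt and ../extra/secret.conf from the plain eval and an operation-mask error from the Safe compartment. The character filter alone is not a fix, since every character a glob needs is on its whitelist; restricting the opcode set is what actually removes the primitive.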

Waiting for the official CVE ID to be assigned.

-- MichaelDaum - 25 May 2023

More at Support.SecurityAlert-CVE-2023-33756

-- MichaelDaum - 31 May 2023
 
Topic revision: r12 - 06 Aug 2023, MichaelDaum