Date: Thu, 28 Feb 2019 18:08:00 +0000
From: Simon McVittie <smcv@...ian.org>
To: oss-security@...ts.openwall.com
Subject: ikiwiki: CVE-2019-9187: Server-side request forgery

Reference: https://ikiwiki.info/security/#cve-2019-9187
Affected versions: >= 1.13
Fixed versions: >= 3.20190228
Fixed versions (3.20170111.x branch): >= 3.20170111.1

ikiwiki is a static site generator with some dynamic features,
used for wikis, blogs and other websites.

The ikiwiki maintainers discovered that the aggregate plugin (a blog
aggregator) did not try to use the LWPx::ParanoidAgent Perl module, unlike
other parts of ikiwiki that request URIs. On sites where the aggregate
plugin is enabled, authorized wiki editors could tell ikiwiki to fetch
potentially undesired URIs even if LWPx::ParanoidAgent was installed:

* local files via file: URIs
* other URI schemes that might be misused by attackers, such as gopher:
* hosts that resolve to loopback IP addresses (127.x.x.x)
* hosts that resolve to RFC 1918 IP addresses (192.168.x.x etc.)

This could be used by an attacker to publish information that should not have
been accessible, cause denial of service by requesting "tarpit" URIs that are
slow to respond, or cause undesired side-effects if local web servers implement
"unsafe" GET requests (https://tools.ietf.org/html/rfc7231#section-4.2.1).
(CVE-2019-9187)

Additionally, if the LWPx::ParanoidAgent module was not installed, the
blogspam, openid and pinger plugins would fall back to the ordinary LWP
module, which is susceptible to similar attacks. This is unlikely to be
a practical problem for the blogspam plugin because the URL it requests
is under the control of the wiki administrator, but the openid plugin
can request URLs controlled by unauthenticated remote users, and the
pinger plugin can request URLs controlled by authorized wiki editors.

This is addressed in ikiwiki 3.20190228 as follows, with the same fixes
backported to Debian 9 in version 3.20170111.1:

* URI schemes other than http: and https: are not accepted, preventing
  access to file:, gopher:, etc.

* If a proxy is configured in the ikiwiki setup file, it is used for all
  outgoing http: and https: requests. In this case the proxy is
  responsible for blocking any requests that are undesired, including
  loopback or RFC 1918 addresses.

* If a proxy is not configured, and LWPx::ParanoidAgent is installed,
  it will be used. This prevents loopback and RFC 1918 IP addresses, and
  sets a timeout to avoid denial of service via "tarpit" URIs.

* Otherwise, the ordinary LWP user-agent will be used. This allows requests
  to loopback and RFC 1918 IP addresses, and has less robust timeout
  behaviour. We are not treating this as a vulnerability: if this
  behaviour is not acceptable for your site, please make sure to install
  LWPx::ParanoidAgent or disable the affected plugins.
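The selection order above, written out as a small stand-alone Perl script. This is an added example, not ikiwiki's own useragent code; the config keys (http_proxy, https_proxy, timeout), the default timeout and the agent string are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example (not ikiwiki's code): pick an HTTP user-agent in the same
# preference order as the fix: proxy > LWPx::ParanoidAgent > plain LWP.
use strict;
use warnings;
use URI;
use LWP::UserAgent;

# Reject anything that is not http: or https: before touching the network,
# which closes the file: and gopher: cases.
sub check_scheme {
    my ($url) = @_;
    my $uri = URI->new($url);
    my $scheme = $uri->scheme;
    die "refusing non-HTTP URI: $url\n"
        unless defined $scheme && $scheme =~ /^https?$/;
    return $uri;
}

sub useragent {
    my (%config) = @_;            # assumed keys: http_proxy, https_proxy, timeout
    my %common = (
        agent             => 'example-fetcher/0.1',   # assumed agent string
        timeout           => $config{timeout} // 15,  # assumed default
        max_redirect      => 5,
        protocols_allowed => ['http', 'https'],       # also blocks redirects to file: etc.
    );

    if ($config{http_proxy} || $config{https_proxy}) {
        # A proxy is configured: it is responsible for refusing loopback and
        # RFC 1918 destinations, so the ordinary LWP agent is acceptable here.
        my $ua = LWP::UserAgent->new(%common);
        $ua->proxy('http',  $config{http_proxy})  if $config{http_proxy};
        $ua->proxy('https', $config{https_proxy}) if $config{https_proxy};
        return $ua;
    }

    if (eval { require LWPx::ParanoidAgent; 1 }) {
        # ParanoidAgent resolves the host itself, refuses private and loopback
        # addresses, and enforces its timeout on the whole request.
        return LWPx::ParanoidAgent->new(%common);
    }

    # Last resort: no address filtering and weaker timeouts, as the text warns.
    warn "LWPx::ParanoidAgent not installed; private addresses are reachable\n";
    return LWP::UserAgent->new(%common);
}

my $uri = check_scheme($ARGV[0] // 'https://example.com/feed.xml');
my $ua  = useragent(timeout => 15);
print $ua->get($uri)->status_line, "\n";
```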

If your distribution includes an older version of ikiwiki, please either
update to a current version or backport the following commits:

* e7b0d4a "useragent: Raise an exception if the LWP module can't be loaded"
* 67543ce "useragent: Don't allow non-HTTP protocols to be used"
* d283e4c "useragent: Automatically choose whether to use LWPx::ParanoidAgent"
* 9a275b2 "doc: Document security issues involving LWP::UserAgent" (optional)

Regards,
    smcv
