Hiki Advisory 2004-07-12
Hiki Development Team
Hiki is a Wiki clone written in Ruby. A serious vulnerability in Hiki allows a remote attacker to obtain access to local resources on the system with the privileges of the CGI program. In addition, there are cross-site scripting problems. This document describes the details of these problems.
(1) Management authentication could be bypassed (<= 0.6.3, 0.7-devel-20040407)
When a Hiki is running with a password set, the user is asked to enter the password when following the "Admin" link. If the password is correct, the user is led into the administrative mode and does not have to enter the password again as long as they follow the "OK" link. The problem was that the session was not controlled, so anyone could change settings by issuing a forged copy of the query that is sent when following the "OK" link.
(2) Arbitrary Ruby code could be embedded in the configuration file (<= 0.6.4, 0.7-devel-20040618)
Hiki's settings are stored in the configuration file as a Ruby script. Sanitization of the setting strings was insufficient, allowing an authenticated user to embed arbitrary code into the configuration file. The file is Kernel#eval'ed whenever the CGI is executed, so the arbitrary code runs with the privileges of the CGI program.
For Hiki versions 0.6.3 or earlier and 0.7-devel-20040407 or earlier, anyone could use this vulnerability by bypassing the authentication via the vulnerability described above. For Hiki versions 0.6.4 and 0.7-devel-20040618, anyone could create a Hiki without a password on a HikiFarm and therefore could make use of this vulnerability.
(3) There are cross site scripting (XSS) problems (<= 0.6.4, 0.7-devel-20040618)
Sanitization of strings when creating HTML output was insufficient in Hiki versions 0.6.4 and 0.7-devel-20040618 at the following points:
- base_css and theme_url
- search results
- page names in editing mode
- page name from `attach' plug-in
- theme_url and local_them_url from `local_css' plug-in
- title, style sheet URL and contents from `pagerank'
For Hiki versions 0.6.3 or earlier and 0.7-devel-20040407 or earlier, there were XSS problems at the following points in addition to those listed above:
- output from `rss' plug-in
(1) Management authentication could be bypassed
A session is created when the user follows the "Admin" link. The session is checked whenever a setting is changed, so that the authentication cannot be bypassed.
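The following is an added example, not Hiki's own code, of the session control that the fix for (1) describes: a random session token is issued only when the password is verified, and every settings change must present a live token, so a forged "OK" query without one is rejected. The class and method names, and the 600-second lifetime, are assumptions for the illustration.

```ruby
require 'securerandom'

# Hypothetical minimal model of the fix (added example, not Hiki's code):
# an admin session token is created when the password is verified, and every
# settings change must present a valid token.
class AdminSessions
  SESSION_TTL = 600 # seconds; assumed value

  def initialize(password)
    @password = password
    @sessions = {} # token => expiry time
  end

  # Called when the "Admin" link is followed with a password.
  # Returns a session token on success, nil otherwise.
  def login(password)
    return nil unless secure_equal?(password, @password)
    token = SecureRandom.hex(32)
    @sessions[token] = Time.now + SESSION_TTL
    token
  end

  # Called on every "OK" (settings change) request. Only a request carrying a
  # live token is accepted; a forged query without one is rejected.
  def valid?(token)
    return false if token.nil?
    expiry = @sessions[token]
    return false if expiry.nil?
    if expiry < Time.now
      @sessions.delete(token)
      return false
    end
    true
  end

  def logout(token)
    @sessions.delete(token)
  end

  private

  # Constant-time comparison so the password check does not leak by timing.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Simulated request handling: settings are changed only with a valid session.
# Returns true when the change was applied, false when the request was rejected.
def apply_settings(sessions, token, new_settings, store)
  return false unless sessions.valid?(token)
  store.merge!(new_settings)
  true
end
```

The point of the check is that knowing the shape of the "OK" query is no longer enough: the token is unguessable, bound to a successful password check, and expires.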
(2) Arbitrary Ruby code could be embedded in the configuration file
The configuration file is created through String#dump for String values and Object#inspect for TrueClass and FalseClass values, so that the file can be safely Kernel#eval'ed.
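As an added example (not Hiki's code) covering both the problem described in (2) above and this fix, the following writer emits every setting through String#dump or true/false.inspect, so the generated file contains only Ruby literals and a string holding quotes, `#{...}` or newlines is stored verbatim rather than becoming code when the file is eval'ed. The instance-variable layout, the key whitelist and the `ConfigHolder` loader are assumptions for the illustration.

```ruby
# Generate the configuration file body from a settings hash.
# Only String, true and false values are allowed; anything else is rejected
# rather than serialized with an unsafe to_s.
def generate_config(settings)
  settings.map do |key, value|
    # Keys become instance variable names, so restrict them to identifiers.
    raise ArgumentError, "bad key #{key.inspect}" unless key.to_s =~ /\A[a-z_][a-z0-9_]*\z/
    literal = case value
              when String then value.dump         # escapes ", \, #{...}, newlines
              when true, false then value.inspect # "true" / "false"
              else raise ArgumentError, "unsupported value for #{key}"
              end
    "@#{key} = #{literal}"
  end.join("\n") + "\n"
end

# Load a generated file the way a Hiki-style CGI would: by eval'ing it inside
# a holder object and reading back the instance variables (assumed layout).
class ConfigHolder
  def load(source)
    instance_eval(source)
    instance_variables.each_with_object({}) do |iv, h|
      h[iv.to_s.delete("@")] = instance_variable_get(iv)
    end
  end
end

# Write and read back a settings hash; returns the settings as loaded.
def round_trip(settings)
  ConfigHolder.new.load(generate_config(settings))
end
```

The generator refuses unsupported types instead of falling back to `to_s`, since an unquoted `to_s` of an arbitrary object is exactly the kind of raw string the original code wrote into the file.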
(3) There are cross site scripting (XSS) problems
URIs are CGI.escape'd and other strings are CGI.escapeHTML'ed whenever HTML output is produced, so that all characters are sanitized before output.
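As an added example (not Hiki's code) of the output sanitization described for (3), covering the points listed above (search results, page names in links, and URL settings such as theme_url and base_css), the helpers below pass free text through CGI.escapeHTML, page names in links through CGI.escape, and admin-supplied stylesheet URLs through an http(s) scheme check before HTML-escaping. The function names and the HTML fragments are assumptions for the illustration.

```ruby
require 'cgi'
require 'uri'

# Escape free text (search results, page names, titles) for HTML body and
# attribute contexts.
def h(text)
  CGI.escapeHTML(text.to_s)
end

# Build a safe page link: the page name is URL-encoded as the query value and
# the visible text is HTML-escaped.
def page_link(script_name, page_name)
  %Q(<a href="#{h(script_name)}?#{CGI.escape(page_name)}">#{h(page_name)}</a>)
end

# Settings such as theme_url / base_css are URLs supplied by an admin; accept
# only http(s) URLs and HTML-escape them before embedding in a <link> tag.
# Anything else yields an empty string (no tag emitted).
def stylesheet_link(url)
  uri = begin
    URI.parse(url.to_s)
  rescue URI::Error
    nil
  end
  return "" unless uri.is_a?(URI::HTTP) # URI::HTTPS is a subclass of URI::HTTP
  %Q(<link rel="stylesheet" type="text/css" href="#{h(uri.to_s)}">)
end

# Render search hits as a list, escaping each page name.
def search_results_html(hits)
  items = hits.map { |name| "<li>#{h(name)}</li>" }
  "<ul>\n#{items.join("\n")}\n</ul>"
end
```

Each value is escaped for the context it lands in: URL-encoding for a query component, HTML-escaping for text and attribute values, and a scheme check for a URL that will be used as a resource location, where escaping alone does not decide whether the URL is acceptable.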
The Hiki Development Team has released versions 0.6.5 and 0.7.0-devel-20040626 as fixes for these vulnerabilities. Contact your vendor or distributor for a patch or an update as soon as possible. Please also refer to the news and documentation published by vendors and distributors for details.
The following documents are updated regularly. Please check for the latest version.
- Hiki Official Site https://hikiwiki.org/
- Vulnerability of Hiki (20040628) http://www.namaraii.com/hiki/alert20040628-en.txt
- Lazy Diary (2004-06-28, in Japanese) http://www.namaraii.com/diary/?date=20040628
- Feminine diary (2004-06-28, in Japanese) http://kazuhiko.tdiary.net/20040628.html
- 2004/07/13 1.0 <http://www.namaraii.com/hiki/advisory20040712-en.txt.1.0>: First version in English.
- 2005/07/05 1.1 <http://hikiwiki.org/en/advisory20040712.html>: Revise URIs.