CERTVU:362012TWiki command execution vulnerability
6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.124 Low
EPSS
Percentile
95.5%
Overview
The TWiki wiki software fails to validate input passed to certain URLs. By accessing a URL containing the TWiki configuration script, an attacker may be able to read arbitrary files.
Description
TWiki is a wiki that is runs in the context of the Apache web server. TWiki is installed by configuring Apache, then accessing a configuration script from a web browser. Before executing the configuration script, the TWiki installation instructions provide a generator for Apache configuration directives that is designed to prevent unauthorized access to the script.
There is a command execution vulnerability in TWiki versions prior to 4.2.3. According to the TWiki download page, this issue can only be exploited if the configure script was not secured as described in step number 8 in the installation guide.
Public exploit code has been released that targets this vulnerability. TWiki servers typically use predictable URLs and vulnerable systems may be found by querying search engines.
Impact
A remote attacker may be able to execute arbitrary commands or view arbitrary configuration files on a vulnerable system.
Solution
TWiki versions 4.2.0 and higher
The TWiki team has provided a configuration script to address this issue. The script is available here: <http://twiki.org/p/pub/Codev/TWikiRelease04x02x03/configure>
TWiki versions prior to 4.2.0
See <http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2008-3195#Hotfix_for_older_TWiki_versions> for more information and refer to step 8 in the Twiki installation guide.
Make the configure script not executable
Removing, renaming or marking the TWiki configure script (twiki/bin/configure) as not executable will prevent this vulnerability from being exploited.
Restrict access
Restricting access by using a web application or string-matching firewall to block URLs that contain the string /bin/configure may partially mitigate this vulnerability. An example of a string matching rule using iptables is:
iptables -A INPUT -p tcp --dport 80 -m string --string '/bin/configure' --algo bm -j DROP
This workaround is unlikely to be effective in many cases, such as when the server uses the https protocol. This firewall rule should be tested before using on a production system.
Vendor Information
362012
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
TWiki __ Affected
Updated: September 12, 2008
Status
Affected
Vendor Statement
See <http://twiki.org/cgi-bin/view/Codev/TWikiRelease04x02x03#4_2_3_Bugfix_Highlights> for more information.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
- <http://twiki.org/cgi-bin/view/TWiki/TWikiInstallationGuide#8>
- <http://twiki.org/cgi-bin/view/TWiki.ApacheConfigGenerator>
- <http://twiki.org/p/pub/Codev/TWikiRelease04x02x03/configure>
- <http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2008-3195#Hotfix_for_older_TWiki_versions>
- <http://www.milw0rm.com/exploits/6269>
Acknowledgements
Thanks to the TWiki team for information that was used in this report.
This document was written by Ryan Giobbi.
Other Information
| CVE IDs: | None |
|---|---|
| Severity Metric: | 38.25 Date Public: |
Related
6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.124 Low
EPSS
Percentile
95.5%