Vulners
Lucene search
Tuleap Project Wiki 8.3 < 9.6.99.86 - Command Injection
| Reporter | Title | Published | Views | Family All 10 |
|---|---|---|---|---|
 | Tuleap 9.6.99.86 Command Injection Vulnerability | 1 May 201700:00 | – | zdt |
 | CVE-2017-7981 | 1 May 201700:00 | – | circl |
 | Tuleap Project Wiki Command Injection Vulnerability | 2 May 201700:00 | – | cnvd |
 | CVE-2017-7981 | 29 Apr 201716:00 | – | cve |
 | CVE-2017-7981 | 29 Apr 201716:00 | – | cvelist |
 | Tuleap Project Wiki 8.3 9.6.99.86 - Command Injection | 1 May 201700:00 | – | exploitpack |
 | CVE-2017-7981 | 29 Apr 201716:59 | – | nvd |
 | Tuleap < 9.7 Remote OS Command Injection Vulnerability | 28 Jun 201700:00 | – | openvas |
 | Tuleap 9.6.99.86 Command Injection | 29 Apr 201700:00 | – | packetstorm |
 | Command injection | 29 Apr 201716:59 | – | prion |
10
# Tuleap - Command Injection in Project Wiki
**CVE:** CVE-2017-7981
**CVSSv3:** 9.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C)
**Versions affected:** >= 8.3 and <= 9.6.99.86
## Introduction
Tuleap is a Libre suite to plan, track, code and collaborate on software
projects. Tuleap helps development teams to build awesome applications,
better, faster, easier.
## Background
Tuleap uses PHPWiki as a plugin to provide a weak feature for
projects. The version of PHPWiki used is 1.3.10. This version contains a
command injection vulnerability in the SyntaxHighlighter plugin. Other
applications that use PHPWiki similar to Tuleap will also be affected
by this issue.
The latest version of PHPWiki is 1.5.5 and is no longer vulnerable to this issue.
## Vulnerability
Authenticated users, including unprivileged users, with access to a
project containing a wiki, can exploit this command injection
(CI) vulnerability to gain remote unauthorised access to the server
hosting the Tuleap web application.
RCE is achieved by entering a SyntaxHighlighter plugin directive in a
new wiki page on any wiki available in any project. The SyntaxHighligter
plugin in vulnerable versions of PHPWiki passes the `syntax` argument
to the `proc_open()` PHP builtin function which spawns a process in the
operating system running the web application.
The following is an example plugin directie which would cause the `id(1)`
command to be executed on a Linux server running an affected version
of Tuleap.
```
<?plugin SyntaxHighlighter syntax="c;id"
code to be highlighted
?>
```
The result of the command execution can be seen in the image below.
## Versions Affected
This vulnerability has existed in the version of PHPWiki used by the
Tuleap project since at least version 8.3 through to 9.6.99.86.
## References
https://github.com/xdrr/vulnerability-research/blob/master/webapp/tuleap/2017.04.tuleap-auth-ci.md
https://tuleap.net/plugins/tracker/?aid=10159
## Credit
This vulnerability was discovered by Ben N ([email protected]) 19
April 2017.Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 May 2017 00:00Current
8.8High risk
Vulners AI Score8.8
CVSS 38.8
CVSS 29
EPSS0.12002