
Twiki rev Parameter Arbitrary Shell Command Execution

High

Synopsis

An attacker can run arbitrary shell commands on the remote system.

Description

The remote host is running Twiki, an open-source wiki application written in Perl. This version of Twiki is vulnerable to a command injection flaw: the value of the 'rev' request parameter is passed to a shell without sanitization, so an attacker who supplies a command (for example within backticks) in the 'rev' parameter can execute arbitrary commands on the web server with the privileges of the web server process. Example:

GET /cgi-bin/TwikiUsers?rev=1%20%7ccat%20/etc/passwd
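Added here as an example, not part of the advisory or of Twiki itself: a defender-side check in Python that applies an allow-list to the decoded 'rev' value (only a plain revision number is accepted) and runs it over constructed access-log lines, flagging the request shown above. Note that the '%7c' in that request decodes to a pipe, so the check rejects every non-numeric value rather than looking for backticks alone. The Common Log Format layout and the numeric-only shape of a legitimate 'rev' are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log entries (not taken from the advisory); the second one
# carries the request shown in the description, URL-encoded as a client would send it.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2023:10:00:01 +0000] "GET /cgi-bin/view/Main/WebHome?rev=3 HTTP/1.1" 200 5120
10.0.0.7 - - [12/Mar/2023:10:00:02 +0000] "GET /cgi-bin/TwikiUsers?rev=1%20%7ccat%20/etc/passwd HTTP/1.1" 200 2048
10.0.0.9 - - [12/Mar/2023:10:00:03 +0000] "GET /cgi-bin/view/Main/WebHome?rev=1.5 HTTP/1.1" 200 5120
"""

# Common Log Format: client, identd, user, [timestamp], "METHOD path protocol", status, bytes
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Allow-list for a revision selector: digits, optionally a dotted second number ("3", "1.5").
# Assumption: this is the only shape a legitimate rev value takes. Rejecting everything else
# catches pipes, backticks, semicolons and so on without having to enumerate them.
REV_OK = re.compile(r"^\d+(?:\.\d+)?$")


def rev_is_safe(value: str) -> bool:
    """True when an already percent-decoded rev value is a plain revision number."""
    return REV_OK.fullmatch(value) is not None


def suspicious_requests(log_text: str) -> list:
    """Return (client, script_path, decoded_rev) for each request whose rev fails the allow-list."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        client, path = m.group(1), m.group(3)
        parts = urlsplit(path)
        params = parse_qs(parts.query)  # parse_qs percent-decodes the values for us
        for rev in params.get("rev", []):
            if not rev_is_safe(rev):
                hits.append((client, parts.path, rev))
    return hits


if __name__ == "__main__":
    for client, script, rev in suspicious_requests(SAMPLE_LOG):
        print(f"{client} -> {script} rev={rev!r}")
```

The same rev_is_safe allow-list is what the CGI script should enforce before the value reaches any shell or RCS invocation; rejecting the request outright is safer than trying to escape metacharacters.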

Solution

Upgrade or patch according to vendor recommendations.