FreeBSD : twiki -- arbitrary shell command execution (b4af3ede-36e9-11d9-a9e7-0001020eed82)
Critical Nessus Plugin ID 36281
Synopsis: The remote FreeBSD host is missing a security-related update.
Description: Hans Ulrich Niedermann reports:
The TWiki search function uses a user-supplied search string to compose a command line executed by the Perl backtick (``) operator.
The search string is not checked properly for shell metacharacters and is thus vulnerable to search strings containing quotes and shell commands.
IMPACT: An attacker is able to execute arbitrary shell commands with the privileges of the TWiki process.
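The following is an added illustration of the bug class described above, written for this page; it is not TWiki's code and does not reproduce TWiki's actual search routine. It builds two constructed "topic" files in a temporary directory, runs a search the vulnerable way (search string interpolated into a backtick command line, so the shell parses it) and then the hardened way (list-form pipe open, which hands each argument straight to execve(2) with no shell). The payload string, the temporary files and the grep invocation are all assumptions made for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Constructed sample "wiki topics" so the script runs stand-alone (not TWiki data).
my $dir = tempdir(CLEANUP => 1);
for my $name (qw(WebHome SearchTopic)) {
    open my $fh, '>', "$dir/$name.txt" or die "cannot write $name: $!";
    print $fh "$name mentions Perl backticks\n";
    close $fh;
}

# Vulnerable pattern: the user-supplied search string is interpolated into a
# command line and run with the backtick operator. Because the whole string
# goes through /bin/sh, any quotes or metacharacters in it are parsed by the
# shell rather than treated as part of the pattern.
sub search_vulnerable {
    my ($search) = @_;
    my $out = `cd $dir && grep -il "$search" *.txt 2>/dev/null`;
    return $out;
}

# Hardened pattern: list-form pipe open. With more than one argument Perl
# execs the program directly, so $search arrives as a single literal argv
# element no matter what it contains. The '--' stops grep from reading a
# leading '-' in the search string as an option.
sub search_fixed {
    my ($search) = @_;
    opendir(my $dh, $dir) or die "cannot read $dir: $!";
    my @files = map { "$dir/$_" } grep { /\.txt\z/ } readdir $dh;
    closedir $dh;
    open(my $fh, '-|', 'grep', '-il', '--', $search, @files)
        or die "cannot run grep: $!";
    my @hits = <$fh>;
    close $fh;    # grep exits 1 on no match; that is not an error here
    return join '', @hits;
}

# Assumed attacker input: the first '"' closes the open quote in the
# vulnerable command line, '</dev/null' keeps the now-fileless grep from
# blocking on stdin, ';' ends the command, and the trailing '"' re-opens a
# quote so the remainder of the original command line stays syntactically valid.
my $benign  = 'backticks';
my $payload = '" </dev/null; echo INJECTED; echo "';

print "benign search, vulnerable code:\n",  search_vulnerable($benign);
print "payload search, vulnerable code:\n", search_vulnerable($payload);
print "payload search, hardened code:\n",   search_fixed($payload) || "(no matches)\n";
```

Run as-is, the vulnerable call with the benign string lists both topic files; the same call with the payload prints INJECTED (here a harmless echo, but it could be any command, running as the web server user). The hardened call passes the payload verbatim to grep as a pattern, finds nothing, and never starts a shell. Running the script under taint mode (perl -T) is a second, independent safeguard: Perl refuses to pass tainted data to the backtick operator or a shell-invoking system() until it has been explicitly validated with a regex capture, which is the check the vulnerable code above lacks.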
Solution: Update the affected package.