
TWiki rev Parameter Arbitrary Shell Command Execution

High

Synopsis

An attacker can run arbitrary shell commands on the remote system.

Description

The remote host is running TWiki, an open-source wiki written in Perl. This version of TWiki is vulnerable to a command injection flaw. Specifically, an attacker who sends a command (within backticks) in the 'rev' parameter can execute arbitrary code on the web server. Example:

GET /cgi-bin/TwikiUsers?rev=1%20%7ccat%20/etc/passwd
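As an added example (not part of this advisory and not TWiki's own code), the allow-list check a CGI wrapper should apply to 'rev' before it reaches any command, and a scanner that applies the same check to the percent-decoded 'rev' parameter in web access logs; the accepted revision formats and the sample log lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption for this example: a legitimate TWiki revision is a bare number
# ("3") or an RCS-style dotted number ("1.3"); anything else is rejected.
REV_ALLOWED = re.compile(r"[0-9]+(\.[0-9]+)?")

def is_valid_rev(value: str) -> bool:
    """Allow-list check to apply to 'rev' before it is used in any command."""
    return REV_ALLOWED.fullmatch(value) is not None

def suspicious_revs(request_target: str) -> list[str]:
    """Return every decoded 'rev' value in a request target that fails the allow-list."""
    query = urlsplit(request_target).query
    # parse_qs percent-decodes, so %20 becomes ' ' and %7c becomes '|'
    values = parse_qs(query, keep_blank_values=True).get("rev", [])
    return [v for v in values if not is_valid_rev(v)]

# Matches the request line inside an Apache/NCSA-style access log entry
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[0-9.]+)"')

def scan_access_log(lines):
    """Return (client_ip, request_target, rejected_values) for each CGI request with a bad 'rev'."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m or "/cgi-bin/" not in m.group("target"):
            continue
        bad = suspicious_revs(m.group("target"))
        if bad:
            hits.append((line.split(" ", 1)[0], m.group("target"), bad))
    return hits

# Constructed sample log lines; the second carries the request shown in this advisory.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /cgi-bin/view/Main/WebHome?rev=3 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /cgi-bin/TwikiUsers?rev=1%20%7ccat%20/etc/passwd HTTP/1.1" 200 2048',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /cgi-bin/view/Main/WebHome?rev=1.3 HTTP/1.1" 200 5120',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /cgi-bin/view/Main/WebHome HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for ip, target, bad in scan_access_log(SAMPLE_LOG):
        print(f"{ip} -> {target}  rejected rev value(s): {bad}")
```

Only the decoded value is checked, so encoded variants of the same metacharacters are caught as well, and a legitimate numeric revision never triggers a hit.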

Solution

Upgrade or patch according to vendor recommendations.