Summary
The host is running Foswiki, which is prone to a remote command execution vulnerability.
Impact
Successful exploitation could allow attackers to execute shell commands via Perl backtick (``) operators.
Impact Level: System/Application
Solution
Upgrade to Foswiki version 1.1.7 or later, or apply the patch:
http://foswiki.org/Support/SecurityAlert-CVE-2012-6329
http://foswiki.org/Support/SecurityAlert-CVE-2012-6330
Insight
The flaw is due to improper validation of the '%MAKETEXT{}%' Foswiki macro (when UserInterfaceInternationalisation is enabled), which is used to localize user interface content to a language of choice.
Affected
Foswiki versions 1.0.0 through 1.0.10 and 1.1.0 through 1.1.6
References
Severity
Classification
CVE: CVE-2012-6329, CVE-2012-6330
CVSS Base Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P