Summary
TWiki is prone to a remote code-execution vulnerability.
Impact
Attackers can exploit this issue to execute arbitrary code in the context of the webserver user.
Solution
Updates are available.
Insight
It is possible to execute arbitrary Perl code by adding a 'debugenableplugins=' parameter with a specially crafted value.
Affected
TWiki 6.0.0
TWiki 5.1.0 through TWiki 5.1.4
TWiki 5.0.0 through TWiki 5.0.2
TWiki 4.3.0 through TWiki 4.3.2
TWiki 4.2.0 through TWiki 4.2.4
TWiki 4.1.0 through TWiki 4.1.2
TWiki 4.0.0 through TWiki 4.0.5
Detection
Send an HTTP GET request and check the response.
References
Updated on 2015-03-25
Severity
Classification
CVE: CVE-2014-7236
CVSS Base Score: 6.4
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N