VID | 21718
Severity | 40
Port | 80, ...
Protocol | TCP
Class | CGI
Detailed Description | TWiki is vulnerable to command injection via the 'rev' parameter. TWiki is a Web-based collaboration platform written in Perl, designed for running a project development space, a document management system, and a knowledge base. TWiki Release 02-Sep-2004 and earlier are vulnerable to command injection caused by improper filtering of user-supplied input passed to the 'rev' parameter of the /cgi-bin/view/Main/TWikiUsers script. A remote attacker could send a specially crafted URL request containing shell metacharacters to execute arbitrary system commands in the context of the web server.
* References:
  * http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithRev
  * http://secunia.com/advisories/16820/
  * http://marc.theaimsgroup.com/?l=bugtraq&m=112680475417550&w=2
* Platforms Affected: TWiki.org, TWiki Release 02-Sep-2004 and earlier; any operating system; any version
Recommendation | Upgrade to the latest version of TWiki (TWikiRelease04Sep2004 or later), available from the TWiki Download Web site at http://twiki.org/getpackage.html
Related URL | CVE-2005-2877 (CVE)
Related URL | 14834 (SecurityFocus)
Related URL | 22280 (ISS)