VID: 21747
Severity: 40
Port: 80, ...
Protocol: TCP
Class: CGI
Detailed Description:
The TWiki software, according to its version number, has a command injection vulnerability in the TWiki INCLUDE function. TWiki is a web-based collaboration platform, written in Perl, designed for running a project development space, a document management system, and a knowledge base. TWiki Release 03-Sep-2004 and earlier are vulnerable to command injection caused by improper filtering of user-supplied input passed to the 'rev' parameter of the INCLUDE variable. A remote attacker could send a specially crafted URL request containing shell metacharacters to execute arbitrary system commands in the context of the web server.
* Note: This check relies solely on the version number of TWiki installed on the remote web server to assess this vulnerability, so it may be a false positive.
* References: http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithInclude
* Platforms Affected: TWiki.org, TWiki Release 03-Sep-2004; TWiki.org, TWiki Release 02-Sep-2004; TWiki.org, TWiki Release 01-Sep-2004; TWiki.org, TWiki Release 01-Feb-2003; any operating system, any version
Recommendation:
Upgrade to the latest version of TWiki (TWikiRelease04Sep2004 or later), available from the TWiki download web site at http://twiki.org/getpackage.html
Related URL: CVE-2005-3056 (CVE)
Related URL: 14960 (SecurityFocus)
Related URL: (ISS)