GLSA
Bodhisattva
Joined: 13 Jun 2003
Posts: 4087
Location: Dresden, Germany
|
 Posted: Wed Nov 24, 2004 10:06 am Post subject: [ GLSA 200411-33 ] TWiki: Arbitrary command execution |
 |
|
Gentoo Linux Security Advisory
Title: TWiki: Arbitrary command execution (GLSA 200411-33)
Severity: high
Exploitable: remote
Date: November 24, 2004
Updated: September 08, 2006
Bug(s): #71035
ID: 200411-33
Synopsis
A bug in the TWiki search function allows an attacker to execute arbitrary
commands with the permissions of the user running TWiki.
Background
TWiki is a Web-based groupware tool based around the concept of wiki
pages that can be edited by anybody with a Web browser.
Affected Packages
Package: www-apps/twiki
Vulnerable: < 20040902
Unaffected: >= 20040902
Unaffected: < 20000000
Architectures: All supported architectures
Description
The TWiki search function, which uses a shell command executed via the
Perl backtick operator, does not properly escape shell metacharacters
in the user-provided search string.
Impact
An attacker can insert malicious commands into a search request,
allowing the execution of arbitrary commands with the privileges of the
user running TWiki (usually the Web server user).
Workaround
There is no known workaround at this time.
Resolution
All TWiki users should upgrade to the latest version:
| Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/twiki-20040902" |
References
TWiki Security Alert
CAN-2004-1037
Last edited by GLSA on Fri May 27, 2011 4:18 am; edited 4 times in total |
|
News & Announcements
