Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: A TWiki Vulnerability Allows Remote Code Execution - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
A TWiki Vulnerability Allows Remote Code Execution
A recent vulnerability in TWiki software allows remote attackers to execute arbitrary commands on the affected system with the privileges of the Web server process. We received reports that attackers ares beginning to exploit this vulnerability, which increases the severity of this flaw.

To learn more about this problem, and to download a patch, go to:

TWiki is a popular web-based collaboration tool. If you have it installed, we urge you to patch it as soon as possible. We are expecting to see a worm that exploits the recent vulnerability pretty soon.

Chas Tomlin provided us with the following Snort signature, which he put together with help from others:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB twiki rev access"; flow:to_server,established; uricontent:"/bin/view/Main/TWikiUsers?"; nocase; pcre:"/rev=\d+%20/i"; classtype:web-application-activity; reference:url,; sid:2002366; rev:2;)

This rule is also available from the Bleeding Snort website.

216 Posts
Sep 16th 2005

Sign Up for Free or Log In to start participating in the conversation!