A TWiki Vulnerability Allows Remote Code Execution
A recent vulnerability in TWiki software allows remote attackers to execute arbitrary commands on the affected system with the privileges of the Web server process. We received reports that attackers are beginning to exploit this vulnerability, which increases the severity of this flaw.
To learn more about this problem, and to download a patch, go to:
http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithRev
TWiki is a popular web-based collaboration tool. If you have it installed, we urge you to patch it as soon as possible. We are expecting to see a worm that exploits the recent vulnerability pretty soon.
Chas Tomlin provided us with the following Snort signature, which he put together with help from others:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB twiki rev access"; flow:to_server,established; uricontent:"/bin/view/Main/TWikiUsers?"; nocase; pcre:"/rev=\d+%20/i"; classtype:web-application-activity; reference:url,secunia.com/advisories/16820/; sid:2002366; rev:2;)
This rule is also available from the Bleeding Snort website.
Update: Joel Esler also shared the following signature with us, which catches a greater number of attack execution paths and reduces the number of false positives:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Twiki shell command execution"; flow:to_server,established; uricontent:"/TwikiUsers?rev="; content:"|60|"; classtype:web-application-activity; rev:2;)
This version of the rule will be included in Snort's official rule set.
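As an added illustration (not part of the original diary, and not code from either signature's author), the following Python emulates how the two rules above evaluate an HTTP request line. It keeps Snort's distinction between the normalized URI buffer, which uricontent inspects, and the raw payload, which content and a pcre without the U modifier inspect. The request lines are constructed for the demonstration, not captured traffic, and the percent-decoding in normalized_uri is only an approximation of what Snort's http_inspect preprocessor does.

```python
import re
from urllib.parse import unquote

# Constructed sample HTTP request lines used to exercise the emulation.
# They are not captured traffic from any real incident.
SAMPLE_REQUESTS = {
    "plain_revision": "GET /twiki/bin/view/Main/TWikiUsers?rev=3 HTTP/1.1",
    "encoded_backtick": "GET /twiki/bin/view/Main/TWikiUsers?rev=3%20%60x%60 HTTP/1.1",
    "raw_backtick": "GET /twiki/bin/view/Main/TwikiUsers?rev=3%20`x` HTTP/1.1",
    "backtick_no_digits": "GET /twiki/bin/view/Main/TwikiUsers?rev=`x` HTTP/1.1",
    "capitalized_raw_backtick": "GET /twiki/bin/view/Main/TWikiUsers?rev=3%20`x` HTTP/1.1",
}


def request_uri(request_line):
    """Return the request-target of an HTTP request line ('GET <uri> HTTP/1.x')."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    return parts[1]


def normalized_uri(request_line):
    """Approximate Snort's normalized URI buffer with percent-decoding only.

    http_inspect does more than this (path canonicalisation, multiple
    decoding schemes), but percent-decoding is enough to show the
    raw-versus-normalized distinction that the two rules depend on.
    """
    return unquote(request_uri(request_line))


def bleeding_edge_rule(request_line):
    """Emulate the BLEEDING-EDGE rule: nocase uricontent plus a raw-payload pcre."""
    # uricontent:"/bin/view/Main/TWikiUsers?"; nocase -> normalized URI, case-insensitive
    uri_hit = "/bin/view/main/twikiusers?" in normalized_uri(request_line).lower()
    # pcre:"/rev=\d+%20/i" carries no U modifier, so Snort applies it to the raw
    # payload, where the percent-encoded space still reads literally as '%20'.
    pcre_hit = re.search(r"rev=\d+%20", request_line, re.IGNORECASE) is not None
    return uri_hit and pcre_hit


def web_misc_rule(request_line):
    """Emulate the WEB-MISC rule: case-sensitive uricontent plus a raw 0x60 byte."""
    # uricontent:"/TwikiUsers?rev=" has no nocase -> normalized URI, exact case
    uri_hit = "/TwikiUsers?rev=" in normalized_uri(request_line)
    # content:"|60|" -> the raw payload must contain a literal backtick byte;
    # a percent-encoded %60 does not satisfy it.
    content_hit = "`" in request_line
    return uri_hit and content_hit


def matching_rules(request_line):
    """Return the msg strings of the emulated rules that fire on a request line."""
    hits = []
    if bleeding_edge_rule(request_line):
        hits.append("BLEEDING-EDGE WEB twiki rev access")
    if web_misc_rule(request_line):
        hits.append("WEB-MISC Twiki shell command execution")
    return hits


if __name__ == "__main__":
    for name, line in SAMPLE_REQUESTS.items():
        print(f"{name:26s} -> {matching_rules(line) or ['no alert']}")
```

Running it shows why the two rules complement each other rather than one replacing the other: a request that percent-encodes the backtick as %60 trips only the first rule, because content:"|60|" looks for a raw 0x60 byte, while a request whose rev value has no digits before the encoded space is caught only by the second. Note also that the second rule's uricontent has no nocase, so it matches the spelling /TwikiUsers literally; a request for /TWikiUsers (the page name as TWiki itself spells it) with a raw backtick matches only the first rule in this emulation.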