
SANS ISC: A TWiki Vulnerability Allows Remote Code Execution - SANS Internet Storm Center SANS ISC InfoSec Forums


A TWiki Vulnerability Allows Remote Code Execution
A recent vulnerability in TWiki software allows remote attackers to execute arbitrary commands on the affected system with the privileges of the Web server process. We received reports that attackers are beginning to exploit this vulnerability, which increases the severity of this flaw.

To learn more about this problem, and to download a patch, go to:
http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithRev

TWiki is a popular web-based collaboration tool. If you have it installed, we urge you to patch it as soon as possible. We are expecting to see a worm that exploits the recent vulnerability pretty soon.

Chas Tomlin provided us with the following Snort signature, which he put together with help from others:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB twiki rev access"; flow:to_server,established; uricontent:"/bin/view/Main/TWikiUsers?"; nocase; pcre:"/rev=\d+%20/i"; classtype:web-application-activity; reference:url,secunia.com/advisories/16820/; sid:2002366; rev:2;)

This rule is also available from the Bleeding Snort website.
Lenny

ISC Handler
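The Snort signature above can also be applied after the fact to web server access logs. The following is an added example, not part of the original diary or of the Bleeding Snort rule set: it applies the rule's two conditions (the uricontent string and the pcre) to request URIs in Apache-style log lines. The log format, the sample lines and the function names are assumptions, and the check inherits the rule's restriction to the Main/TWikiUsers topic.

```python
import re

# The rule's two conditions, applied to the request URI recorded in a log line.
URI_CONTENT = "/bin/view/main/twikiusers?"   # uricontent:"..."; nocase
REV_PCRE = re.compile(r"rev=\d+%20", re.I)   # pcre:"/rev=\d+%20/i"

# Assumed Apache common/combined format:
# host ident user [time] "METHOD URI PROTO" status ...
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)

def matches_rule(uri):
    """True when the URI satisfies both the uricontent and the pcre condition."""
    return URI_CONTENT in uri.lower() and REV_PCRE.search(uri) is not None

def scan(lines):
    """Return (line_no, host, status, uri) for each log line the rule would flag."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = LOG_LINE.match(line)
        if m is None:          # not a parsable request line; skip it
            continue
        if matches_rule(m["uri"]):
            hits.append((line_no, m["host"], int(m["status"]), m["uri"]))
    return hits

# Constructed sample log lines (documentation addresses, placeholder parameter tail).
T = "[01/Jan/2000:00:00:00 +0000]"
SAMPLE_LOG = [
    f'192.0.2.10 - - {T} "GET /twiki/bin/view/Main/TWikiUsers HTTP/1.1" 200 5120',
    f'192.0.2.10 - - {T} "GET /twiki/bin/view/Main/TWikiUsers?rev=3 HTTP/1.1" 200 4980',
    f'198.51.100.7 - - {T} "GET /twiki/bin/view/Main/TWikiUsers?rev=2%20PLACEHOLDER HTTP/1.0" 200 312',
    f'198.51.100.8 - - {T} "GET /TWiki/bin/view/main/twikiusers?REV=10%20PLACEHOLDER HTTP/1.0" 404 209',
    f'198.51.100.9 - - {T} "GET /twiki/bin/view/Main/WebHome?rev=1%20PLACEHOLDER HTTP/1.0" 200 300',
    f'192.0.2.10 - - {T} "-" 408 -',
]

if __name__ == "__main__":
    for line_no, host, status, uri in scan(SAMPLE_LOG):
        print(f"line {line_no}: {host} status={status} uri={uri}")
```

The reported status code helps triage: a flagged request answered with 200 on an unpatched server deserves a closer look than one answered with 404.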
