Vulnerability Note VU#362012
TWiki command execution vulnerability
The TWiki wiki software fails to validate input passed to certain URLs. By accessing a URL containing the TWiki configuration script, an attacker may be able to read arbitrary files.
TWiki is a wiki that is runs in the context of the Apache web server. TWiki is installed by configuring Apache, then accessing a configuration script from a web browser. Before executing the configuration script, the TWiki installation instructions provide a generator for Apache configuration directives that is designed to prevent unauthorized access to the script.
There is a command execution vulnerability in TWiki versions prior to 4.2.3. According to the TWiki download page, this issue can only be exploited if the configure script was not secured as described in step number 8 in the installation guide.
A remote attacker may be able to execute arbitrary commands or view arbitrary configuration files on a vulnerable system.
TWiki versions 4.2.0 and higher
This workaround is unlikely to be effective in many cases, such as when the server uses the https protocol. This firewall rule should be tested before using on a production system.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|TWiki||Affected||-||12 Sep 2008|
CVSS Metrics (Learn More)
Thanks to the TWiki team for information that was used in this report.
This document was written by Ryan Giobbi.
- CVE IDs: Unknown
- Date Public: 12 Sep 2008
- Date First Published: 12 Sep 2008
- Date Last Updated: 17 Sep 2008
- Severity Metric: 38.25
- Document Revision: 13
If you have feedback, comments, or additional information about this vulnerability, please send us email.