TWiki SEARCH shell command execution (HTTP_Web_App_Cmd_Exec)

About this signature or vulnerability

RealSecure Server Sensor, RealSecure Network, BlackICE PC Protection, Proventia-G 1.1 and earlier, Proventia Network MFS, Proventia Network IDS, IBM Security Server Protection for Windows, BlackICE Server Protection, Proventia Network IPS, Proventia Desktop, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology:

This event triggers when a specially crafted request is detected that could result in arbitrary command execution of the attacker's choice.


Default risk level

High risk vulnerability

Sensors that have this signature

RealSecure Server Sensor: XPU 28.150, RealSecure Network: XPU 28.150, BlackICE PC Protection: 3.6cri, Proventia-G 1.1 and earlier: XPU 28.150, Proventia Network MFS: XPU 28.150, Proventia Network IDS: XPU 28.150, IBM Security Server Protection for Windows: 2.1.14.2400, IBM Security Server Protection for Windows: 2.0.300.2290, BlackICE Server Protection: 3.6.cri, IBM Security Server Protection for Windows: 1.0.914.2290, Proventia Network IPS: XPU 28.150, Proventia Desktop: 2290, Virtual Server Protection for Vmware: 1.0, Proventia Server IPS for Linux technology: 28.150

Systems affected

TWiki TWiki: 4.0.0, TWiki TWiki: 4.0.1, TWiki TWiki: 4.0.2, TWiki TWiki: 4.0.3, TWiki TWiki: 4.0.4, TWiki TWiki: 4.0.5, TWiki TWiki: 4.1.0, TWiki TWiki: 4.1.2, TWiki TWiki: 4.2.0, TWiki TWiki: 4.1.1, TWiki TWiki: 4.2.1, TWiki TWiki: 4.2.2, TWiki TWiki: 4.2.3

Type

Unauthorized Access Attempt

Vulnerability description

TWiki could allow a remote attacker to execute arbitrary commands on the system, caused by improper validation of user-supplied input before it is used in an eval() call. A remote attacker could exploit this vulnerability using a specially-crafted SEARCH variable or HTTP GET request containing a backtick operator to execute arbitrary shell commands with the privileges of the Web server.
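As an added defender-side example, not part of this advisory and not TWiki or IBM ISS code: a Python scan of constructed web-server access-log lines that flags any request whose decoded query parameter contains the backtick operator the description names, including when it arrives double-encoded. It assumes combined log format and, as a deliberate choice, checks every query parameter rather than only a search field.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Combined-log-format request lines constructed for this example (not from
# the advisory or any real TWiki server).
SAMPLE_LOG = """\
10.0.0.5 - - [05/Dec/2008:10:01:02 +0000] "GET /cgi-bin/view/Main/WebHome HTTP/1.1" 200 5120
10.0.0.6 - - [05/Dec/2008:10:01:09 +0000] "GET /cgi-bin/view/Main/WebSearch?search=TWiki+upgrade HTTP/1.1" 200 3301
10.0.0.7 - - [05/Dec/2008:10:02:15 +0000] "GET /cgi-bin/view/Main/WebSearch?search=%60constructed%60&scope=text HTTP/1.1" 200 1202
10.0.0.8 - - [05/Dec/2008:10:03:40 +0000] "GET /cgi-bin/view/Main/WebSearch?search=%2560constructed%2560 HTTP/1.1" 200 1202
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) .*? "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Undo percent-encoding until the value stops changing, bounded so that
    double-encoded input (%2560 -> %60 -> `) is caught without looping."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def backtick_params(target):
    """(name, decoded_value) for every query parameter of a request target
    whose decoded value contains a backtick, the operator the advisory names.
    Every parameter is checked, not only 'search'."""
    hits = []
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = fully_decode(raw)  # parse_qsl has already decoded one layer
        if "`" in value:
            hits.append((name, value))
    return hits

def scan_access_log(text):
    """(client_ip, param, value) for each log line carrying such a parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            for name, value in backtick_params(m.group("target")):
                findings.append((m.group("ip"), name, value))
    return findings

for ip, name, value in scan_access_log(SAMPLE_LOG):
    print(f"{ip}: parameter {name!r} decodes to {value!r}")
```

A single-pass decoder would miss the fourth line; the bounded re-decoding is what makes the %2560 case surface alongside the plain %60 one.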

How to remove this vulnerability

Upgrade to the latest version of TWiki (4.2.4 or later), available from the TWiki Web site. See References.

References

TWiki SecurityAlert-CVE-2008-5305
TWiki SEARCH variable allows arbitrary shell command execution
http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2008-5305

IBM Internet Security Systems Protection Advisory December 5, 2008
TWiki 4.2.3 parseInterval Metacharacter Vulnerability
http://www.iss.net/threats/312.html

TWiki Web site
TWiki
http://www.twiki.org/

ISS X-Force
TWiki SEARCH shell command execution
http://www.iss.net/security_center/static/45293.php

CVE
CVE-2008-5305
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5305