Family: Gentoo Local Security Checks --> Category: infos
[GLSA-200411-33] TWiki: Arbitrary command execution Vulnerability Scan
Vulnerability Scan Summary TWiki: Arbitrary command execution
Detailed Explanation for this Vulnerability Test
The remote host is affected by the vulnerability described in GLSA-200411-33
(TWiki: Arbitrary command execution)
The TWiki search function, which uses a shell command executed via
the Perl backtick operator, does not properly escape shell
metacharacters in the user-provided search string.
Impact
An attacker can insert shell commands into a search request, allowing
the execution of arbitrary commands with the privileges of the user
running TWiki (usually the web server user).
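Added example (not TWiki's code and not part of the GLSA): a hypothetical Perl search helper showing the bug class the advisory describes, interpolating user text into a backtick command, beside a hardened form that execs grep with the list form of open() so no shell ever parses the search string. The allow-list regex in validate_term is an assumption about what a search term should look like.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Vulnerable pattern (hypothetical, modelled on GLSA-200411-33): the shell
# parses the whole command line, so metacharacters in $term are interpreted.
sub search_vulnerable {
    my ($dir, $term) = @_;
    my $out = `grep -rl -- '$term' $dir`;   # DO NOT USE: shell injection
    return $out;
}

# Hardened form: no shell at all. With more than one argument after the
# mode, open() execs grep directly and $term is a single literal argv entry.
# '--' stops a term beginning with '-' from being read as an option.
sub search_safe {
    my ($dir, $term) = @_;
    open(my $fh, '-|', 'grep', '-rlF', '--', $term, $dir)
        or die "cannot run grep: $!";
    my @hits = <$fh>;
    close $fh;
    chomp @hits;
    return \@hits;
}

# Defence in depth: reject input outside an expected character set before
# it reaches any command (assumption: search terms are word-like).
sub validate_term {
    my ($term) = @_;
    return (defined $term && $term =~ /\A[\w\s.-]{1,100}\z/) ? 1 : 0;
}

# Demo on constructed input: one file in a temp dir and a search term that
# carries a shell metacharacter, which the hardened path treats literally.
my $dir = tempdir(CLEANUP => 1);
open(my $w, '>', "$dir/page.txt") or die "cannot write: $!";
print $w "hello; world\n";
close $w;
my $term = 'hello; world';
print "validate_term: ", validate_term($term), "\n";   # 0: ';' is not allowed
print "safe hits: @{ search_safe($dir, $term) }\n";    # page.txt, matched literally
```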
Workaround
There is no known workaround at this time.
References:
http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearch
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1037
Solution:
All TWiki users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/twiki-20040902"
Threat Level: High