{"vuid":"VU#757181","idnumber":"757181","name":"TWiki does not properly sanitize URI parameters","keywords":["TWiki","arbitrary code execution","URI","backtick operator","revision control function","rev parameter"],"overview":"A lack of input validation in the TWiki revision control function may allow a remote, unauthenticated attacker to execute arbitrary commands.","clean_desc":"TWiki is a web-based collaborative publishing environment. TWiki does not sanitize user-controlled URI parameters supplied to the revision control function for malicious content. Specifically, the rev parameter is not filtered for shell metacharacters before being used to construct a shell command. By sending a specially crafted URI to a system running TWiki, an remote, unauthenticated attacker may be able to execute arbitrary commands on that system. Note that exploits are publicly available for this vulnerability. More detailed information is available in the TWiki Security Alert.","impact":"By sending a specially crafted URI to TWiki, a remote, unauthenticated attacker may be able to execute arbitrary commands with the privileges of the CGI process, typically nobody.","resolution":"Apply hotfix\nTWiki has release a hotfix to address this issue.","workarounds":"Restrict access Restricting access to TWiki to only trusted users will reduce the chances of exploitation.","sysaffected":"","thanks":"This vulnerability was reported by Sap. TWiki credits PeterThoeny, Crawford Currie, Sven Dowideit, Colas Nahaboo, Will Norris, Richard Donkin, B4dP4nd4 and Florian Weimer for providing information regarding this issue.","author":"This document was written by Jeff Gennari.","public":["http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithRev","http://secunia.com/advisories/16820/","http://securitytracker.com/alerts/2005/Sep/1014918.html","http://www.securityfocus.com/bid/14834","http://twiki.org"],"cveids":["CVE-2005-2877"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2005-09-16T15:23:47Z","publicdate":"2005-09-14T00:00:00Z","datefirstpublished":"2005-09-20T15:07:31Z","dateupdated":"2005-10-04T19:45:43Z","revision":46,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"3","cam_population":"7","cam_impact":"19","cam_easeofexploitation":"14","cam_attackeraccessrequired":"20","cam_scorecurrent":"12.5685","cam_scorecurrentwidelyknown":"16.05975","cam_scorecurrentwidelyknownexploited":"30.02475","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":12.5685,"vulnote":null}