TWiki View Script debugenableplugins Request Parameter Vulnerability

Added: 03/30/2015
CVE: CVE-2014-7236
BID: 70372
OSVDB: 112977

Background

TWiki is a web-based collaboration platform written in Perl.

Problem

The TWiki view script does not properly sanitize the debugenableplugins parameter before using it.

Resolution

Upgrade to TWiki-6.0.1 or higher, or apply the hotfix shown in the TWiki Security Alert.
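
Alongside the upgrade, web server access logs can be checked for requests that carry the debugenableplugins parameter. The following is an added example, not part of the original advisory or of TWiki; the allow-list pattern (plugin names made of letters, digits and underscores), the helper names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

PARAM = "debugenableplugins"
# Assumption: a legitimate value is a comma-separated list of plugin names
# built from letters, digits and underscores.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_]+(?:\s*,\s*[A-Za-z0-9_]+)*$")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def param_values(target):
    """Return every decoded debugenableplugins value in a request target."""
    query = target.partition("?")[2]
    values = []
    # The name may follow '&' or ';', but the value is read up to the next
    # '&' only, so it is never cut short at a ';' (flagged rather than missed).
    for chunk in query.split("&"):
        parts = chunk.split(";")
        for i, part in enumerate(parts):
            if unquote_plus(part.partition("=")[0]) == PARAM:
                raw = ";".join(parts[i:]).partition("=")[2]
                values.append(unquote_plus(raw))
                break
    return values

def classify(line):
    """Return None, 'present' or 'suspicious' for one access-log line."""
    match = REQUEST.search(line)
    values = param_values(match.group(1)) if match else []
    if not values:
        return None
    ok = all(SAFE_VALUE.match(v) for v in values)
    return "present" if ok else "suspicious"

def scan(lines):
    """Return (line_number, verdict) for each line that carries the parameter."""
    verdicts = ((n, classify(line)) for n, line in enumerate(lines, start=1))
    return [(n, v) for n, v in verdicts if v]

# Constructed sample lines (combined log format), not taken from a real server.
SAMPLE = [
    '192.0.2.10 - - [30/Mar/2015:10:00:00 +0000] "GET /cgi-bin/view/Main/WebHome HTTP/1.1" 200 5120',
    '192.0.2.11 - - [30/Mar/2015:10:00:05 +0000] "GET /cgi-bin/view/Main/WebHome?debugenableplugins=TablePlugin,SpreadSheetPlugin HTTP/1.1" 200 5120',
    '192.0.2.12 - - [30/Mar/2015:10:00:09 +0000] "GET /cgi-bin/view/Main/WebHome?skin=print;debugenableplugins=TablePlugin%2CSpreadSheetPlugin HTTP/1.1" 200 5120',
    '192.0.2.13 - - [30/Mar/2015:10:00:12 +0000] "GET /cgi-bin/view/Main/WebHome?debugenableplugins=not%20a%20plugin%20list%21 HTTP/1.1" 200 5120',
]
if __name__ == "__main__":
    print(scan(SAMPLE))
```

Access logs record only the request line, so parameters sent in a POST body are not visible to this check.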

References

http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236

Limitations

The exploit works on vulnerable TWiki installations that do not require authentication. If the protocol is https, the exploit requires the IO::Socket::SSL Perl module to be installed on the SAINTexploit host. This module is available from http://www.cpan.org/modules/by-module/IO/.