Holes in TWiki allow the execution of shell commands
The developers of the open source Wiki system TWiki are reporting a critical hole that could allow attackers to compromise a web server. According to the advisory, the configuration script of all TWiki versions 4.0.x can be abused to load an attacker's Perl script onto the server. Shell commands can then be executed with the web server's privileges, generally as the user 'nobody'. The problem is caused by insufficient filtering of the TYPEOF parameter.
It is true that the configure script (twiki/bin/configure) will not allow any more changes to its settings without a password once it has been initialized by the admin. Yet because the script itself is not protected by Apache's htaccess authentication or other measures, an attacker can still reach it and upload his own code using an HTTP POST request. The advisory even describes a sample exploit that creates a file on a vulnerable system using the Unix command touch. In principle, any command can be executed in this way, as long as the web server's user has the rights to run it. An attacker could also potentially exploit a local privilege elevation bug to gain root rights.
The developers are not certain, however, that the patch resolves all potential mutations of the problem and recommend the additional use of htaccess to protect access to the script. Instructions on doing so are provided in the error report.
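The following .htaccess fragment illustrates the kind of access restriction recommended above. It is an added example, not the text from the TWiki advisory; the password file path, the user name twikiadmin and the host wiki.example are assumptions, and the syntax shown is for Apache 2.4.

```apache
# .htaccess placed in twiki/bin/ (added example, not the advisory's own text).
# Assumes the server config permits it for this directory:
#     AllowOverride AuthConfig
#
# Without a block like this, twiki/bin/configure answers any unauthenticated
# request; the password built into configure only guards saving settings.

# Match the configure script and any variants that share its name prefix.
<FilesMatch "^configure.*">
    AuthType Basic
    AuthName "TWiki configure"

    # Assumed path. Keep the file outside the document root and create it
    # with:  htpasswd -c /etc/apache2/twiki-configure.htpasswd twikiadmin
    AuthUserFile /etc/apache2/twiki-configure.htpasswd

    # Require both a named admin account and a request from the local host.
    # Drop the "Require ip" line if configure must be reachable remotely.
    <RequireAll>
        Require user twikiadmin
        Require ip 127.0.0.1
    </RequireAll>
</FilesMatch>

# Check after reloading Apache (wiki.example is a placeholder host):
#     curl -s -o /dev/null -w '%{http_code}\n' http://wiki.example/twiki/bin/configure
# A protected script returns 401 or 403; a 200 means the block is not applied,
# usually because AllowOverride does not include AuthConfig.
```

Apache 2.2 and earlier use the Order/Deny/Allow directives instead of `Require ip` and `<RequireAll>`. Basic authentication sends the password unencrypted unless the site is served over HTTPS.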
- Configure script allows arbitrary shell command execution, advisory from TWiki Security Team