Vulnerabilities > CVE-2006-3336 - Unspecified vulnerability in Twiki

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
twiki
nessus

Summary

TWiki 01-Dec-2000 up to 4.0.3 allows remote attackers to bypass the upload filter and execute arbitrary code via filenames with double extensions such as ".php.en", ".php.1", and other allowed extensions that are not .txt. NOTE: this is only a vulnerability when the server allows script execution in the pub directory.

Nessus

NASL familyFreeBSD Local Security Checks
NASL idFREEBSD_PKG_A876DF840FEF11DBAC96000C6EC775D9.NASL
descriptionA TWiki Security Alert reports : The TWiki upload filter already prevents executable scripts such as .php, .php1, .phps, .pl from potentially getting executed by appending a .txt suffix to the uploaded filename. However, PHP and some other types allows additional file suffixes, such as .php.en, .php.1, and .php.2. TWiki does not check for these suffixes, e.g. it is possible to upload php scripts with such suffixes without the .txt filename padding. This issue can also be worked around with a restrictive web server configuration. See the TWiki Security Alert for more information about how to do this.
last seen2020-06-01
modified2020-06-02
plugin id22007
published2006-07-10
reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/22007
titleFreeBSD : twiki -- multiple file extensions file upload vulnerability (a876df84-0fef-11db-ac96-000c6ec775d9)
code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from the FreeBSD VuXML database :
#
# Copyright 2003-2018 Jacques Vidrine and contributors
#
# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
# HTML, PDF, PostScript, RTF and so forth) with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code (VuXML) must retain the above
#    copyright notice, this list of conditions and the following
#    disclaimer as the first lines of this file unmodified.
# 2. Redistributions in compiled form (transformed to other DTDs,
#    published online in any format, converted to PDF, PostScript,
#    RTF and other formats) must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer
#    in the documentation and/or other materials provided with the
#    distribution.
# 
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

include("compat.inc");

if (description)
{
  script_id(22007);
  script_version("1.14");
  script_cvs_date("Date: 2019/08/02 13:32:38");

  script_cve_id("CVE-2006-3336");
  script_bugtraq_id(18854);
  script_xref(name:"Secunia", value:"20992");

  script_name(english:"FreeBSD : twiki -- multiple file extensions file upload vulnerability (a876df84-0fef-11db-ac96-000c6ec775d9)");
  script_summary(english:"Checks for updated package in pkg_info output");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote FreeBSD host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"A TWiki Security Alert reports :

The TWiki upload filter already prevents executable scripts such as
.php, .php1, .phps, .pl from potentially getting executed by appending
a .txt suffix to the uploaded filename. However, PHP and some other
types allows additional file suffixes, such as .php.en, .php.1, and
.php.2. TWiki does not check for these suffixes, e.g. it is possible
to upload php scripts with such suffixes without the .txt filename
padding.

This issue can also be worked around with a restrictive web server
configuration. See the

TWiki Security Alert for more information about how to do this."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://twiki.org/cgi-bin/view/Codev/SecurityAlertSecureFileUploads"
  );
  # https://vuxml.freebsd.org/freebsd/a876df84-0fef-11db-ac96-000c6ec775d9.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?f527d788"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:twiki");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");

  script_set_attribute(attribute:"vuln_publication_date", value:"2006/07/05");
  script_set_attribute(attribute:"patch_publication_date", value:"2006/07/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/07/10");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"FreeBSD Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");

  exit(0);
}


include("audit.inc");
include("freebsd_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;

if (pkg_test(save_report:TRUE, pkg:"twiki<4.0.4,1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 18854 CVE(CAN) ID: CVE-2006-3336 TWiki是一款灵活易用、功能强大的企业协作平台。 TWiki对上传文件的后缀检查过滤不充分,远程攻击者可能利用此漏洞上传脚本文件执行,从而以Web进程权限在服务器上执行任意命令。 TWiki上传过滤器可以在上传的文件名后附加.txt后缀,以防执行.php、.php1、.phps、.pl之类的可执行脚本。但是,PHP和其他一些类型允许额外的文件后缀,如.php.en、.php.1和.php.2等。TWiki没有检查这些后缀,也就是可能没有添加.txt文件名后缀便上传一些PHP脚本,导致执行任意代码。 0 TWiki TWiki 4.0.3 TWiki TWiki 4.0.2 TWiki TWiki 4.0.1 TWiki TWiki 4.0.0 TWiki ----- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: &lt;a href=http://twiki.org/cgi-bin/view/Codev/TWikiRelease04x00x04 target=_blank&gt;http://twiki.org/cgi-bin/view/Codev/TWikiRelease04x00x04&lt;/a&gt; &lt;a href=http://twiki.org/cgi-bin/view/Codev/SecurityAlertSecureFileUploads#Hotfixes target=_blank&gt;http://twiki.org/cgi-bin/view/Codev/SecurityAlertSecureFileUploads#Hotfixes&lt;/a&gt;
idSSV:2686
last seen2017-11-19
modified2007-12-26
published2007-12-26
reporterRoot
sourcehttps://www.seebug.org/vuldb/ssvid-2686
titleTWiki脚本文件上传漏洞