CVE-2006-3336 - Unspecified vulnerability in Twiki

CVSS base score: 4.0 (MEDIUM)
Attack vector: NETWORK
Attack complexity: HIGH
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: NONE

Summary

TWiki 01-Dec-2000 up to 4.0.3 allows remote attackers to bypass the upload filter and execute arbitrary code via filenames with double extensions such as ".php.en", ".php.1", and other allowed extensions that are not .txt. NOTE: this is only a vulnerability when the server allows script execution in the pub directory.
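To make the filter gap concrete, here is an added illustration (not code from this page, from TWiki, or from Tenable): a naive check that only inspects the final suffix, beside a hardened check that inspects every dotted suffix and pads the name with ".txt", which is the mitigation the advisory describes. The SCRIPT_EXTENSIONS set is taken from the extensions the advisory names, and the sample filenames are constructed from its examples.

```python
# Extensions the advisory says the upload filter is meant to neutralise.
SCRIPT_EXTENSIONS = {"php", "php1", "phps", "pl"}


def last_extension_only(filename: str) -> bool:
    """Naive check: flags a file only when its LAST suffix is a script extension.
    This is the behaviour the advisory describes as bypassable with
    double extensions such as 'shell.php.en'."""
    if "." not in filename:
        return False
    return filename.rsplit(".", 1)[-1].lower() in SCRIPT_EXTENSIONS


def any_extension(filename: str) -> bool:
    """Hardened check: flags a file when ANY dotted component after the base
    name is a script extension. Web servers that map several suffixes on one
    filename (the advisory's '.php.en', '.php.1', '.php.2' cases) are then
    covered, because 'php' is found wherever it sits in the chain."""
    suffixes = filename.lower().split(".")[1:]
    return any(s in SCRIPT_EXTENSIONS for s in suffixes)


def sanitize_upload_name(filename: str) -> str:
    """Strip any directory part, then apply the hardened check and pad with
    '.txt' when needed, mirroring the padding step the advisory describes.
    Constructed helper for illustration; not TWiki's own code."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if any_extension(base):
        return base + ".txt"
    return base


if __name__ == "__main__":
    # Constructed sample names modelled on the advisory's examples.
    for name in ("shell.php", "shell.php.en", "shell.php.1", "report.txt"):
        print(f"{name:14} naive={last_extension_only(name)!s:5} "
              f"hardened={any_extension(name)!s:5} "
              f"stored_as={sanitize_upload_name(name)}")
```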

Nessus

NASL family: FreeBSD Local Security Checks
NASL id: FREEBSD_PKG_A876DF840FEF11DBAC96000C6EC775D9.NASL
description: A TWiki Security Alert reports : The TWiki upload filter already prevents executable scripts such as .php, .php1, .phps, .pl from potentially getting executed by appending a .txt suffix to the uploaded filename. However, PHP and some other types allow additional file suffixes, such as .php.en, .php.1, and .php.2. TWiki does not check for these suffixes, e.g. it is possible to upload php scripts with such suffixes without the .txt filename padding. This issue can also be worked around with a restrictive web server configuration. See the TWiki Security Alert for more information about how to do this.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 22007
published: 2006-07-10
reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/22007
title: FreeBSD : twiki -- multiple file extensions file upload vulnerability (a876df84-0fef-11db-ac96-000c6ec775d9)
code:
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from the FreeBSD VuXML database :
#
# Copyright 2003-2018 Jacques Vidrine and contributors
#
# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
# HTML, PDF, PostScript, RTF and so forth) with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code (VuXML) must retain the above
#    copyright notice, this list of conditions and the following
#    disclaimer as the first lines of this file unmodified.
# 2. Redistributions in compiled form (transformed to other DTDs,
#    published online in any format, converted to PDF, PostScript,
#    RTF and other formats) must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer
#    in the documentation and/or other materials provided with the
#    distribution.
# 
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

include("compat.inc");

if (description)
{
  script_id(22007);
  script_version("1.14");
  script_cvs_date("Date: 2019/08/02 13:32:38");

  script_cve_id("CVE-2006-3336");
  script_bugtraq_id(18854);
  script_xref(name:"Secunia", value:"20992");

  script_name(english:"FreeBSD : twiki -- multiple file extensions file upload vulnerability (a876df84-0fef-11db-ac96-000c6ec775d9)");
  script_summary(english:"Checks for updated package in pkg_info output");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote FreeBSD host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"A TWiki Security Alert reports :

The TWiki upload filter already prevents executable scripts such as
.php, .php1, .phps, .pl from potentially getting executed by appending
a .txt suffix to the uploaded filename. However, PHP and some other
types allows additional file suffixes, such as .php.en, .php.1, and
.php.2. TWiki does not check for these suffixes, e.g. it is possible
to upload php scripts with such suffixes without the .txt filename
padding.

This issue can also be worked around with a restrictive web server
configuration. See the

TWiki Security Alert for more information about how to do this."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://twiki.org/cgi-bin/view/Codev/SecurityAlertSecureFileUploads"
  );
  # https://vuxml.freebsd.org/freebsd/a876df84-0fef-11db-ac96-000c6ec775d9.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?f527d788"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:twiki");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");

  script_set_attribute(attribute:"vuln_publication_date", value:"2006/07/05");
  script_set_attribute(attribute:"patch_publication_date", value:"2006/07/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/07/10");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"FreeBSD Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");

  exit(0);
}


include("audit.inc");
include("freebsd_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;

if (pkg_test(save_report:TRUE, pkg:"twiki<4.0.4,1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

Seebug

bulletin family: exploit
description: BUGTRAQ ID: 18854; CVE(CAN) ID: CVE-2006-3336. TWiki is a flexible, easy-to-use and powerful enterprise collaboration platform. TWiki's check on the suffixes of uploaded files is insufficient, and a remote attacker could exploit this to upload a script file and have it executed, thereby running arbitrary commands on the server with the privileges of the web process. The TWiki upload filter appends a .txt suffix to uploaded filenames to prevent executable scripts such as .php, .php1, .phps and .pl from being executed. However, PHP and some other types allow additional file suffixes, such as .php.en, .php.1 and .php.2. TWiki does not check for these suffixes, so PHP scripts could be uploaded without the .txt suffix being appended, leading to arbitrary code execution. Affected versions: TWiki 4.0.3, TWiki 4.0.2, TWiki 4.0.1, TWiki 4.0.0. The vendor has released an upgrade patch that fixes this issue; download it from the vendor's homepage: http://twiki.org/cgi-bin/view/Codev/TWikiRelease04x00x04 and http://twiki.org/cgi-bin/view/Codev/SecurityAlertSecureFileUploads#Hotfixes
id: SSV:2686
last seen: 2017-11-19
modified: 2007-12-26
published: 2007-12-26
reporter: Root
source: https://www.seebug.org/vuldb/ssvid-2686
title: TWiki script file upload vulnerability