CVE-2004-1037
published 2005-03-01

CVE-2004-1037: The search function in TWiki 20030201 allows remote attackers to execute arbitrary commands via shell metacharacters in a search string.

Priority: P261, critical, 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 61.67% (99.1th percentile)

Affected

1 ranges
Vendor   Product   Version range   Fixed in
twiki    twiki

Detection & IOCs (extracted from sources)

path: /cgi-bin/twiki/search/Main/
path: /twiki/bin
url: /twiki/bin/view/Main/WebSearch?search=
command: scope=text&order=modified&search=nonexistantttt\' ; (<COMMAND>) | sed 's/\(.*\)/AAAA\1BBBB.txt/' ; fgrep -i -l -- 'nonexistantttt
command: ';echo${IFS}<content>${IFS}><testfile>.txt;#'
command: ';rm${IFS}-f${IFS}<testfile>.txt;#'
  • Detect shell metacharacter injection in the 'search' HTTP parameter sent to TWiki's search/WebSearch CGI endpoint. Look for characters such as single quotes, semicolons, backticks, and pipe symbols in the search parameter value.
  • Monitor HTTP GET and POST requests to paths matching /cgi-bin/twiki/search/ or /twiki/bin/view/Main/WebSearch with a 'search' parameter containing shell injection patterns (e.g., ${IFS}, semicolons, single quotes followed by shell commands).
  • Alert on HTTP requests to TWiki search endpoints where the search parameter contains the pattern: single-quote followed by semicolon and shell command tokens, characteristic of the pre/post string injection wrapper used by the public PoC exploit.
  • Detect use of ${IFS} shell variable substitution in HTTP query parameters targeting TWiki, as used by the Metasploit module to bypass space-character filtering in the search parameter.
  • Flag requests with User-Agent 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)' combined with shell metacharacters in the search parameter, as this is the default UA hardcoded in the public PoC exploit tool 'tweaky.pl'.
  • Affected TWiki versions to target for patching/detection scope: 20040901, 20030201, 20011201, 20001201, and SVN revisions up to and including 3224.
  • The Metasploit module targets the '/view/Main/WebSearch' endpoint under the configured URI base, while the standalone PoC (tweaky.pl) defaults to '/cgi-bin/twiki/search/Main/'. Defenders should monitor both path patterns as TWiki installations may vary.
  • The exploit supports both GET and POST HTTP methods for delivering the malicious search parameter; detection rules must cover both request methods.
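
The detection points above, combined into one check over decoded request parameters. This is an added example, not code from the sources this page draws on; the function name, reason tags and sample requests are constructed for illustration, and PLACEHOLDER stands in for any command text.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint patterns and PoC User-Agent are the ones listed on this page.
TWIKI_SEARCH_PATH = re.compile(r"/cgi-bin/twiki/search/|/view/Main/WebSearch", re.I)
POC_USER_AGENT = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
METACHARS = re.compile(r"['`;|]")        # quote, backtick, semicolon, pipe
QUOTE_SEMICOLON = re.compile(r"'\s*;")   # quote closing the string, then a separator

def inspect_request(method, url, body="", user_agent=""):
    """Return sorted reason tags for one request; an empty list means not flagged."""
    parts = urlsplit(url)
    if not TWIKI_SEARCH_PATH.search(parts.path):
        return []
    # parse_qs percent-decodes values, so encoded input is checked in decoded form.
    values = parse_qs(parts.query, keep_blank_values=True).get("search", [])
    if method.upper() == "POST":  # a form-encoded body carries the same parameter
        values += parse_qs(body, keep_blank_values=True).get("search", [])
    reasons = set()
    for value in values:
        if METACHARS.search(value):
            reasons.add("metachar")          # weak on its own: "user's guide" matches
        if "${IFS}" in value:
            reasons.add("ifs")
        if QUOTE_SEMICOLON.search(value):
            reasons.add("quote-semicolon")
    if reasons and user_agent == POC_USER_AGENT:
        reasons.add("poc-user-agent")        # only meaningful next to another signal
    return sorted(reasons)

# Constructed sample requests: (method, url, body, user agent).
SAMPLES = [
    ("GET", "/twiki/bin/view/Main/WebSearch?search=release+notes&scope=text", "", "curl/8.0"),
    ("GET", "/twiki/bin/view/Main/WebSearch?search=user%27s+guide", "", "curl/8.0"),
    ("GET", "/twiki/bin/view/Main/WebSearch?search=x%27%3BPLACEHOLDER%24%7BIFS%7DPLACEHOLDER%3B%23%27",
     "", POC_USER_AGENT),
    ("POST", "/cgi-bin/twiki/search/Main/",
     "scope=text&search=x%27+%3B+PLACEHOLDER+%7C+PLACEHOLDER", "curl/8.0"),
    ("GET", "/blog/search?search=a%3Bb", "", "curl/8.0"),
]

if __name__ == "__main__":
    for method, url, body, agent in SAMPLES:
        print(method, urlsplit(url).path, inspect_request(method, url, body, agent))
```

A lone "metachar" tag is a low-confidence hit, since an ordinary apostrophe produces it; "ifs" or "quote-semicolon" on a TWiki search path is the stronger signal to alert on.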