CVE-2005-2877
published 2005-09-16


Priority: P2 · 60 · high · 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 71.10% (99.3th percentile)
The history (revision control) function in TWiki 02-Sep-2004 and earlier allows remote attackers to execute arbitrary code via shell metacharacters, as demonstrated via the rev parameter to TWikiUsers.

Affected

5 ranges
Vendor | Product | Version range | Fixed in
twiki | twiki
twiki | twiki
twiki | twiki
twiki | twiki
twiki | twiki

Detection & IOCs (extracted from sources)

url: http://www.example.com/cgi-bin/view/Main/TWikiUsers?rev=2%20%7Cless%20/etc/passwd
path: /twiki/bin/view/Main/TWikiUsers
command: rev=<num> `touch <file>`#
command: rev=<num> `rm -f <file>`#
command: %INCLUDE{ "Main.TWikiUsers" rev="2|less /etc/passwd" }%
  • Monitor HTTP requests to TWiki's view script targeting TWikiUsers with a 'rev' parameter containing shell metacharacters (backtick, pipe '|', semicolon ';').
  • Alert on URL-encoded shell metacharacters in the 'rev' query parameter, e.g. %60 (backtick), %7C (pipe), %3B (semicolon) in requests to /cgi-bin/view/Main/TWikiUsers or equivalent TWiki view paths.
  • The exploit uses backtick command substitution injected into the rev parameter (e.g. '1 `touch file`#'); detect backtick characters or '#' terminators in the rev parameter value.
  • Affected TWiki versions to target for detection/patching: 20040902, 20040901, 20030201, 20011201, 20001201.
  • The exploit runs in the context of the web server user (privileged flag set to true in the module), meaning command execution occurs with web server privileges, not necessarily root.
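
The monitoring notes above can be applied to web server access logs. The following is an added example, not part of the original record or of TWiki: it assumes common/combined log format and that the view script is served under a bin/ or cgi-bin/ path, and the log lines are constructed from the indicators listed above. It percent-decodes the rev value repeatedly so double-encoded metacharacters are also flagged.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Shell metacharacters named in the detection notes: backtick, pipe, semicolon, '#'.
METACHARS = set("`|;#")
# Assumption: the TWiki view script is reachable under .../bin/view or .../cgi-bin/view.
VIEW_PATH = re.compile(r"/(?:cgi-)?bin/view(?:/|$)")
# Request field of a common/combined format log line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Sep/2005:10:00:00 +0000] "GET /cgi-bin/view/Main/TWikiUsers?rev=2%20%7Cless%20/etc/passwd HTTP/1.1" 200 512',
    '192.0.2.11 - - [16/Sep/2005:10:00:05 +0000] "GET /twiki/bin/view/Main/TWikiUsers?rev=1%2560touch%2520x%2560%2523 HTTP/1.1" 200 512',
    '192.0.2.12 - - [16/Sep/2005:10:00:09 +0000] "GET /twiki/bin/view/Main/TWikiUsers?rev=1.3 HTTP/1.1" 200 512',
    '192.0.2.13 - - [16/Sep/2005:10:00:12 +0000] "GET /index.html?rev=a%7Cb HTTP/1.1" 200 512',
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (e.g. %2560) is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_rev(log_line):
    """Return the decoded rev value if it carries shell metacharacters, else None."""
    match = REQUEST.search(log_line)
    if not match:
        return None
    target = urlsplit(match.group(1))
    if not VIEW_PATH.search(target.path):
        return None  # not a request to the view script
    for key, value in parse_qsl(target.query, keep_blank_values=True):
        if key == "rev":
            value = fully_decode(value)
            if METACHARS & set(value):
                return value
    return None

def scan(lines):
    """Return (client address, decoded rev value) for every flagged line."""
    hits = ((line.split()[0], suspicious_rev(line)) for line in lines)
    return [(client, rev) for client, rev in hits if rev is not None]

if __name__ == "__main__":
    for client, rev in scan(SAMPLE_LOG):
        print(f"ALERT {client}: rev={rev!r}")
```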