CVE-2008-5305
Published 2008-12-10
CVE-2008-5305: Eval injection vulnerability in TWiki before 4.2.4 allows remote attackers to execute arbitrary Perl code via the %SEARCH{}% variable.
Priority: P2 (60) · Severity: critical · CVSS 2.0 base score: 10
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public proof-of-concept known
EPSS: 4.64% (90.6th percentile)
Affected (13 ranges listed; only one carries version data)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| twiki | twiki | <= 4.2.3 | — |
Detection & IOCs (extracted from sources)
URL (proof-of-concept request quoted in the sources): http://www.example.com/twiki/bin/view/Main/WebSearch?search=%25SEARCH%7Bdate%3D%22P%60pr+-%3F%60%22+search%3D%22xyzzy%22%7D%25&scope=all
- Detect exploit attempts by monitoring HTTP requests to TWiki's WebSearch endpoint containing URL-encoded backtick sequences (%60) within the 'search' or 'date' parameters, indicative of shell command injection via the %SEARCH{}% variable.
- Alert on HTTP requests to TWiki search endpoints where the query string contains the literal pattern %SEARCH{ with backtick-delimited substrings in parameter values, as this is the injection vector for arbitrary Perl code execution.
- Monitor for the canary string 'xyzzy' appearing in TWiki search parameters, as it is used in the known proof-of-concept exploit payload.
- The vulnerability affects TWiki versions before 4.2.4; the eval injection is triggered via the %SEARCH{}% variable, which fails to sanitize user-supplied input, allowing arbitrary Perl code execution.
- The attack can be delivered directly through the application's search box as well as via a crafted URL, meaning both GET-parameter and form-POST monitoring is required for full coverage.
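As an added example (not from the advisory or from TWiki), the detection guidance above applied to constructed access-log lines in Python: the query string is URL-decoded before matching, so %60 is caught as a backtick and %25SEARCH%7B as the %SEARCH{ variable, while a benign TWiki variable typed into the search box is not flagged. The log lines are constructed samples; the first one reuses the proof-of-concept request quoted above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real traffic). The first request is the
# proof-of-concept URL quoted above; the other two are benign search traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2008:10:01:02 +0000] "GET /twiki/bin/view/Main/WebSearch?search=%25SEARCH%7Bdate%3D%22P%60pr+-%3F%60%22+search%3D%22xyzzy%22%7D%25&scope=all HTTP/1.1" 200 4321
10.0.0.6 - - [10/Dec/2008:10:01:05 +0000] "GET /twiki/bin/view/Main/WebSearch?search=release+notes&scope=all HTTP/1.1" 200 1234
10.0.0.7 - - [10/Dec/2008:10:02:11 +0000] "GET /twiki/bin/search/Main/WebHome?search=%25TOPIC%25&scope=text HTTP/1.1" 200 999
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
WATCHED_PARAMS = ("search", "date")   # parameters the advisory names as the injection vector

def analyse_request(target):
    """Return the reasons a request target matches the CVE-2008-5305 detection guidance."""
    reasons = []
    # parse_qs URL-decodes, so %60 becomes a literal backtick and %25SEARCH%7B becomes %SEARCH{
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            if "`" in value:
                reasons.append(f"backtick in '{name}' parameter")
            if "%SEARCH{" in value:
                reasons.append(f"%SEARCH{{ variable in '{name}' parameter")
            if "xyzzy" in value:
                reasons.append(f"PoC canary 'xyzzy' in '{name}' parameter")
    return reasons

def scan_log(text):
    """Return (client_ip, method, target, reasons) for each suspicious TWiki search request."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        # only TWiki search endpoints (the WebSearch topic or the search script) are of interest
        if "/twiki/" not in target or "search" not in target.lower():
            continue
        reasons = analyse_request(target)
        if reasons:
            hits.append((line.split()[0], m.group("method"), target, reasons))
    return hits

if __name__ == "__main__":
    for ip, method, target, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} {method} {target}\n  -> {'; '.join(reasons)}")
```

Standard access logs only carry GET query strings; to cover the search-form path noted above, the same checks have to run on POST bodies at a reverse proxy or WAF.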
No detection rules found.
No writeups or analysis indexed.
CWE
CWE-20: Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Input validation is a frequently-used technique for checking potentially dangerous inputs in order to ensure that the inputs are safe for processing within the code, or when communicating with other components. Input can consist of:
- raw data: strings, numbers, parameters, file contents, etc.
- metadata: information about the raw data, such as headers or size
Data can be simple or structured. Structured data can be composed of many nested layers, composed of combinations of metadata and raw data, with other simple or structured data. Many properties of raw data or metadata may n
CWE
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
Modes of Introduction:
Phase: Implementation
Note: REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Phase: Implementation
Note: This weakness is prevalent in handler/dispatch procedures that might want to invoke a large number of functions, or set a large number of variables.
Common Consequences:
Scope: Confidentiality. Impact: Read Files or Directories, Read Application Data. The injected code could access restricted data / files.
Scope: Access Control. Impact:
CWE
CWE-94: Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Modes of Introduction:
Phase: Implementation
Note: REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Common Consequences:
Scope: Access Control. Impact: Bypass Protection Mechanism. In some cases, injectable code controls authentication; this may lead to a remote vulnerability.
Scope: Access Control. Impact: Gain Privileges or Assume Identity. Injected code can access resources that the attacker is directly prevented from ac
References
- http://secunia.com/advisories/33040
- http://securitytracker.com/id?1021352
- http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2008-5305
- http://www.securityfocus.com/bid/32668
- http://www.vupen.com/english/advisories/2008/3381