CVE-2008-5305
published 2008-12-10

CVE-2008-5305: Eval injection vulnerability in TWiki before 4.2.4 allows remote attackers to execute arbitrary Perl code via the %SEARCH{}% variable.

Priority: P2 (60)
CVSS 2.0: 10, critical; vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: EXPLOIT (public proof of concept referenced below)
EPSS: 4.64% (90.6th percentile)

Affected (13 ranges)

Vendor   Product   Version range   Fixed in
twiki    twiki     <= 4.2.3        (none listed)

The remaining 12 ranges list only vendor and product (twiki / twiki) with no version data.

Detection & IOCs (extracted from sources)

url: http://www.example.com/twiki/bin/view/Main/WebSearch?search=%25SEARCH%7Bdate%3D%22P%60pr+-%3F%60%22+search%3D%22xyzzy%22%7D%25&scope=all
command: %SEARCH{ date="P`pr -?`" search="xyzzy" }%
path: /twiki/bin/view/Main/WebSearch
  • Detect exploit attempts by monitoring HTTP requests to TWiki's WebSearch endpoint containing URL-encoded backtick sequences (%60) within the 'search' or 'date' parameters, indicative of shell command injection via the %SEARCH{}% variable.
  • Alert on HTTP requests to TWiki search endpoints where the query string contains the literal pattern %SEARCH{ with backtick-delimited substrings in parameter values, as this is the injection vector for arbitrary Perl code execution.
  • Monitor for the canary string 'xyzzy' appearing in TWiki search parameters, as it is used in the known proof-of-concept exploit payload.
  • The vulnerability affects TWiki versions before 4.2.4; the eval injection is triggered via the %SEARCH{}% variable, which fails to sanitize user-supplied input, allowing arbitrary Perl code execution.
  • The attack can be delivered directly through the application's search box as well as via a crafted URL, so both GET-parameter and form-POST monitoring are required for full coverage.