CVE-2012-6081
published 2013-01-03


Priority: P2 77 · medium 6 (CVSS 2.0)
Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P
Tags: ITW, EXPLOIT, VulnCheck KEV (exploited in the wild)
EPSS: 30.57% (98.0th percentile)
Multiple unrestricted file upload vulnerabilities in the (1) twikidraw (action/twikidraw.py) and (2) anywikidraw (action/anywikidraw.py) actions in MoinMoin before 1.9.6 allow remote authenticated users with write permissions to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory, as exploited in the wild in July 2012.

Affected

58 ranges · showing 25
Vendor | Product | Version range | Fixed in
moinmo | moinmoin | <= 1.9.5 |

Detection & IOCs (extracted from sources)

url: http://<target>/WikiSandBox?action=twikidraw&do=modify&target=../../../plugin/action/moinexec.py
url: http://<target>/WikiSandBox?action=twikidraw&do=modify&target=../../../../moin.wsgi
url: http://<target>/WikiSandBox?action=twikidraw&do=save&ticket=<ticket>&target=../../../plugin/action/moinexec.py
url: http://<target>/WikiSandBox?action=twikidraw&do=save&ticket=<ticket>&target=../../../../moin.wsgi
path: ../../../../moin.wsgi
command: ?action=twikidraw&do=modify&target=../../../../moin.wsgi
snort:
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MoinMoin twikidraw Action Traversal File Upload"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"?action=twikidraw"; fast_pattern; content:"&target="; distance:0; content:"../moin.wsgi"; endswith; reference:bugtraq,57082; reference:cve,2012-6081; reference:url,packetstormsecurity.com/files/122079/moinmoin_twikidraw.rb.txt; reference:url,exploit-db.com/exploits/25304/; classtype:web-application-attack; sid:2017074; rev:6; metadata:created_at 2013_06_28, cve CVE_2012_6081, signature_severity Major, updated_at 2024_03_06, reviewed_at 2024_02_06;)
  • Detect POST requests to MoinMoin with URI containing '?action=twikidraw' and '&target=' parameter ending in '../moin.wsgi' — this is the path traversal write to overwrite moin.wsgi for RCE.
  • The exploit first issues a GET to retrieve a ticket token via the twikidraw 'modify' action with a traversal target, then POSTs the payload using the 'save' action with the same traversal target. Detect both phases.
  • Exploitation targets Apache/mod_wsgi deployments by overwriting moin.wsgi. Check for unexpected modification timestamps or content changes on moin.wsgi.
  • The exploit drops a backdoor action plugin at plugin/action/moinexec.py; monitor for creation of unexpected .py files under the MoinMoin plugin/action directory.
  • After writing the webshell, the attacker triggers execution by requesting '?action=moinexec&c=[command]'; monitor for requests with action=moinexec in MoinMoin access logs.
  • The exploit was observed in the wild in July 2012 against the python.org wiki; see http://wiki.python.org/moin/WikiAttack2013 for incident details.
  • Exploitation requires the attacker to have write permissions on at least one MoinMoin wiki page (e.g. WikiSandBox). Anonymous exploitation is only possible if the wiki allows anonymous editing.
  • The Metasploit module overwrites moin.wsgi to achieve RCE; it attempts to restore the file post-exploitation but successful restoration is not guaranteed, potentially leaving the target wiki broken.
  • The RCE vector via moin.wsgi overwrite is specific to Apache/mod_wsgi deployments; other deployment configurations may not be exploitable via this exact method.
  • CVE-2012-6081 affects MoinMoin versions 1.9.x up to and including 1.9.5; version 1.9.6 contains the fix (patch at hg.moinmo.in/moin/1.9/rev/7e7e1cbb9d3f).
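
The access-log checks described in the bullets above, as an added example (not code from this page or from the MoinMoin project). It goes slightly beyond the listed URLs by also matching percent-encoded traversal and the anywikidraw action, on the assumption that anywikidraw takes the same do/target parameters; the log lines are constructed and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request field of a Common/Combined Log Format line: "METHOD URI HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')
# twikidraw appears in the URLs above; anywikidraw is the CVE's second action
# (assumption: it takes the same do/target parameters).
DRAW_ACTIONS = {"twikidraw", "anywikidraw"}

def has_traversal(target):
    """True if the target value contains a '..' path segment."""
    # parse_qs has decoded once already; decode again to catch double encoding.
    return ".." in unquote(target).replace("\\", "/").split("/")

def classify(line):
    """Return (finding, detail) for one access-log line, or None if clean."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    query = parse_qs(urlsplit(m.group("uri")).query, keep_blank_values=True)
    action = query.get("action", [""])[0].lower()
    if action == "moinexec":  # request to the dropped backdoor action plugin
        return ("backdoor-action-request", m.group("uri"))
    if action in DRAW_ACTIONS:
        do = query.get("do", [""])[0].lower()
        phase = {"modify": "ticket-fetch", "save": "write"}.get(do, "other")
        for target in query.get("target", []):
            if has_traversal(target):
                return ("traversal-" + phase, target)
    return None

def scan(lines):
    """Return [(line_number, finding, detail)] for every flagged line."""
    return [(i, *hit) for i, line in enumerate(lines, 1) if (hit := classify(line))]

# Constructed sample lines (documentation IP ranges), not taken from a real log.
T = "[01/Jan/2013:10:00:00 +0000]"
SAMPLE_LOG = [
    f'192.0.2.10 - - {T} "GET /FrontPage HTTP/1.1" 200 5120',
    f'192.0.2.10 - - {T} "GET /WikiSandBox?action=twikidraw&do=modify&target=diagram.tdraw HTTP/1.1" 200 2048',
    f'198.51.100.7 - - {T} "GET /WikiSandBox?action=twikidraw&do=modify&target=../../../plugin/action/moinexec.py HTTP/1.1" 200 2301',
    f'198.51.100.7 - - {T} "POST /WikiSandBox?action=twikidraw&do=save&ticket=CONSTRUCTED&target=../../../plugin/action/moinexec.py HTTP/1.1" 200 12',
    f'198.51.100.7 - - {T} "GET /WikiSandBox?action=moinexec&c=CONSTRUCTED HTTP/1.1" 200 40',
    f'198.51.100.7 - - {T} "POST /WikiSandBox?action=anywikidraw&do=save&ticket=CONSTRUCTED&target=%2e%2e%2f%2e%2e%2fmoin.wsgi HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for lineno, finding, detail in scan(SAMPLE_LOG):
        print(lineno, finding, detail)
```

A legitimate drawing edit (line 2 of the sample) is not flagged, because its target has no `..` segment; any hit should be followed up with the file checks on moin.wsgi and plugin/action listed above.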

CVSS provenance

nvd | v2.0 | 6.0 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P
ghsa | 6.0 | MEDIUM
osv | 6.0 | MEDIUM
vulncheck | 6.0 | MEDIUM