CVE-2012-6329
published 2013-01-04


Priority: P271 high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 61.60% (99.1th percentile)
The _compile function in Maketext.pm in the Locale::Maketext implementation in Perl before 5.17.7 does not properly handle backslashes and fully qualified method names during compilation of bracket notation, which allows context-dependent attackers to execute arbitrary commands via crafted input to an application that accepts translation strings from users, as demonstrated by the TWiki application before 5.1.3, and the Foswiki application 1.0.x through 1.0.10 and 1.1.x through 1.1.6.

Affected

37 ranges · showing 25

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | perl | < perl 5.14.2-16 (bookworm) | perl 5.14.2-16 (bookworm) |
| perl | perl | <= 5.16.2 | |
| perl | perl | | |

Detection & IOCs (extracted from sources)

command: %MAKETEXT{"test [_1] secondtest\\'}; `touch /tmp/msf.txt`; { #" args="msf"}%
url: /bin/login
url: /bin/edit
url: /bin/save
url: /do/login
url: /do/edit
url: /do/save
  • Detect MAKETEXT injection payloads in POST body containing backslash-quote sequences followed by backtick command execution: pattern `\\'}; \`<cmd>\`; { #`
  • Monitor POST requests to TWiki/Foswiki save endpoints (`/bin/save`, `/do/save`) containing `%MAKETEXT{` with embedded backtick shell metacharacters in the `text` parameter
  • Successful exploitation response body contains the string `HASH` — monitor view responses for this pattern as an indicator of eval execution
  • Exploitation requires `UserInterfaceInternationalisation` variable to be set; check for this in Foswiki/TWiki configuration as a prerequisite indicator
  • The vulnerability is triggered via Perl `eval` on unsanitized user input in Locale::Maketext's `_compile` function; look for eval-related Perl errors or unexpected process spawning from web server processes
  • Exploitation only works on TWiki/Foswiki instances with the `UserInterfaceInternationalisation` variable enabled; sites without this setting are not vulnerable
  • Anonymous exploitation is possible if no USERNAME/PASSWORD is required by the target; the module falls back to anonymous access automatically
  • The Foswiki exploit module bypasses anti-automation via an MD5 transformation of the `validation_key` combined with `FOSWIKISTRIKEONE` cookie value; detection should account for this CSRF bypass pattern
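
One way to turn the first two detection notes into a request check, as an added example that is not taken from this page's sources or from TWiki/Foswiki. The function names and the sample requests are constructed for illustration; the positive case reuses the command string quoted above.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit

SAVE_PATHS = ("/bin/save", "/do/save")  # save endpoints listed on this page
# One %MAKETEXT{...}% macro; the body runs to the closing "}%".
MACRO_RE = re.compile(r"%MAKETEXT\{(.*?)\}%", re.DOTALL)
# One or more backslashes directly before a quote character.
BACKSLASH_QUOTE_RE = re.compile(r"""\\+['"]""")

# The command string quoted on this page, used as the positive case.
PAGE_PAYLOAD = r'''%MAKETEXT{"test [_1] secondtest\\'}; `touch /tmp/msf.txt`; { #" args="msf"}%'''
# Constructed benign macro for comparison.
BENIGN = '%MAKETEXT{"Edit [_1]" args="WebHome"}%'


def macro_findings(text):
    """Return sorted reasons why MAKETEXT macros in `text` look like injection."""
    reasons = set()
    for body in MACRO_RE.findall(text):
        if BACKSLASH_QUOTE_RE.search(body):
            reasons.add("backslash-quote")
        if "`" in body:
            reasons.add("backtick")
    return sorted(reasons)


def check_request(method, url, body):
    """Inspect the `text` parameter of a POST to a save endpoint."""
    path = urlsplit(url).path
    if method.upper() != "POST" or not any(p in path for p in SAVE_PATHS):
        return []
    reasons = set()
    # parse_qs percent-decodes the form body before the macro is examined.
    for text in parse_qs(body, keep_blank_values=True).get("text", []):
        reasons.update(macro_findings(text))
    return sorted(reasons)


# Constructed sample requests: (method, URL, form-encoded body).
SAMPLES = [
    ("POST", "/bin/save/Sandbox/Test", urlencode({"text": PAGE_PAYLOAD})),
    ("POST", "/do/save/Sandbox/Test", urlencode({"text": BENIGN})),
    ("GET", "/bin/view/Sandbox/Test", ""),
]

if __name__ == "__main__":
    for method, url, body in SAMPLES:
        print(method, url, check_request(method, url, body) or "clean")
```

The check decodes the body first because the macro arrives percent-encoded in the form data; matching on the raw request bytes would miss it.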

CVSS provenance

nvd: v2.0, 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
osv: 7.5 HIGH
vendor_debian: 7.5 HIGH
vendor_redhat: 7.5 HIGH