CVE-2014-7236
published 2020-02-17CVE-2014-7236: Eval injection vulnerability in lib/TWiki/Plugins.pm in TWiki before 6.0.1 allows remote attackers to execute arbitrary Perl code via the debugenableplugins…
PriorityP178critical9.1CVSS 3.1
AVNACLPRNUINSUCHIHAN
EXPLOIT
EPSS
55.64%
98.9th percentile
Eval injection vulnerability in lib/TWiki/Plugins.pm in TWiki before 6.0.1 allows remote attackers to execute arbitrary Perl code via the debugenableplugins parameter to do/view/Main/WebHome.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| twiki | twiki | — | — |
| twiki | twiki | 4.0 – 4.0.5 | — |
| twiki | twiki | 4.1 – 4.1.2 | — |
| twiki | twiki | 4.2 – 4.2.4 | — |
| twiki | twiki | 4.3 – 4.3.2 | — |
| twiki | twiki | 5.0 – 5.0.2 | — |
| twiki | twiki | 5.1.0 – 5.1.4 | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Detect HTTP POST requests to /do/view/Main/WebHome containing the 'debugenableplugins' parameter in the POST body, especially with URL-encoded semicolons (%3b) indicating chained Perl code injection. ↗
- →Monitor for HTTP POST requests to TWiki endpoints where the debugenableplugins parameter value contains semicolons or Perl syntax (e.g., 'print(', 'system(', 'require('), indicating attempted eval injection. ↗
- →Check requests use method POST; a probe/check request will contain a concatenated random alpha string printed via Perl print() to fingerprint the vulnerability before exploitation. ↗
- ·The exploit module defaults to 'BackupRestorePlugin' as the plugin name prepended to the injected code; defenders should note this default but attackers may substitute any valid installed plugin name. ↗
- ·The exploit targets TWiki versions 4.0.x through 6.0.0; versions 6.0.1 and later are patched and should not be vulnerable. ↗
- ·Payload compatibility requires cmd-type payloads with generic perl, python, or php; this constrains the payload types that will function with this exploit module. ↗
CVSS provenance
nvdv3.19.1CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
nvdv2.06.4MEDIUMAV:N/AC:L/Au:N/C:P/I:P/A:N
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
TWiki Debugenableplugins - Remote Code Execution (Metasploit)
exploitdb·2015-03-19·CVSS 9.1
CVE-2014-7236 [CRITICAL] TWiki Debugenableplugins - Remote Code Execution (Metasploit)
TWiki Debugenableplugins - Remote Code Execution (Metasploit)
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'TWiki Debugenableplugins Remote Code Execution',
'Description' => %q{
TWiki 4.0.x-6.0.0 contains a vulnerability in the Debug functionality.
The value of the debugenableplugins parameter is used without proper sanitization
in an Perl eval statement which allows remote code execution
},
'Author' =>
[
'Netanel Rubin', # from Check Point - Discovery
'h0ng10', # Metasploit Module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2014-7236'],
[ 'OSVDB', '112977'],
[ 'URL', 'http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236']
],
'Pri
Metasploit
TWiki Debugenableplugins Remote Code Execution
metasploit
TWiki Debugenableplugins Remote Code Execution
TWiki Debugenableplugins Remote Code Execution
TWiki 4.0.x-6.0.0 contains a vulnerability in the Debug functionality. The value of the debugenableplugins parameter is used without proper sanitization in an Perl eval statement which allows remote code execution.
No writeups or analysis indexed.
http://packetstormsecurity.com/files/128623/Twiki-Perl-Code-Execution.htmlhttp://seclists.org/fulldisclosure/2014/Oct/44http://www.securityfocus.com/bid/70372http://www.securitytracker.com/id/1030981http://packetstormsecurity.com/files/128623/Twiki-Perl-Code-Execution.htmlhttp://seclists.org/fulldisclosure/2014/Oct/44http://www.securityfocus.com/bid/70372http://www.securitytracker.com/id/1030981
2020-02-17
Published