cbcvebase.
CVE-2014-7236
published 2020-02-17

CVE-2014-7236: Eval injection vulnerability in lib/TWiki/Plugins.pm in TWiki before 6.0.1 allows remote attackers to execute arbitrary Perl code via the debugenableplugins…

PriorityP178critical9.1CVSS 3.1
AVNACLPRNUINSUCHIHAN
EXPLOIT
EPSS
55.64%
98.9th percentile
Eval injection vulnerability in lib/TWiki/Plugins.pm in TWiki before 6.0.1 allows remote attackers to execute arbitrary Perl code via the debugenableplugins parameter to do/view/Main/WebHome.

Affected

7 ranges
VendorProductVersion rangeFixed in
twikitwiki
twikitwiki4.0 – 4.0.5
twikitwiki4.1 – 4.1.2
twikitwiki4.2 – 4.2.4
twikitwiki4.3 – 4.3.2
twikitwiki5.0 – 5.0.2
twikitwiki5.1.0 – 5.1.4

Detection & IOCsextracted from sources · hover to see the quote

url/do/view/Main/WebHome
commanddebugenableplugins=BackupRestorePlugin%3b<perl_code>%3bexit
pathlib/TWiki/Plugins.pm
  • Detect HTTP POST requests to /do/view/Main/WebHome containing the 'debugenableplugins' parameter in the POST body, especially with URL-encoded semicolons (%3b) indicating chained Perl code injection.
  • Monitor for HTTP POST requests to TWiki endpoints where the debugenableplugins parameter value contains semicolons or Perl syntax (e.g., 'print(', 'system(', 'require('), indicating attempted eval injection.
  • Check requests use method POST; a probe/check request will contain a concatenated random alpha string printed via Perl print() to fingerprint the vulnerability before exploitation.
  • ·The exploit module defaults to 'BackupRestorePlugin' as the plugin name prepended to the injected code; defenders should note this default but attackers may substitute any valid installed plugin name.
  • ·The exploit targets TWiki versions 4.0.x through 6.0.0; versions 6.0.1 and later are patched and should not be vulnerable.
  • ·Payload compatibility requires cmd-type payloads with generic perl, python, or php; this constrains the payload types that will function with this exploit module.

CVSS provenance

nvdv3.19.1CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
nvdv2.06.4MEDIUMAV:N/AC:L/Au:N/C:P/I:P/A:N
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.