Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   


Try our Premium Alert Service
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Become a Partner and License Our Database or Notification Service

Category:   Application (Forum/Board/Portal)  >   TWiki Vendors:
TWiki Input Validation Hole in Search Function Lets Remote Users Execute Shell Commands
SecurityTracker Alert ID:  1012223
SecurityTracker URL:
CVE Reference:   CVE-2004-1037   (Links to External Site)
Updated:  Nov 16 2004
Original Entry Date:  Nov 13 2004
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 20040901 and prior versions
Description:   A vulnerability was reported in TWiki. A remote user can execute shell commands on the target system.

Hans Ulrich Niedermann reported that the search function does not validate user-supplied input before executing a command line entry based on the input. A remote user can supply a specially crafted search string to execute arbitrary commands on the target system.

A demonstration exploit search string is provided:

doesnotexist1'; (uname -a; id) | sed 's/\(.*\)/__BEGIN__\1__END__.txt/'; fgrep -i -l -- 'doesnotexist2

The vendor was notified on November 12, 2004.

Impact:   A remote user can execute arbitrary shell commands on the target system with the privileges of the target web service.
Solution:   The vendor has provided a hotfix, available at:

Vendor URL: (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Nov 24 2004 (Gentoo Issues Fix) TWiki Input Validation Hole in Search Function Lets Remote Users Execute Shell Commands
Gentoo has released a fix.
Jan 14 2005 (Conectiva Issues Fix) TWiki Input Validation Hole in Search Function Lets Remote Users Execute Shell Commands
Conectiva has released a fix.

 Source Message Contents

Subject:  [Full-Disclosure] TWiki search function allows arbitrary shell command execution



- TWiki 20030201 (e.g. Debian Sarge)
- probably later versions

- Subversion repository at
  at least until revision 3224 (including)


HTTP GET requests towards the Wiki server (typically port 80/TCP).
Usually, no prior authentication is necessary.

Possibly also HTTP POST, but this is untested.


An attacker is able to execute arbitrary shell commands with the
privileges of the TWiki process.


The TWiki search function uses a user supplied search string to
compose a command line executed by the Perl backtick (``) operator.

The search string is not checked properly for shell metacharacters
and is thus vulnerable to search string containing quotes and shell

An example search string would be:

doesnotexist1'; (uname -a; id) | sed 's/\(.*\)/__BEGIN__\1__END__.txt/'; fgrep -i -l -- 'doesnotexist2

If access to the Wiki is not restricted by other means, attackers can
use the search function without prior authentication.

As indicated in the source code, the software authors were aware that
the way they worked around Perl's taint check is insecure. Users of
TWiki should reconsider if the software can meet their security
requirements, given such gross negligence.


  - Hotfix (see patch at end of advisory)
    The hotfix is known to prevent the current attacks, but it might
    not be a complete fix.
  - Filter access to the web server.
  - Use the web server software to restrict access to the web pages
    served by TWiki.
  - Rewrite the TWiki code to correctly check user supplied strings.
  - Rewrite the TWiki code to use Perl code to open and scan the files
    instead of running commands in the shell.


  Markus Goetz, Joerg Hoh, Michael Holzt, Florian Laws,
  Hans Ulrich Niedermann, Andreas Thienemann, Peter Thoeny,
  Florian Weimer contributed to this advisory.


--- twiki/lib/TWiki/	2004-11-12 20:16:56.000000000 +0100
+++ twiki/lib/TWiki/	2004-11-12 20:36:21.000000000 +0100
@@ -135,6 +135,11 @@
     my $tempVal = "";
     my $tmpl = "";
     my $topicCount = 0; # JohnTalintyre
+    # Hotfix for search string shell code insertion vulnerability
+    $theSearchVal =~ s/[^A-Za-z0-9+\-_]//g; # only accept known-good chars
+    $theSearchVal = substr($theSearchVal, 0, 100); # limit string to reasonable length
     my $originalSearch = $theSearchVal;
     my $renameTopic;
     my $renameWeb = "";


  early October 2004   earliest confirmed attack

  2004-11-12           forensics revealed exploit
                       vendor contact
                       vendor responded, with less conservative hotfix

  2004-11-13           uncoordinated emergency disclosure

Full-Disclosure - We believe in it.


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2018, LLC