A recent vulnerability in TWiki software allows remote attackers to execute arbitrary commands on the affected system with the privileges of the Web server process. We received reports that attackers ares beginning to exploit this vulnerability, which increases the severity of this flaw.
To learn more about this problem, and to download a patch, go to:
TWiki is a popular web-based collaboration tool. If you have it installed, we urge you to patch it as soon as possible. We are expecting to see a worm that exploits the recent vulnerability pretty soon.
Chas Tomlin provided us with the following Snort signature, which he put together with help from others:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB twiki rev access"; flow:to_server,established; uricontent:"/bin/view/Main/TWikiUsers?"; nocase; pcre:"/rev=\d+%20/i"; classtype:web-application-activity; reference:url,secunia.com/advisories/16820/; sid:2002366; rev:2;)
This rule is also available from the Bleeding Snort website.
Sep 16th 2005
1 decade ago