This advisory alerts you of a potential security issue with your Foswiki installation. A vulnerability has been reported against the core Perl module CPAN:Locale::Maketext, which Foswiki uses to provide translations when {UserInterfaceInternationalization} is enabled in the configuration. Because of this vulnerability it may be possible for a user to invoke arbitrary perl modules on the server through a crafted macro.
023db9151bd2be81fe7fb2120f8132f7dc0869271e0ab523331a0d259b93ee55This Metasploit module exploits a vulnerability in the MAKETEXT Twiki variable. By using a specially crafted MAKETEXT, a malicious user can execute shell commands since user input is passed to the Perl "eval" command without first being sanitized. The problem is caused by an underlying security issue in the CPAN:Locale::Maketext module. This works in TWiki sites that have user interface localization enabled (UserInterfaceInternationalisation variable set). If USERNAME and PASSWORD aren't provided, anonymous access will be tried. Also, if the 'TwikiPage' option isn't provided, the module will try to create a random page on the SandBox space. The modules has been tested successfully on TWiki 5.1.2 as distributed with the official TWiki-VM-5.1.2-1 virtual machine.
6a462fdc51b0c493b941a326fd05e71eb12bf8bedb39c652d6c549a65bf5b2d5Foswiki versions 1.0.0 through 1.0.10 and 1.1.0 through 1.1.6 suffer from code injection and denial of service vulnerabilities.
777c5306e69ec99defa86aab14d0af12fc152b9499f1a6b5e5231a78d1e8095dTWiki versions 4.x and 5.1.0 through 5.1.2 suffers from a remote command execution vulnerability due to an underlying security issue in the Locale::Maketext CPAN module.
cb72251d574c616e51ff36e8cd83c9ea7e2a8b758b68d28544a8988cc1c489f9
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed