Vendor: Foswiki
By: Brian Carlson, juan vazquez

Foswiki MAKETEXT Remote Command Execution

This module exploits a vulnerability in the Foswiki MAKETEXT variable. By supplying a specially crafted MAKETEXT variable, a malicious user can execute shell commands, because the input is passed to Perl's 'eval' without first being sanitized. The problem is caused by an underlying security issue in the CPAN module Locale::Maketext. Only Foswiki sites that have user interface localization enabled (UserInterfaceInternationalisation variable set) are vulnerable.

Mitigation:

Disable user interface localization
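
One way to verify that the mitigation is in place is to audit the site configuration for the UserInterfaceInternationalisation setting. The script below is an added example, not part of the original advisory or of Foswiki. It assumes the setting is stored as a `$Foswiki::cfg{UserInterfaceInternationalisation}` assignment in a Perl-syntax config file such as lib/LocalSite.cfg and that an absent key means disabled; the sample configurations are constructed.

```python
import re
import sys

# Uncommented assignment, e.g. $Foswiki::cfg{UserInterfaceInternationalisation} = 1;
# A line starting with '#' cannot match because '$' must be the first non-blank character.
ASSIGN = re.compile(
    r"^\s*\$Foswiki::cfg\{UserInterfaceInternationalisation\}\s*=\s*(?P<val>[^;]*);"
)

# Perl literals that are false in boolean context.
PERL_FALSE = {"0", "'0'", '"0"', "''", '""', "undef"}


def localization_enabled(cfg_text):
    """True if the last uncommented assignment turns localization on.

    Assumption: when the key is absent the setting is treated as off.
    """
    enabled = False
    for line in cfg_text.splitlines():
        match = ASSIGN.match(line)
        if match:  # later assignments override earlier ones, as in Perl
            enabled = match.group("val").strip() not in PERL_FALSE
    return enabled


def audit(cfg_text):
    """One-line finding for a report."""
    if localization_enabled(cfg_text):
        return "REVIEW: localization enabled, precondition for the MAKETEXT issue is present"
    return "OK: localization disabled, mitigation in place"


# Constructed sample configurations (not taken from a real site).
SAMPLE_ENABLED = """\
$Foswiki::cfg{DefaultUrlHost} = 'http://wiki.example.test';
$Foswiki::cfg{UserInterfaceInternationalisation} = 1;
"""
SAMPLE_MITIGATED = """\
# $Foswiki::cfg{UserInterfaceInternationalisation} = 1;
$Foswiki::cfg{UserInterfaceInternationalisation} = 0;
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to a config file, e.g. lib/LocalSite.cfg
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(audit(fh.read()))
    else:
        for name, text in (("enabled", SAMPLE_ENABLED), ("mitigated", SAMPLE_MITIGATED)):
            print(name, "->", audit(text))
```

A REVIEW result only means the precondition named in the description is met; it does not test whether the installed Foswiki or Locale::Maketext version has been fixed.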

Exploit-DB raw data: