FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

twiki -- remote Perl code execution

Affected packages
twiki < 5.1.4_1,1


VuXML ID 21ce1840-6107-11e4-9e84-0022156e8794
Discovery 2014-10-09
Entry 2014-10-31

TWiki developers report:

The debugenableplugins request parameter allows arbitrary Perl code execution.

Using an HTTP GET request towards a TWiki server, add a specially crafted debugenableplugins request parameter to TWiki's view script (typically port 80/TCP). Prior authentication may or may not be necessary.

A remote attacker can execute arbitrary Perl code to view and modify any file the webserver user has access to.


The TWiki site is vulnerable if you see a page with text "Vulnerable!".


CVE Name CVE-2014-7236