[ https://issues.apache.org/jira/browse/JSPWIKI-846?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Harry Metske resolved JSPWIKI-846.
----------------------------------

    Resolution: Not a Problem

> Potential Command Execution from Wiki.jsp & rss.jsp
> ---------------------------------------------------
>
>                 Key: JSPWIKI-846
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-846
>             Project: JSPWiki
>          Issue Type: Bug
>    Affects Versions: 2.10.1
>            Reporter: Jeff LoBello
>
> Nessus reported the following potential vulnerability...
> Date: Fri 13 Jun 2014 15:29:51 MET
> Vuln#: 3CN39465 (counted)
> Vulnerability: CGI Generic Command Execution
> ToDo: Restrict access to the vulnerable application. Contact the vendor for a 
> patch or upgrade.
> CertRef: 
> Tool Reference: http://www.nessus.org/plugins/index.php?view=single&id=39465
> Comment: 
> NessusOutput:
> Port: 80/tcp
> Using the GET HTTP method, Nessus found that :
> + The following resources may be vulnerable to arbitrary command execution :
> + The 'page' parameter of the /wiki/Wiki.jsp CGI :
> /wiki/Wiki.jsp?page=echo%20NeS%20%20SuS
> -------- output --------
> <meta name="wikiBaseUrl" content='http://165.226.163.94/wiki/' 
> /> <meta name="wikiPageUrl" 
> content='/wiki/Wiki.jsp?page=%23%24%25' /> <meta 
> name="wikiEditUrl" content='/wiki/Edit.jsp?page=Echo%20NeS%20SuS' 
> />
> <meta name="wikiJsonUrl" content='/wiki/JSON-RPC' /> <meta 
> name="wikiPageName" content='Echo NeS SuS' />
> ------------------------
> + The 'page' parameter of the /wiki/rss.jsp CGI :
> /wiki/rss.jsp?page=echo%20NeS%20%20SuS
> -------- output --------
> Error 404: No such page Echo NeS SuS
> ------------------------
> Clicking directly on these URLs should exhibit the issue :
> (you will probably need to read the HTML source)
> http://165.226.163.94/wiki/Wiki.jsp?page=echo%20NeS%20%20SuS
> http://165.226.163.94/wiki/rss.jsp?page=echo%20NeS%20%20SuS
> I believe this is a false positive.  I did not see evidence of arbitrary 
> command injection, but nonetheless, I wanted to pass on the finding for your 
> analysis.
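The scanner output above shows what tripped the check: the probe sent the page name `echo NeS  SuS` (two spaces) and the reflected page name came back as `Echo NeS SuS` (one space), which is exactly what a shell's `echo` would print after word splitting. Whitespace-collapsing page-name normalisation therefore looks like command execution to a reflection-based oracle. The following is an added example, not JSPWiki code or anything from the report, that reproduces the false positive against a constructed handler shaped like the meta tags in the Nessus output and, for contrast, against a deliberately vulnerable handler that really runs the parameter through `/bin/sh`. The `normalize_page_name` function is a hypothetical approximation of the normalisation visible in the report (leading capital, whitespace collapsed), not JSPWiki's actual implementation; the `arithmetic_check` shows a stronger oracle (`$((6*7))` must come back as `42`) that the reflection cannot satisfy.

```python
import html
import subprocess
from urllib.parse import quote, unquote

# Probe and marker modelled on the report: /wiki/Wiki.jsp?page=echo%20NeS%20%20SuS
NESSUS_PAYLOAD = "echo NeS  SuS"   # two spaces in the argument
NESSUS_MARKER = "NeS SuS"          # one space: what sh's echo prints after word splitting


def normalize_page_name(name: str) -> str:
    """Hypothetical approximation of the page-name normalisation seen in the
    report: runs of whitespace collapse to one space, first letter upper-cased.
    This is NOT JSPWiki's real code."""
    collapsed = " ".join(name.split())
    return collapsed[:1].upper() + collapsed[1:]


def wiki_jsp_safe(page_param: str) -> str:
    """Constructed handler that only reflects the (escaped) page name into a meta
    tag, shaped like the <meta name="wikiPageName"> line in the Nessus output."""
    name = normalize_page_name(unquote(page_param))
    return f"<meta name=\"wikiPageName\" content='{html.escape(name, quote=True)}' />"


def wiki_jsp_vulnerable(page_param: str) -> str:
    """Constructed, deliberately vulnerable handler for contrast: the parameter is
    executed by /bin/sh (assumes a POSIX shell is available)."""
    proc = subprocess.run(unquote(page_param), shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def nessus_style_check(handler) -> bool:
    """Reflection oracle as the scanner appears to apply it: send 'echo A  B' and
    look for 'A B' in the response. Whitespace collapse alone satisfies this."""
    body = handler(quote(NESSUS_PAYLOAD))
    return NESSUS_MARKER in body


def arithmetic_check(handler) -> bool:
    """Stronger oracle: only a real shell turns $((6*7)) into 42. A handler that
    merely normalises and reflects the string keeps the literal expression."""
    body = handler(quote("echo $((6*7))"))
    return "42" in body and "$((6*7))" not in body


if __name__ == "__main__":
    for label, handler in (("reflect-only", wiki_jsp_safe),
                           ("real shell", wiki_jsp_vulnerable)):
        print(f"{label:12s} nessus-style={nessus_style_check(handler)} "
              f"arithmetic={arithmetic_check(handler)}")
```

Run stand-alone, the reflect-only handler passes the scanner's echo check (the false positive reported above) but fails the arithmetic check, while the handler that really invokes a shell passes both; when triaging a "CGI Generic Command Execution" finding, repeat the request with a payload whose output differs from its input before escalating it.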



--
This message was sent by Atlassian JIRA
(v6.2#6252)
