Title: Twig Remote Arbitrary Script Execution Vulnerability
Severity: HIGH
Description:
Twig is a popular web-based email system written in PHP3. Version 2.5.1 and possibly earlier versions of Twig contain a vulnerability that may allow a remote attacker to gain local access to the webserver on which it is installed with httpd privileges.
One of Twig's component scripts, index.php3, uses a variable called vhosts[], containing entries for each virtual host on the webserver. It is referenced in index.php3 when loading "include" PHP3 scripts, which will be interpreted and executed when loaded.
Unfortunately, this variable isn't initialized before it is referenced, making it possible for an attacker to remotely set its value to an arbitrary host. When index.php3 references values in this variable it will find the one set remotely by the attacker. The script will then attempt to retrieve a php3 include file from the host in the vhosts[] variable.
If this host serves valid php3 include files as requested by index.php3, the script will be loaded and its contents interpreted/executed.
Affected Products:
- Christopher Heschong Twig 2.5.1
References:
- Christopher Heschong: Twig Homepage
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
