CVE-2006-3336 in TWiki
Summary
by MITRE
TWiki 01-Dec-2000 up to 4.0.3 allows remote attackers to bypass the upload filter and execute arbitrary code via filenames with double extensions such as ".php.en", ".php.1", and other allowed extensions that are not .txt. NOTE: this is only a vulnerability when the server allows script execution in the pub directory.
Analysis
by VulDB Data Team • 06/22/2019
This vulnerability affects TWiki versions up to 4.0.3 and represents a critical file upload filter bypass that enables remote code execution through carefully crafted filenames with double extensions. The flaw stems from insufficient validation of file extensions during the upload process, allowing malicious actors to circumvent security measures designed to restrict file types. Attackers can exploit this vulnerability by uploading files with extensions like ".php.en" or ".php.1" which appear to be legitimate files but actually contain executable code.
The vulnerability specifically leverages the fact that TWiki's upload filter does not properly handle filenames containing multiple dots, treating the final extension as the primary file type while ignoring intermediate extensions that might indicate malicious intent. This creates a dangerous scenario where files with extensions such as .php, .pl, or .cgi can be uploaded and executed on the server when the pub directory allows script execution.
The security implications are severe as this vulnerability directly violates the principle of least privilege and can lead to complete server compromise. According to CWE-434, this represents a weakness in file upload validation where the system fails to properly validate file types, allowing potentially malicious files to be uploaded. The attack pattern aligns with ATT&CK technique T1190, which describes the exploitation of vulnerabilities in web applications to upload and execute malicious code. The vulnerability is particularly dangerous because it requires minimal user interaction and can be exploited through automated tools.
The root cause lies in the server configuration that permits script execution in the pub directory, making the system vulnerable to any file upload that bypasses the filter. This creates a chain of compromise where an attacker can upload a web shell or other malicious code that executes with the privileges of the web server. The impact extends beyond simple code execution to include potential data exfiltration, system reconnaissance, and further lateral movement within the network.
Organizations running affected TWiki versions must immediately implement proper file validation mechanisms and ensure that the pub directory does not allow script execution. The vulnerability demonstrates the critical importance of proper input validation and the need for defense-in-depth strategies that protect against multiple attack vectors simultaneously. Security practitioners should consider this vulnerability in the context of broader web application security practices and ensure that all file upload mechanisms properly validate both file content and extensions. The issue also highlights the importance of keeping software up to date and implementing proper access controls to prevent unauthorized code execution in sensitive directories. Organizations should also consider implementing additional monitoring and detection mechanisms to identify suspicious file upload activities and prevent exploitation of similar vulnerabilities in other applications.
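
The gap between a last-extension check and a check of every dot-separated segment, as an added example (not TWiki's own filter code). The deny list, the function names and the underscore-rewrite policy are assumptions made for this sketch.

```python
import os
import re

# Assumed deny list for this sketch; align it with the script handlers
# your web server actually maps. It is not TWiki's own filter list.
SCRIPT_EXT = re.compile(r"^(php[0-9s]?|phtml|shtml|pl|py|cgi|asp|jsp)$", re.I)


def _basename(filename):
    # Drop any client-supplied path, whichever separator was used.
    return filename.replace("\\", "/").rsplit("/", 1)[-1]


def last_ext_only(filename):
    """Weak check: looks at the final extension only (the bypassed pattern)."""
    ext = os.path.splitext(_basename(filename))[1].lstrip(".")
    return bool(SCRIPT_EXT.match(ext))


def script_segments(filename):
    """Strong check: every segment after the base name is inspected."""
    parts = _basename(filename).split(".")
    return [p for p in parts[1:] if SCRIPT_EXT.match(p)]


def neutralize(filename):
    """Rewrite the name so no segment can be read as a script extension."""
    parts = _basename(filename).split(".")
    out = parts[0]
    for seg in parts[1:]:
        # Join risky segments with "_" so the stored name has no ".php" etc.
        out += ("_" if SCRIPT_EXT.match(seg) else ".") + seg
    # Also refuse dotfiles such as ".htaccess" by stripping leading dots.
    return out.lstrip(".") or "upload"


if __name__ == "__main__":
    # Constructed sample names, including the two patterns from the summary.
    for name in ["notes.txt", "shell.php", "shell.php.en", "report.php.1",
                 ".htaccess", "../pub/x.PL"]:
        print(f"{name!r:16} last-ext flags: {last_ext_only(name)!s:5} "
              f"all-segments: {script_segments(name)} -> {neutralize(name)!r}")
```

Filename filtering is the second layer; the condition in the summary still applies, so script execution should be disabled for the pub directory regardless of what the filter accepts.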