A serious security hole has been discovered in TWiki, the popular open source collaboration software. The vulnerability allows remote attackers to execute shell commands on affected systems, and is already being actively exploited, with some analysts warning that a worm could soon follow. A hotfix is available from the TWiki web site.
TWiki is an enterprise collaboration platform typically used on development projects. It is used for internal communications at companies including IBM, Yahoo, Circuit City, Reuters, Boeing, General Electric, Wachovia and ZoneLabs. Some large companies use it to run web-facing Wikis, such as British Telecom's UK Telco B2B Forum.
According to the advisory, TWiki does not properly check URL parameters for shell metacharacters, so a revision-number parameter can carry pipe characters and shell commands that the server then executes. The exploit works against topics with two or more revisions, and gives the attacker the same privileges as the web server process.
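The defence this class of bug calls for is a strict allow-list on the revision parameter and a process invocation that never passes the value through a shell. The following is an added illustration written for this article, not TWiki's own Perl code; the query-parameter names, the `,v` file path and the exact revision pattern are assumptions.

```python
import re
import subprocess
from typing import List, Optional

# Allow-list for an RCS-style revision number such as "1.12". Anything else,
# including a value carrying '|' or ';' followed by a shell command, is rejected
# before it gets anywhere near a process invocation. The bounds here are an
# assumption for this example, not TWiki's own rule.
REVISION_RE = re.compile(r"[1-9][0-9]{0,3}\.[0-9]{1,5}")


def parse_revision(raw: Optional[str]) -> Optional[str]:
    """Return the revision string only if it matches the allow-list, else None."""
    if raw is None or REVISION_RE.fullmatch(raw) is None:
        return None
    return raw


def build_rcs_argv(rcs_file: str, rev: str) -> List[str]:
    """Build the argv list for 'co -q -p -r<rev> <file>' (RCS check-out to stdout).

    The revision is one argv element, never part of a shell command line, so a
    metacharacter that somehow survived validation would reach 'co' as a literal
    revision name instead of being interpreted by /bin/sh.
    """
    if parse_revision(rev) is None:
        raise ValueError("invalid revision parameter")
    return ["co", "-q", "-p", "-r" + rev, rcs_file]


def checkout_revision(rcs_file: str, rev: str) -> str:
    """Fetch one revision of a topic from its ,v file without going through a shell."""
    argv = build_rcs_argv(rcs_file, rev)
    # shell=False (the default) is the important part: argv is executed directly.
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout


# Constructed query parameters, as a web handler might receive them: the first
# is a normal request, the second carries a pipe where a revision should be.
SAMPLE_PARAMS = [
    {"topic": "WebHome", "rev": "1.3"},
    {"topic": "WebHome", "rev": "1.3|true"},
]


def handle_sample_requests() -> List[Optional[str]]:
    """Validate each sample's rev parameter; None marks a rejected request."""
    return [parse_revision(p.get("rev")) for p in SAMPLE_PARAMS]
```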
A Wiki is a web application that allows users to add content, as on an Internet forum, but also allows anyone to edit existing content. One popular example is Wikipedia, the user-compiled Internet encyclopedia, which has more than 700,000 entries. The TWiki web site has nearly 18,000 registered users.