Critical Foswiki Vulnerablities: A Logic Error Turned Remote Code Execution 

11. July 2023

Our Pentest Professionals at usd HeroLab love open source software as much as anyone. However, it should be secure as well. This is why Christian Pöschl, Senior Consultant IT Security at usd HeroLab, took a closer look at the open source software "Foswiki" in the context of our mission more security. He identified several vulnerabilities that allowed attackers to inject and execute malicious code remotely (remote code execution).

All vulnerabilities were reported to the developers according to our Responsible Disclosure Policy and were quickly fixed by the release of the TopicInteractionPlugin version 9.20.

Our Pentest Professionals wrote this blog to raise awareness of these attack vectors and to help other IT security professionals and system administrators to identify and fix these vulnerabilities.

A detailed description can be found in our LabNews: https://herolab.usd.de/en/critical-foswiki-vulnerablities-a-logic-error-turned-remote-code-execution/

More details about the identified vulnerabilities can be found here: https://herolab.usd.de/en/security-advisories/

Also interesting:

SWIFT CSCFv2025 - The Three Most Important Questions About the Update

SWIFT CSCFv2025 - The Three Most Important Questions About the Update

Users of the SWIFT network are required to demonstrate compliance with the mandatory security controls through an annual independent audit in accordance with the Customer Security Control Framework (CSCF). As part of this SWIFT Assessment, the security of an...

From Unicode to Exploit: The Security Risks of Overlong UTF-8 Encodings

From Unicode to Exploit: The Security Risks of Overlong UTF-8 Encodings

In the dynamic field of cybersecurity, it is often the obscure and long-forgotten vulnerabilities that pose a hidden threat to otherwise hardened systems. One such vulnerability lies in invalid character encodings that violate the UTF-8 standard. While overlong UTF-8...

Categories

Categories