create new tag
, view all tags
What is TWiki?
A leading open source enterprise wiki and web application platform used by 50,000 small businesses, many Fortune 500 companies, and millions of people.
MOVED TO... Learn more.

Security Alert CVE-2014-9367: XSS Vulnerability with Scope and Other URL Parameters of WebSearch

ALERT! Get Alerted: To get immediate alerts of high priority security issues, please join the low-volume twiki-announce list - details at TWikiAnnounceMailingList

This advisory alerts you of two potential security issues with your TWiki installation: A specially crafted URL parameter to the WebSearch topic may expose a cross-site scripting vulnerability. (See also related SecurityAlert-CVE-2014-9325.)

Vulnerable Software Version

Attack Vectors

Attack can be done by viewing wiki pages or by logging in by issuing HTTP GET requests towards the TWiki server (usually port 80/TCP).


Specially crafted parameters open up XSS (Cross-Site Scripting) attacks.

Severity Level

The TWiki SecurityTeam triaged this issue as documented in TWikiSecurityAlertProcess and assigned the following severity level:

  • Severity 3 issue: TWiki content or browser is compromised.

MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name CVE-2014-9367 to this vulnerability.


A malicious person can use specially crafted URL parameters to TWiki's WebSearch topic that execute arbitrary JavaScript code in the browser. Examples:

Specially crafted parameter to the view script of TWiki's WebSearch topic:

GET /do/view/TWiki/WebSearch?search=Search&scope='"--></style></script><script>alert('CVE-2014-9367 vulnarable!')</script>

TWiki decodes the URL parameters and pops up a JavaScript alert box showing "CVE-2014-9367 vulnarable!"


  • Apply hotfix (see patch below).
  • Use the web server software to restrict access to the web pages served by TWiki.

Hotfix for TWiki Production Release

No TWiki patch release will be done to address this issue. Instead, apply the patches below.

Patch lib/TWiki.pm

Affected file: twiki/lib/TWiki.pm

The patch removes the single quote (') from the regular expression set in sub urlEncode of TWiki.pm:

--- lib/TWiki.pm   (revision 28490)
+++ lib/TWiki.pm   (working copy)
@@ -3178,7 +3178,7 @@
 sub urlEncode {
     my $text = shift;
-    $text =~ s/([^0-9a-zA-Z-_.:~!*'\/])/'%'.sprintf('%02x',ord($1))/ge;
+    $text =~ s/([^0-9a-zA-Z-_.:~!*\/])/'%'.sprintf('%02x',ord($1))/ge;
     return $text;

Patch TWiki system topics

Affected topics:

To patch, copy the source of these topics, and do a "Raw Edit" on your topics to replace their content.


Verify Hotfix

To verify the patch add the following parameter to TWiki's WebSearch topic:

http://twiki.example.com/do/view/TWiki/WebSearch?search=Search&scope='"--></style></script><script>alert('CVE-2014-9367 vulnarable!')

The site is vulnerable if consecutive dialog boxes are shown with text "CVE-2014-9367 vulnerable!"

Authors and Credits

Action Plan with Timeline

External Links

-- Peter Thoeny - 2014-12-18


Edit | Attach | Watch | Print version | History: r4 < r3 < r2 < r1 | Backlinks | Raw View | Raw edit | More topic actions
Topic revision: r4 - 2014-12-19 - PeterThoeny
  • Learn about TWiki  
  • Download TWiki
This site is powered by the TWiki collaboration platform Powered by Perl Hosted by OICcam.com Ideas, requests, problems regarding TWiki? Send feedback. Ask community in the support forum.
Copyright © 1999-2018 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.