CVE-2014-1216
Description
FitNesse Wiki versions up to 20140201 allow command injection via pageContent parameter, enabling remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FitNesse Wiki versions up to 20140201 allow command injection via pageContent parameter, enabling remote code execution.
Vulnerability
FitNesse Wiki versions 20131110, 20140201, and earlier are vulnerable to command injection. An attacker can embed arbitrary commands by setting the COMMAND_PATTERN and TEST_RUNNER parameters within the pageContent parameter when editing a page. This issue is classified as CWE-77: Improper Neutralization of Special Elements used in a Command [1].
Exploitation
An attacker with network access to the FitNesse Wiki interface can craft a malicious request to edit a page, inserting special values for COMMAND_PATTERN and TEST_RUNNER. The Metasploit module (exploit-db 32568) demonstrates exploitation against Windows targets, but the vulnerability is platform-agnostic. No authentication is required if the wiki allows anonymous page editing; otherwise, a valid account with edit permissions is needed. Steps: 1) Access the edit form for a page, 2) Set COMMAND_PATTERN to a command prefix (e.g., cmd /c), 3) Set TEST_RUNNER to the command to execute, 4) Save or trigger the page to cause execution [2].
Impact
Successful exploitation allows remote code execution with the privileges of the FitNesse server process. This leads to complete compromise of the confidentiality, integrity, and availability of the server and potentially the underlying system. The attacker could execute arbitrary system commands, install malware, or exfiltrate data [1][2].
Mitigation
As of the available references, no official patch has been released. FitNesse Wiki is reportedly in maintenance mode or discontinued. Users should consider migrating to an alternative wiki platform. Until then, restrict network access to the wiki interface and ensure only trusted users have edit permissions. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.fitnesse:fitnesseMaven | >= 20131110, < 20140418 | 20140418 |
Affected products
3cpe:2.3:a:fitnesse:fitnesse_wiki:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:fitnesse:fitnesse_wiki:*:*:*:*:*:*:*:*range: <=20140201
- cpe:2.3:a:fitnesse:fitnesse_wiki:20131110:*:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Improper neutralization of special elements in the pageContent parameter allows an attacker to define COMMAND_PATTERN and TEST_RUNNER variables, leading to command injection."
Attack vector
An unauthenticated attacker sends a GET request to a Wiki page with the `?edit` parameter to retrieve an edit form containing `editTime` and `ticketId` values [ref_id=1]. The attacker then sends a POST request to the same page with the `save` parameter and a crafted `pageContent` parameter that sets `COMMAND_PATTERN` and `TEST_RUNNER` to inject arbitrary operating system commands [ref_id=1]. When FitNesse subsequently runs a test using the modified page content, the injected command is executed on the server [CWE-77].
Affected code
The vulnerability exists in the page editing functionality of FitNesse Wiki versions 20140201, 20131110, and earlier. The `pageContent` parameter, submitted when editing a Wiki page, is not sanitized and allows an attacker to define `COMMAND_PATTERN` and `TEST_RUNNER` variables that control how FitNesse executes system commands [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory and exploit references indicate that FitNesse Wiki versions 20140201 and earlier are affected, but no fixed version or commit is provided [ref_id=1]. Remediation would require sanitizing or restricting the `COMMAND_PATTERN` and `TEST_RUNNER` variables in the `pageContent` parameter to prevent injection of arbitrary commands [CWE-77].
Preconditions
- configTarget must be running FitNesse Wiki version 20140201, 20131110, or earlier
- networkAttacker must be able to reach the FitNesse web interface over HTTP
- authNo authentication is required; the edit functionality is accessible without credentials
- inputAttacker must supply a crafted pageContent parameter containing COMMAND_PATTERN and TEST_RUNNER definitions
Reproduction
1. Send a GET request to a new Wiki page (e.g., `/TestP<random>?edit`) to retrieve the edit form and extract the `editTime` and `ticketId` values from the response [ref_id=1]. 2. Send a POST request to the same page with parameters: `save=Save`, `editTime=<extracted_value>`, `ticketId=<extracted_value>`, and `pageContent` containing `!define COMMAND_PATTERN {<malicious_command>}` and `!define TEST_RUNNER {<malicious_command>}` [ref_id=1]. 3. The injected command executes when FitNesse processes the page content [CWE-77].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5News mentions
0No linked articles in our index yet.