[dokuwiki] Re: attempt to use possible vulnerability of dokuwiki
- From: Jonathan Dill <jonathan@xxxxxxxxx>
- To: dokuwiki@xxxxxxxxxxxxx
- Date: Wed, 06 Feb 2008 15:15:23 -0500
Hmm, I think the idea is to eventually take advantage of php url fopen
to use your server to arbitrarily execute PHP code or serve up malware.
If it works, they could post a URL like the ones from your logs on yet
another website, somebody clicks on that link, and your site executes
the remote PHP from yet another site, possibly malware. The potential
problem is not really dokuwiki per se but the underlying PHP and web
server configuration and whether or not that is up to date and secure.
Even if your server is OK, if you allow comments or posting to your
wiki, someone could post one of these URLs that points to another server.
For WordPress, someone has come up with a "fix" using .htaccess to block
posting of URLs.
http://news.go41.de/events/md5-just_a_test-htaccess-solution/
I think it would be safer to disable support for url fopen in PHP if
possible.
Jonathan
--
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist
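An added illustration (not part of this thread or of DokuWiki's own code) of the risk described above: how an unvalidated include becomes remote code execution when PHP's URL wrappers are enabled, a check of the two relevant ini settings, and an allowlist-based alternative. The page names and base directory are assumed.

```php
<?php
// Added example, not from the mailing list. Reports the PHP settings the
// thread is about. allow_url_fopen lets file functions open http:// URLs;
// since PHP 5.2, include/require of a URL additionally needs
// allow_url_include, which is off by default.
function remote_url_settings(): array
{
    return [
        'allow_url_fopen'   => (bool) ini_get('allow_url_fopen'),
        'allow_url_include' => (bool) ini_get('allow_url_include'),
    ];
}

// The risky pattern: a request value is used directly as the include target.
// With both settings on, a value like "http://other-site/x.txt" is fetched
// and executed as PHP on this server. Kept here only for contrast.
function risky_page_load(string $page): void
{
    include $page; // do not use: $page is attacker-controlled
}

// Hardened version: the request value is only a key into a fixed map of
// local files, so neither a URL nor an arbitrary path can reach include().
function safe_page_load(string $page, string $baseDir): bool
{
    $allowed = ['home' => 'home.php', 'about' => 'about.php']; // assumed names
    if (!array_key_exists($page, $allowed)) {
        return false;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $allowed[$page]);
    // Defense in depth: confirm the resolved file still lies under $baseDir.
    if ($base === false || $path === false || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    include $path;
    return true;
}

// Usage: print the settings so an admin can see whether the risk applies.
foreach (remote_url_settings() as $name => $on) {
    printf("%s = %s\n", $name, $on ? 'On' : 'Off');
}
```

If either setting reports On and the application does not need remote wrappers, set `allow_url_fopen = Off` and `allow_url_include = Off` in php.ini, as the message recommends.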