[dokuwiki] SECURITY WARNING (was: Strange attack on the wiki)

  • From: Andreas Gohr <andi@xxxxxxxxxxxxxx>
  • To: dokuwiki@xxxxxxxxxxxxx
  • Date: Fri, 08 Sep 2006 09:36:25 +0200
Shit.

Okay, we have a serious problem here. I just issued a warning on the freshmeat announcement list. Everybody secure the bin directory as fast as possible! Or just delete it if not needed.

Protecting the bin directory is a solution for the two existing exploits. But I need help to evaluate some possible other risks mentioned in the text below.


Julian Monteiro wrote:
http://www.milw0rm.com/exploits/2321
Ooops, I think this one is it:

/* software site: http://wiki.splitbrain.org/wiki:dokuwiki

   there are some shell scripts in /bin folder and there is no .htaccess to
   protect it: most dangerous one is dwpage.php, if register_argc_argv = On
   it allows to copy/move files among folders because of $TARGET_FN var
   directory traversal,

Okay, this can be fixed with a .htaccess for now.

   also you can inject a shell by main doku.php script
   sending a malicious X-FORWARDED-FOR http header

X-FORWARDED-FOR is used in inc/common.php to determine the IP of a user. The function used changed drastically between the dokuwiki-2006-03-09 release and the current devel. However, I fail to see how an injection could be done by faking this header. There may be the possibility of a JavaScript injection if the value is printed unescaped somewhere, but "inject a shell" should be possible, or is it?


   (but you could do the same
   uploading some file in /data/media folder through /lib/exe/media.php...,
   I chose the first solution)

This I do not understand at all. lib/exe/media.php, when called via a webserver, will do all the usual checks for authentication and filetypes. Does anyone see a problem here?


   also, I noticed, you can disclose php configuration by
   setting an http header like this calling the main doku.php
   script:

   X-DOKUWIKI-DO: debug

Well, if debugging is enabled he could also use ?do=debug, no difference. So that's not a problem.


Andi
--
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist
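The "secure the bin directory" advice above, written out as an added example (this is not a file from the DokuWiki distribution or from the mail): an Apache bin/.htaccess that refuses every web request to the directory. It assumes the wiki is served by Apache and that the directory's AllowOverride setting permits these directives (Limit for the 2.2 syntax, AuthConfig for the 2.4 syntax); other webservers ignore .htaccess files entirely and need their own rule, and deleting bin/ as the mail suggests is the simpler fix if the command-line scripts are not used.

```apache
# Added example: drop-in bin/.htaccess, not shipped by DokuWiki in the
# release discussed on the list.

# Apache 2.2 (mod_authz_core does not exist yet)
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>

# Apache 2.4 (authorization moved to mod_authz_core)
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
```

Check it after deploying: a request for /bin/dwpage.php must come back with a 403 instead of running the script. If it still runs, AllowOverride is too restrictive for .htaccess to take effect and the same directives belong in a Directory block of the main server configuration instead.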
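On the X-FORWARDED-FOR question: whatever the header is later used for (logging, ACL matching, or a template that prints it), the safe pattern is to never let raw header bytes become the "client IP" at all. The following is an added example, not inc/common.php and not any code from the mail; it targets current PHP rather than the 2006 code base, and the proxy address, header value and function names are constructed for illustration. It puts a naive lookup beside a hardened one that validates every entry and honours the header only when the direct peer is a configured proxy.

```php
<?php
// Added example (not DokuWiki's own code): naive vs. hardened client IP lookup.

// Naive version: returns whatever the client put in the header, verbatim.
function naive_client_ip(array $server): string {
    return $server['HTTP_X_FORWARDED_FOR'] ?? $server['REMOTE_ADDR'] ?? '';
}

// Keep only syntactically valid IPv4/IPv6 entries from a comma-separated
// X-Forwarded-For chain; everything else (tags, shell text, junk) is dropped.
function parse_forwarded_for(string $xff): array {
    $ips = [];
    foreach (explode(',', $xff) as $entry) {
        $entry = trim($entry);
        if ($entry !== '' && filter_var($entry, FILTER_VALIDATE_IP) !== false) {
            $ips[] = $entry;
        }
    }
    return $ips;
}

// Hardened version. The header is only trusted when REMOTE_ADDR is one of
// the proxies we know about; otherwise the TCP peer address wins.
function client_ip(array $server, array $trusted_proxies = []): string {
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return '0.0.0.0';   // should not happen behind a sane webserver
    }
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '' || !in_array($remote, $trusted_proxies, true)) {
        return $remote;
    }
    $chain = parse_forwarded_for($xff);
    // First valid entry is the originating client as reported by our proxy.
    return $chain[0] ?? $remote;
}

// Constructed request: a payload in the header, a real address after it.
$constructed = [
    'REMOTE_ADDR'          => '10.0.0.2',
    'HTTP_X_FORWARDED_FOR' => '<script>alert(1)</script>, 203.0.113.5',
];

echo naive_client_ip($constructed), "\n";            // header echoed verbatim
echo client_ip($constructed, ['10.0.0.2']), "\n";    // proxy trusted
echo client_ip($constructed, []), "\n";              // proxy not trusted
```

With the constructed input the naive function hands back the whole header including the script tag, the hardened one returns 203.0.113.5 when 10.0.0.2 is a trusted proxy and 10.0.0.2 when it is not. Output escaping is still required wherever an address is printed, but with validation in place the value can only ever be an IP address.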