[dokuwiki] SECURITY WARNING (was: Strange attack on the wiki)
- From: Andreas Gohr <andi@xxxxxxxxxxxxxx>
- To: dokuwiki@xxxxxxxxxxxxx
- Date: Fri, 08 Sep 2006 09:36:25 +0200
Shit.
Okay we have a serious problem here. I just issued a warning on the
freshmeat announcement list. Everybody secure the bin directory as fast as
possible! Or just delete it if not needed.
Protecting the bin directory is a solution for the two existing exploits.
But I need help to evaluate some possible other risks mentioned in the text
below.
Julian Monteiro wrote:
> http://www.milw0rm.com/exploits/2321
> Ooops, I think this one is it:
> /* software site: http://wiki.splitbrain.org/wiki:dokuwiki
> there are some shell scripts in /bin folder and there is no .htaccess to
> protect it: most dangerous one is dwpage.php, if register_argc_argv = On
> it allows to copy/move files among folders because of $TARGET_FN var
> directory traversal,
okay this can be fixed with a .htaccess for now.
> also you can inject a shell by main doku.php script
> sending a malicious X-FORWARDED-FOR http header
X-FORWARDED-FOR is used in inc/common.php to determine the IP of a user. The
function used changed drastically between the dokuwiki-2006-03-09 release
and the current devel. However I fail to see how an injection could be done
by faking this header. There may be the possibility of a JavaScript
injection if the value is printed unescaped somewhere but "inject a shell"
should be possible or is it?
> (but you could do the same
> uploading some file in /data/media folder through /lib/exe/media.php...,
> I chose the first solution)
This I do not understand at all. lib/exe/media.php when called via a
webserver will do all the usual checks for authentication and filetypes. Does
anyone see a problem here?
> also, I noticed, you can disclose php configuration by
> setting an http header like this calling the main doku.php
> script:
> X-DOKUWIKI-DO: debug
well, if debugging is enabled he could also use ?do=debug - no difference.
So that's not a problem.
Andi
--
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist
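The $TARGET_FN traversal discussed above is the kind of defect a path-confinement check prevents. The following is an added example, not DokuWiki's own code: it resolves a caller-supplied page-file name against the pages directory and refuses anything that would land outside it, so a copy/move can never reach conf/ or the webroot. The function name, the base directory and the sample inputs are assumptions made for this illustration.

```php
<?php
// Added example (not DokuWiki code): confine a user-supplied target file
// name to a base directory before any copy/move touches the filesystem.
// Returns the canonical absolute path, or null if the target must be rejected.
function confine_target(string $base, string $target): ?string
{
    $real_base = realpath($base);
    if ($real_base === false) {
        return null;                      // base directory must exist
    }
    // NUL bytes truncate C-level paths and backslashes defeat naive checks.
    if (strpbrk($target, "\0\\") !== false) {
        return null;
    }
    $candidate = $real_base . DIRECTORY_SEPARATOR . $target;
    $name = basename($candidate);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;                      // no directory names as a file target
    }
    // A move destination may not exist yet, so resolve the parent directory
    // (which must exist) and re-append the final component.
    $parent = realpath(dirname($candidate));
    if ($parent === false) {
        return null;
    }
    $resolved = $parent . DIRECTORY_SEPARATOR . $name;
    $prefix = $real_base . DIRECTORY_SEPARATOR;
    if (strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        return null;                      // escaped the pages directory
    }
    return $resolved;
}

// Constructed demo: a scratch "pages" directory with one namespace inside it.
$pages = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'confine_demo_pages';
@mkdir($pages . DIRECTORY_SEPARATOR . 'wiki', 0700, true);

$inputs = [
    'wiki/syntax.txt',          // legitimate page file: accepted
    '../../conf/local.php',     // classic traversal: rejected
    'wiki/../../start.txt',     // traversal hidden behind a valid prefix: rejected
    "wiki/syntax.txt\0.php",    // NUL-byte trick: rejected
];
foreach ($inputs as $t) {
    $r = confine_target($pages, $t);
    printf("%-28s -> %s\n", addcslashes($t, "\0"), $r === null ? 'REJECTED' : $r);
}
```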