[dokuwiki] SECURITY WARNING (was: Strange attack on the wiki)

  • From: Andreas Gohr <andi@xxxxxxxxxxxxxx>
  • To: dokuwiki@xxxxxxxxxxxxx
  • Date: Fri, 08 Sep 2006 09:36:25 +0200

Shit.

Okay, we have a serious problem here. I just issued a warning on the freshmeat announcement list. Everybody secure the bin directory as fast as possible! Or just delete it if not needed.

Protecting the bin directory is a solution for the two existing exploits. But I need help to evaluate some possible other risks mentioned in the text below.


Julian Monteiro wrote:
http://www.milw0rm.com/exploits/2321
Ooops, I think this one is it:

/* software site: http://wiki.splitbrain.org/wiki:dokuwiki

   there are some shell scripts in /bin folder and there is no .htaccess to
   protect it: most dangerous one is dwpage.php, if register_argc_argv = On
   it allows to copy/move files among folders because of $TARGET_FN var
   directory traversal,

okay this can be fixed with a .htaccess for now.

   also you can inject a shell by main doku.php script
   sending a malicious X-FORWARDED-FOR http header

X-FORWARDED-FOR is used in inc/common.php to determine the IP of a user. The function used changed drastically between the dokuwiki-2006-03-09 release and the current devel. However, I fail to see how an injection could be done by faking this header. There may be the possibility of a JavaScript injection if the value is printed unescaped somewhere, but "inject a shell" should be possible, or is it?


   (but you could do the same
   uploading some file in /data/media folder through /lib/exe/media.php...,
   I chose the first solution)

This I do not understand at all. lib/exe/media.php, when called via a webserver, will do all the usual checks for authentication and filetypes. Does anyone see a problem here?


   also, I noticed, you can disclose php configuration by
   setting an http header like this calling the main doku.php
   script:

X-DOKUWIKI-DO: debug

Well, if debugging is enabled he could also use ?do=debug - no difference. So that's not a problem.


Andi
--
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist
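The mail asks admins to secure or delete the bin directory, and the quoted advisory ties the dwpage.php traversal to register_argc_argv being On. The script below is an added example (not DokuWiki's own code and not part of the original thread) that audits a local install for exactly those two conditions and applies the .htaccess fix the mail proposes. It assumes Apache with AllowOverride enabled so that .htaccess in bin/ is honored, takes the php.ini contents as text, and builds a throwaway sample tree (constructed data, not a real install) to run against offline. The php.ini fragment and directory layout are constructed for the example.

```python
"""Audit a DokuWiki-style install tree for an exposed bin/ directory.

Added example for the thread's advice; assumptions: Apache honors
.htaccess (AllowOverride), php.ini is supplied as text, and the
sample tree below is constructed for demonstration.
"""
import re
import tempfile
from pathlib import Path

# Apache access-control forms that close a directory to web clients:
# "Deny from all" (Apache 2.2, mod_authz_host) and "Require all denied" (2.4).
DENY_RULES = ("deny from all", "require all denied")

# Apache 2.2 syntax, current when this thread was written. On Apache 2.4
# without mod_access_compat use "Require all denied" instead.
BIN_HTACCESS = "Order deny,allow\nDeny from all\n"


def bin_is_protected(root):
    """True if <root>/bin is absent (deleted, as the mail suggests) or its
    .htaccess contains an active deny rule; commented-out rules do not count."""
    bin_dir = Path(root) / "bin"
    if not bin_dir.is_dir():
        return True
    htaccess = bin_dir / ".htaccess"
    if not htaccess.is_file():
        return False
    active = [ln.strip().lower() for ln in htaccess.read_text().splitlines()
              if ln.strip() and not ln.lstrip().startswith("#")]
    return any(rule in ln for ln in active for rule in DENY_RULES)


def protect_bin(root):
    """Write a denying .htaccess into <root>/bin (no-op if bin/ is absent)."""
    bin_dir = Path(root) / "bin"
    if bin_dir.is_dir():
        (bin_dir / ".htaccess").write_text(BIN_HTACCESS)


def register_argc_argv_on(php_ini_text):
    """True if register_argc_argv is enabled by this php.ini text.

    PHP's compiled-in default for the directive is On; php.ini-recommended
    sets it Off, so a php.ini that never mentions it leaves it On.
    """
    for line in php_ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop php.ini comments
        m = re.match(r"register_argc_argv\s*=\s*(\S*)", line, re.I)
        if m:
            return m.group(1).strip("\"'").lower() in ("1", "on", "true", "yes")
    return True


def audit(root, php_ini_text):
    """Combine both checks the way the advisory frames the risk: dwpage.php is
    reachable over the web only if bin/ is exposed AND argv registration is on."""
    exposed = not bin_is_protected(root)
    argv_on = register_argc_argv_on(php_ini_text)
    return {"bin_exposed": exposed, "register_argc_argv": argv_on,
            "dwpage_reachable": exposed and argv_on}


def build_sample_install(base):
    """Construct a minimal DokuWiki-like tree (sample layout, not a real install)."""
    root = Path(base) / "dokuwiki"
    (root / "bin").mkdir(parents=True)
    (root / "bin" / "dwpage.php").write_text("<?php // placeholder\n")
    (root / "data" / "pages").mkdir(parents=True)
    return root


# Constructed php.ini fragment mirroring the setting the advisory depends on.
SAMPLE_PHP_INI = "; constructed sample\nregister_argc_argv = On\n"


def demo():
    """Build the sample tree, audit it, apply the fix, audit again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_install(tmp)
        before = audit(root, SAMPLE_PHP_INI)
        protect_bin(root)
        after = audit(root, SAMPLE_PHP_INI)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before fix:", before)
    print("after fix: ", after)
```

Run it against a real install by calling audit() with the wiki root and the server's php.ini contents; a result with dwpage_reachable True is the condition the mail is warning about, and protect_bin() or deleting bin/ outright clears it. The .htaccess only helps where Apache reads it, so on a host with AllowOverride None put the equivalent Deny in the vhost configuration instead.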
