[dokuwiki] Re: SECURITY WARNING
- From: Andreas Gohr <andi@xxxxxxxxxxxxxx>
- To: dokuwiki@xxxxxxxxxxxxx
- Date: Fri, 08 Sep 2006 14:04:58 +0200
Chris Smith writes:
> Andreas Gohr wrote:
>> X-FORWARDED-FOR is used in inc/common.php to determine the IP of a
>> user. The used function changed drastically between the
>> dokuwiki-2006-03-09 release and the current devel. However I fail to
>> see how an injection could be done by faking this header. There may be
>> the possibility of a JavaScript injection if the value is printed
>> unescaped somewhere but "inject a shell" should be possible or is it?
> This one had me stumped. He seems to be showing different possibilities
> in this exploit (2321).
> It's easy enough to get a valid PHP script into a dokuwiki page. We
> don't protect against that at all; simply edit a page and enter valid
> PHP into that page. Is that bad? They are, after all, files with a
> .txt extension.
> The nastiness is being able to copy that dokuwiki page anywhere on the
> server, where if it's given an appropriate extension it can be run by the
> webserver. It's the last two parts of the exploit code which do that.
> They don't need the first two parts to operate.
> However, for all that, the cleaning done by cleanIP is weak: as long as
> there is a valid IP address somewhere within the X-FORWARDED-FOR value
> it'll accept it and write it out unchanged to the lock file, making the
> lock file a valid PHP script. I don't see how there is any ability to
> execute that script in place. Hence it needs to be copied elsewhere,
> meaning the dwpage.php portion is the real vulnerability (as I mentioned
> earlier, there are easier ways to place a valid PHP script into a file in
> the wiki than using this exploit).
> Anyway, cleanIP can be improved by using the IP address match, rather
> than using the entire header content when it finds an IP address
> somewhere within that content.
Okay, thanks for your help in analysing this. If I understand you right, the
X-FORWARDED-FOR could be used to insert PHP code into the lock file,
which isn't exploitable by itself. Only moving this file to a filename
with a .php extension by using dwpage.php would make it exploitable, right?
But an attacker could insert PHP in a wiki page as well and then move this
file through the dwpage.php file.
So to sum it up, the vulnerability is in dwpage.php, but cleaning the IP is a
good idea anyway (it's already done in the current devel I think).
Andi
--
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist
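The cleanIP point Chris raises above (accepting the whole header as soon as an IP appears somewhere in it, versus keeping only the matched address) is illustrated below. This is an added example written for this archive page, not DokuWiki's own inc/common.php code; the function names cleanIPWeak and cleanIPStrict, the shape of the weak check, and the sample header are all constructed assumptions.

```php
<?php
// Added illustration, not DokuWiki's cleanIP(). It contrasts a cleaner that
// returns the untouched header once any IP-looking token is present with one
// that returns only the validated address it matched.

// Weak form (assumed shape of the behaviour discussed on the list): the
// regex only confirms that an IP appears somewhere, then the entire header,
// including whatever surrounds the address, is passed through to the caller.
function cleanIPWeak(string $header): string
{
    if (preg_match('/\d{1,3}(\.\d{1,3}){3}/', $header)) {
        return $header;
    }
    return '0.0.0.0';
}

// Strict form: extract every IPv4-shaped token, validate each one with
// filter_var(), and return the first real address. Nothing else from the
// header can reach the lock file, so it can never carry anything but an IP.
function cleanIPStrict(string $header): string
{
    if (preg_match_all('/\b(?:\d{1,3}\.){3}\d{1,3}\b/', $header, $m)) {
        foreach ($m[0] as $candidate) {
            if (filter_var($candidate, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
                return $candidate;
            }
        }
    }
    return '0.0.0.0';   // no usable address: fall back to a harmless default
}

// Constructed sample header: a real-looking address surrounded by junk, the
// way a forged X-Forwarded-For value would arrive from an untrusted client.
$header = "<junk before> 203.0.113.5, 999.1.1.1, more junk";

printf("weak:   %s\n", cleanIPWeak($header));
printf("strict: %s\n", cleanIPStrict($header));
```

The weak cleaner echoes the full header, junk included, while the strict one yields just the validated 203.0.113.5 (999.1.1.1 matches the regex but fails filter_var). Independently of the cleaning, X-Forwarded-For is set by whoever sends the request, so a value from it should only be preferred over REMOTE_ADDR when the request is known to come through a trusted proxy.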