[dokuwiki] Fwd: DokuWiki - Full path disclosure

  • From: Andreas Gohr <andi@xxxxxxxxxxxxxx>
  • To: DokuWiki Mailinglist <dokuwiki@xxxxxxxxxxxxx>
  • Date: Sun, 24 Jun 2012 11:48:26 +0200

Hi *,

I just got this report and wondering how to deal with it.The specified
problem can easily be fixed with a cast to string, but I guess we have
a bunch of other parameters as well that might cause warnings when
filled with a wrong parameter type...

Does anyone have a suggestion how to fix this at other places as well,
in a systematic manner? Would be grepping for _POST, _REQUEST, _GET to
build a list of all user inputs be a good idea? Then making sure each
of them can only contain the right type by going through the list?

Any better ideas?


---------- Forwarded message ----------
From: Felipe Pena <felipensp@xxxxxxxxx>
Date: Sun, Jun 24, 2012 at 12:34 AM
Subject: DokuWiki - Full path disclosure
To: andi@xxxxxxxxxxxxxx

Full path disclosure in DokuWiki

DokuWiki is a simple to use Wiki aimed at the documentation needs of a
small company. It works on plain text files and thus needs no
database. It has a simple but powerful syntax which makes sure the
datafiles remain readable outside the Wiki.

The POST input 'prefix' is not checked/casted for proper data type
before passing to PHP's substr() function, which lead to displays a
warning displays sensitive information:

  $PRE   = cleanText(substr($_POST['prefix'], 0, -1));

$ curl -dprefix[]=1 http://localhost/dokuwiki/doku.php 2> /dev/null |
grep Warning
<b>Warning</b>:  substr() expects parameter 1 to be string, array
given in <b>/var/www/dokuwiki/doku.php</b> on line <b>47</b><br />
<b>Warning</b>:  Cannot modify header information - headers already
sent by (output started at /var/www/dokuwiki/doku.php:47) in
<b>/var/www/dokuwiki/inc/actions.php</b> on line <b>180</b><br />

Affected versions:
- Angua (RC1)
- Rincewind
- Anteater

This vulnerability was discovered by Felipe Pena.
Twitter: @felipensp

Felipe Pena

DokuWiki mailing list - more info at

Other related posts: