burt wrote:
So as to understand, to reiterate the quick fix,
These two exploits are serious attacks on dokuwiki:
http://www.milw0rm.com/exploits/2321
http://www.milw0rm.com/exploits/2322
The longer attack, 2311 operates:
(1) Use X-FORWARD-FOR: _inject_string_ during a do=edit post to create a lock file with _string_ in the lock file.
(2) Use GET bin/dwpage.php?_another_diabolical_string to move the lock file, giving it a php extension
This seems to take two steps, "commit" and "checkout"
(3) GET using the CLIENT-IP: _command_to_run_ to run the _inject_string_ with argument _command_to_run_
I really do expect myself to understand this completely, but I hope this is the basic idea.
*And the outcome is*
in the short term, prevent the running of bin/dwpage.php by creating bin/.htaccess containing the two lines:
Order deny,allow
Deny from all
The web server does not need to be restarted, I believe.
However, this doesn't entirely neutralize the attack, it just stops one implementation of it ...
Correct?
Not entirely.
Cheers,
Chris