Joined: 12 May 2004
|Posted: Sat Aug 22, 2009 8:26 am Post subject: [ GLSA 200908-09 ] DokuWiki: Local file inclusion
|Gentoo Linux Security Advisory
Title: DokuWiki: Local file inclusion (GLSA 200908-09)
Date: August 18, 2009
Updated: August 19, 2009
An input sanitation error in DokuWiki might lead to the dislosure of local
files or even the remote execution of arbitrary code.
DokuWiki is a standards compliant Wiki system written in PHP.
Vulnerable: < 20090214b
Unaffected: >= 20090214b
Architectures: All supported architectures
girex reported that data from the "config_cascade" parameter in
inc/init.php is not properly sanitized before being used.
A remote attacker could exploit this vulnerability to execute PHP code
from arbitrary local, or, when the used PHP version supports ftp://
URLs, also from remote files via FTP. Furthermore, it is possible to
disclose the contents of local files. NOTE: Successful exploitation
requires the PHP option "register_globals" to be enabled.
Disable "register_globals" in php.ini.
All DokuWiki users should upgrade to the latest version:
|# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/dokuwiki-2009-02-14b"
Last edited by GLSA on Sun Nov 22, 2009 4:29 am; edited 2 times in total