GLSA
Advocate
Joined: 12 May 2004
Posts: 2663
|
 Posted: Sat Aug 22, 2009 8:26 am Post subject: [ GLSA 200908-09 ] DokuWiki: Local file inclusion |
 |
|
Gentoo Linux Security Advisory
Title: DokuWiki: Local file inclusion (GLSA 200908-09)
Severity: high
Exploitable: remote
Date: August 18, 2009
Updated: August 19, 2009
Bug(s): #272431
ID: 200908-09
Synopsis
An input sanitation error in DokuWiki might lead to the dislosure of local
files or even the remote execution of arbitrary code.
Background
DokuWiki is a standards compliant Wiki system written in PHP.
Affected Packages
Package: www-apps/dokuwiki
Vulnerable: < 20090214b
Unaffected: >= 20090214b
Architectures: All supported architectures
Description
girex reported that data from the "config_cascade" parameter in
inc/init.php is not properly sanitized before being used.
Impact
A remote attacker could exploit this vulnerability to execute PHP code
from arbitrary local, or, when the used PHP version supports ftp://
URLs, also from remote files via FTP. Furthermore, it is possible to
disclose the contents of local files. NOTE: Successful exploitation
requires the PHP option "register_globals" to be enabled.
Workaround
Disable "register_globals" in php.ini.
Resolution
All DokuWiki users should upgrade to the latest version:
| Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/dokuwiki-2009-02-14b" |
References
CVE-2009-1960
Last edited by GLSA on Sun Nov 22, 2009 4:29 am; edited 2 times in total |
|
News & Announcements
