Hardened-PHP Project Security Advisory 2006-04.119

Posted Jun 11, 2006
Authored by Stefan Esser, Hardened-PHP Project | Site hardened-php.net

Hardened-PHP Project Security Advisory - DokuWiki comes with an AJAX spellchecking service that can be called by every visiting client without the need of authorization. Unfortunately, the spellchecking service used the /e modifier of preg_replace() to handle links that are embedded in the text to translate in an unsafe way, allowing for arbitrary code execution.

tags | advisory, arbitrary, php, code execution
SHA-256 | 36f2eef55480c038e6f244e40684af192918fc3124d276f94581c4096cc9cb92



Hardened-PHP Project
www.hardened-php.net

-= Security Advisory =-


Advisory: DokuWiki PHP code execution vulnerability in spellchecker
Release Date: 2006/06/05
Last Modified: 2006/06/05
Author: Stefan Esser [sesser@hardened-php.net]

Application: DokuWiki <= 2006/06/04
Severity: DokuWiki's spellchecker allows remote PHP code execution
Risk: Critical
Vendor Status: Vendor has released an updated version
References: http://www.hardened-php.net/advisory_042006.119.html


Overview:

Quote from http://www.dokuwiki.org/wiki:dokuwiki
"DokuWiki is a standards compliant, simple to use Wiki, mainly aimed
at creating documentation of any kind. It is targeted at developer
teams, workgroups and small companies. It has a simple but powerful
syntax which makes sure the datafiles remain readable outside the
Wiki and eases the creation of structured texts. All data is stored
in plain text files - no database is required."

During the evaluation of DokuWiki for a German/Korean wiki of mine,
a flaw in DokuWiki's spellchecker was discovered that allows
injecting arbitrary PHP commands by requesting a spellcheck on
PHP commands in 'complex curly syntax'.

Because the spellchecker is written as part of the AJAX functionality
of DokuWiki, it can be directly called by any website visitor,
without the need for a wiki account.


Details:

DokuWiki comes with an AJAX spellchecking service that can be
called by every visiting client without the need of authorization.

Unfortunately, the spellchecking service used the /e modifier of
preg_replace() in an unsafe way to handle links that are embedded
in the text submitted for checking.

// don't check links and medialinks for spelling errors
$string = preg_replace('/\{\{(.*?)(\|(.*?))?(\}\})/e',
'spaceslink("\\1","\\2")',$string);
$string = preg_replace('/\[\[(.*?)(\|(.*?))?(\]\])/e',
'spaceslink("\\1","\\2")',$string);

Therefore it is possible to request a spellcheck for a string like

[[{${phpinfo()}}]]

which will result in the evaluation of something like

spaceslink("{${phpinfo()}}",...);

This is PHP's 'complex curly syntax', which allows complex
expressions to be placed inside string definitions.

It should be obvious that this can be used to execute any kind of
PHP code as long as it does not include characters that are converted
to HTML entities beforehand. A possible statement that also takes
care of the magic_quotes_gpc setting would be

eval(base64_decode($_POST[1]))

The vulnerability has now been fixed, following our recommendation,
by replacing the use of the unsafe /e modifier with a call to the
better-suited preg_replace_callback() function.
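The recommended fix in working form, as an added example that is not DokuWiki's own code: spaceslink_safe() is a hypothetical stand-in for DokuWiki's spaceslink(), and the snippet assumes PHP 7.4 or later.

```php
<?php
// Added example (not DokuWiki's code): the spellchecker's link masking
// rewritten with preg_replace_callback(), as the advisory recommends.
// With /e, the replacement string is eval()'d after the back-references
// are substituted, so link text containing PHP's complex curly syntax
// ("{${...}}") is executed. With a callback, the captured text arrives
// as an ordinary string argument and is never parsed as code.

// Hypothetical stand-in for DokuWiki's spaceslink(): blank out the whole
// link (link + "|title" + the four bracket characters) with spaces so the
// spellchecker skips it while character offsets in the text are preserved.
function spaceslink_safe(string $link, string $title = ''): string
{
    return str_repeat(' ', strlen($link) + strlen($title) + 4);
}

// Masks [[link|title]] and {{media|title}} without the /e modifier.
function mask_links(string $string): string
{
    $patterns = [
        '/\{\{(.*?)(\|(.*?))?(\}\})/',
        '/\[\[(.*?)(\|(.*?))?(\]\])/',
    ];
    foreach ($patterns as $pattern) {
        $string = preg_replace_callback(
            $pattern,
            // $m[1] is the link, $m[2] the "|title" part (unset if absent)
            fn(array $m): string => spaceslink_safe($m[1], $m[2] ?? ''),
            $string
        );
    }
    return $string;
}

// Constructed input: the string from the advisory plus a media link.
// The callback receives the literal text "{${phpinfo()}}"; nothing is
// evaluated, and the output no longer contains it at all.
$input = 'Check [[{${phpinfo()}}]] and {{img.png|Logo}} please';
$out   = mask_links($input);
var_dump(strpos($out, 'phpinfo') === false);
var_dump(strlen($out) === strlen($input));
```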

Taking into account that exploiting this vulnerability is very
simple, and considering the number of DokuWiki installations,
it is very likely that a future worm will make use of this
vulnerability.


Proof of Concept:

The Hardened-PHP Project is not going to release exploits for
this vulnerability to the public.


Disclosure Timeline:

04. June 2006 - Contacted DokuWiki developer by email
04. June 2006 - Vendor released DokuWiki update
05. June 2006 - Public Disclosure


Recommendation:

It is strongly recommended to upgrade to the newest version of
DokuWiki which you can download at:

http://www.splitbrain.org/projects/dokuwiki

Note: although the tarball is still labeled 2006-03-09, it now
contains the hotfix for this vulnerability.


GPG-Key:

http://www.hardened-php.net/hardened-php-signature-key.asc

pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1


Copyright 2006 Stefan Esser. All rights reserved.

