-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                        Hardened-PHP Project
                        www.hardened-php.net

                      -= Security Advisory =-

     Advisory: DokuWiki PHP code execution vulnerability in spellchecker
 Release Date: 2006/06/05
Last Modified: 2006/06/05
       Author: Stefan Esser [sesser@hardened-php.net]

  Application: DokuWiki <= 2006/06/04
     Severity: DokuWiki's spellchecker allows remote PHP code execution
         Risk: Critical
Vendor Status: Vendor has released an updated version
   References: http://www.hardened-php.net/advisory_042006.119.html

Overview:

   Quote from http://www.dokuwiki.org/wiki:dokuwiki

   "DokuWiki is a standards compliant, simple to use Wiki, mainly aimed
   at creating documentation of any kind. It is targeted at developer
   teams, workgroups and small companies. It has a simple but powerful
   syntax which makes sure the datafiles remain readable outside the
   Wiki and eases the creation of structured texts. All data is stored
   in plain text files - no database is required."

   During the evaluation of DokuWiki for a German/Korean wiki of mine, a
   flaw in DokuWiki's spellchecker was discovered that allows injecting
   arbitrary PHP commands by requesting a spellcheck on PHP commands in
   'complex curly syntax'. Because the spellchecker is written as part of
   the AJAX functionality of DokuWiki, it can be directly called by any
   website visitor, without the need for a wiki account.

Details:

   DokuWiki comes with an AJAX spellchecking service that can be called
   by every visiting client without the need for authorization.
   Unfortunately, the spellchecking service used the /e modifier of
   preg_replace() in an unsafe way to handle links that are embedded in
   the text to be spellchecked:
      // don't check links and medialinks for spelling errors
      $string = preg_replace('/\{\{(.*?)(\|(.*?))?(\}\})/e', 'spaceslink("\\1","\\2")',$string);
      $string = preg_replace('/\[\[(.*?)(\|(.*?))?(\]\])/e', 'spaceslink("\\1","\\2")',$string);

   Therefore it is possible to request a spellcheck for a string like

      [[{${phpinfo()}}]]

   which will result in the evaluation of something like

      spaceslink("{${phpinfo()}}",...);

   This is PHP's 'complex curly syntax', which allows complex expressions
   to be placed inside string definitions. It should be obvious that this
   can be used to execute any kind of PHP code, as long as it does not
   include characters that are converted to HTML entities beforehand. A
   possible statement that also takes care of the magic_quotes_gpc
   setting would be

      eval(base64_decode($_POST[1]))

   The vulnerability is now fixed, following our recommendation, by
   replacing the use of the unsafe /e modifier with a call to the better
   suited preg_replace_callback() function.

   Taking into account that exploiting this vulnerability is very simple,
   and considering the number of DokuWiki installations, it is very
   likely that a future worm will make use of this vulnerability.

Proof of Concept:

   The Hardened-PHP Project is not going to release exploits for this
   vulnerability to the public.

Disclosure Timeline:

   04. June 2006 - Contacted DokuWiki developer by email
   04. June 2006 - Vendor released DokuWiki update
   05. June 2006 - Public Disclosure

Recommendation:

   It is strongly recommended to upgrade to the newest version of
   DokuWiki, which you can download at:

      http://www.splitbrain.org/projects/dokuwiki

   Note: although the tarball is still labeled 2006-03-09, it meanwhile
   contains the hotfix for this vulnerability.

GPG-Key:

   http://www.hardened-php.net/hardened-php-signature-key.asc

   pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1

Copyright 2006 Stefan Esser. All rights reserved.
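Added example (editor's code, not part of the original advisory and not DokuWiki's or Hardened-PHP's own): the two preg_replace()/e calls quoted in the Details section beside the preg_replace_callback() form the advisory says the vendor adopted, with a canary function that records whether text from the spellcheck request was executed as PHP. The spaceslink() body, the spaceslink_cb() callback name and the canary() function are assumptions made for illustration, and the input string is constructed. The /e branch only runs on PHP 5.x, since the modifier was removed in PHP 7.0; the fixed branch runs on any PHP version.

```php
<?php
// Added example, not DokuWiki's or Hardened-PHP's code. Contrasts the
// vulnerable preg_replace()/e calls from the advisory with the
// preg_replace_callback() replacement it recommends.

// Assumed stand-in for the spellchecker's spaceslink() helper (its real
// body is not given in the advisory): blank out a link with spaces of the
// same width so positions survive but the link text is never spellchecked.
function spaceslink($link, $title = '') {
    return str_repeat(' ', strlen($link) + strlen($title) + 4);
}

// Vulnerable form, exactly as quoted in the advisory. With /e, PHP
// substitutes the backreferences into the replacement string and eval()s
// the result, so the input "[[{${canary()}}]]" becomes the PHP code
//     spaceslink("{${canary()}}","")
// and the complex curly syntax inside the double-quoted string calls
// canary(). Note that /e runs addslashes() over the substituted
// backreferences, which is why the advisory's payload
// eval(base64_decode($_POST[1])) contains no quote characters.
function strip_links_vulnerable($string) {
    $string = preg_replace('/\{\{(.*?)(\|(.*?))?(\}\})/e', 'spaceslink("\\1","\\2")', $string);
    $string = preg_replace('/\[\[(.*?)(\|(.*?))?(\]\])/e', 'spaceslink("\\1","\\2")', $string);
    return $string;
}

// Fixed form: preg_replace_callback() hands the match array to ordinary
// PHP code. Nothing derived from the input is ever compiled, so the
// "{${canary()}}" text is just an inert string argument.
function spaceslink_cb($m) {               // assumed callback name
    return spaceslink($m[1], isset($m[2]) ? $m[2] : '');
}

function strip_links_fixed($string) {
    $string = preg_replace_callback('/\{\{(.*?)(\|(.*?))?(\}\})/', 'spaceslink_cb', $string);
    $string = preg_replace_callback('/\[\[(.*?)(\|(.*?))?(\]\])/', 'spaceslink_cb', $string);
    return $string;
}

// Canary: records that attacker-controlled code ran. Stands in for the
// phpinfo() call or the eval() payload mentioned in the advisory.
$GLOBALS['canary_hit'] = false;
function canary() {
    $GLOBALS['canary_hit'] = true;
    return 'x';   // "${'x'}" then reads the (undefined) variable $x
}

// Constructed input: a spellcheck request body carrying the advisory's
// vector next to an ordinary media link.
$input = 'Please chekc [[{${canary()}}]] and {{media.png|a caption}} too.';

$GLOBALS['canary_hit'] = false;
strip_links_fixed($input);
echo "preg_replace_callback(): canary ",
     $GLOBALS['canary_hit'] ? "EXECUTED" : "not executed", "\n";

if (PHP_VERSION_ID < 70000) {
    $GLOBALS['canary_hit'] = false;
    @strip_links_vulnerable($input);   // @ hides the notice for undefined $x
    echo "preg_replace()/e:        canary ",
         $GLOBALS['canary_hit'] ? "EXECUTED" : "not executed", "\n";
} else {
    echo "preg_replace()/e:        skipped, /e was removed in PHP 7.0\n";
}
```

Run it with a PHP 5.x interpreter to see both branches: the callback version never calls canary(), the /e version does. The point of the fix is structural rather than a matter of filtering the input: with preg_replace_callback() the matched text only ever travels as a string argument, so there is no quote-escaping or entity-encoding rule that an attacker could find a way around.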
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEg/MKRDkUzAqGSqERAnV1AKDvE97DWauc+8lhbfrTjD8qSgKIgACgoxF9
NtzKYXXbo6zaoCvAxL+MWQ4=
=UGk5
-----END PGP SIGNATURE-----