Bug 135623 - www-apps/dokuwiki - arbitrary code execution / ACL bypass (CVE-2006-2878|CVE-2006-2945)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.hardened-php.net/advisory_...
Whiteboard: B1? [glsa] jaervosz
Reported: 2006-06-05 06:06 UTC by Carsten Lohrke (RETIRED)
Modified: 2006-06-22 03:51 UTC (History)
Description Carsten Lohrke (RETIRED) gentoo-dev 2006-06-05 06:06:31 UTC
DokuWiki comes with an AJAX spellchecking service that can be
   called by every visiting client without the need of authorization.
   
   Unfortunately the spellchecking service used the /e modifier of
   preg_replace() to handle links that are embedded in the text to
   translate in an unsafe way.
   
      // don't check links and medialinks for spelling errors
      $string = preg_replace('/\{\{(.*?)(\|(.*?))?(\}\})/e',
                             'spaceslink("\\1","\\2")',$string);
      $string = preg_replace('/\[\[(.*?)(\|(.*?))?(\]\])/e',
                             'spaceslink("\\1","\\2")',$string);
  
   Therefore it is possible to request a spellcheck for a string like
   
      [[{${phpinfo()}}]]
      
   which will result in the evaluation of something like
   
      spaceslink("{${phpinfo()}}",...);

http://www.hardened-php.net/advisory_042006.119.html
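The mechanism quoted above, worked through in PHP as an added example (this is not DokuWiki's or Hardened-PHP's code). legacy_e_replace() emulates what the /e modifier did before it was removed in PHP 7.0: substitute the backreferences into the replacement string, backslash-escape quotes in them, then eval() the result. spaceslink() is a stand-in whose behaviour is assumed, and canary() takes the place of phpinfo() so the code execution can be observed. The fixed variant uses preg_replace_callback(), the standard replacement for /e, which hands the captures to a real function as data instead of splicing them into source code.

```php
<?php
// Added example, not DokuWiki's code. Shows why the two /e patterns quoted in
// the advisory executed attacker-supplied PHP, and the callback form that fixes it.

$executed = false;   // added canary flag

// Stand-in for DokuWiki's spaceslink() (assumed behaviour): return a blank run so
// the spellchecker skips the link while offsets in the text stay aligned.
function spaceslink($link, $title)
{
    return str_repeat(' ', strlen($link) + strlen($title) + 4);
}

// Stands in for phpinfo() in the advisory's payload. It returns 'code' because
// "${canary()}" uses the return value as a variable name, and $code exists in the
// scope where the eval() below runs, so no undefined-variable warning is raised.
function canary()
{
    $GLOBALS['executed'] = true;
    return 'code';
}

// Emulation of preg_replace() with /e (removed in PHP 7.0). Like the real
// implementation, ' " \ and NUL in the captures are escaped (addslashes does
// exactly that set) before the text is pasted into the replacement and eval()ed.
function legacy_e_replace($pattern, $replacement, $subject)
{
    return preg_replace_callback($pattern, function ($m) use ($replacement) {
        $code = $replacement;
        for ($i = count($m) - 1; $i >= 0; $i--) {
            $code = str_replace('\\' . $i, addslashes($m[$i]), $code);
        }
        return eval('return ' . $code . ';');   // the dangerous step
    }, $subject);
}

// Vulnerable shape from the advisory: the capture lands inside a double-quoted
// PHP string literal, where "{${...}}" interpolation evaluates an expression.
// The quote escaping does not help because the payload needs no quote at all.
// (PHP 8.2+ prints a deprecation notice for "${...}" interpolation but still runs it.)
function spellcheck_prepare_vulnerable($string)
{
    $string = legacy_e_replace('/\{\{(.*?)(\|(.*?))?(\}\})/',
                               'spaceslink("\\1","\\2")', $string);
    $string = legacy_e_replace('/\[\[(.*?)(\|(.*?))?(\]\])/',
                               'spaceslink("\\1","\\2")', $string);
    return $string;
}

// Fixed shape: the captures reach spaceslink() as plain strings, nothing is eval()ed.
function spellcheck_prepare_fixed($string)
{
    $cb = function ($m) {
        return spaceslink($m[1], isset($m[2]) ? $m[2] : '');
    };
    $string = preg_replace_callback('/\{\{(.*?)(\|(.*?))?(\}\})/', $cb, $string);
    $string = preg_replace_callback('/\[\[(.*?)(\|(.*?))?(\]\])/', $cb, $string);
    return $string;
}

// Constructed input, the advisory's payload with canary() in place of phpinfo().
$payload = 'check this [[{${canary()}}]] text';

spellcheck_prepare_vulnerable($payload);
echo 'vulnerable: canary ' . ($executed ? 'executed' : 'not executed') . "\n";

$executed = false;
$out = spellcheck_prepare_fixed($payload);
echo 'fixed: canary ' . ($executed ? 'executed' : 'not executed') . "\n";
echo 'fixed output: "' . $out . '"' . "\n";
```

Run it with any PHP 5.3 or later interpreter: the first line reports the canary executed, the second that it did not, and the third shows the link replaced by blanks. The important detail is that the only change between the two versions is where the captured text goes: into source code that is then compiled, or into a function argument.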
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-06 01:39:26 UTC
web-apps please advise and provide an updated ebuild as necessary.
Comment 3 Matthias Geerdsen (RETIRED) gentoo-dev 2006-06-07 13:50:47 UTC
Here is a new one... mail taken from the dokuwiki list:


Hi *!

Just sent to the announcement list. BTW: Is everybody fine with me
copying the security announcements here? Or would you prefer getting
them via freshmeat only?

----

Just two days after the last security problem another flaw was
discovered. Luckily not as bad as the last one.

Andreas Åkre Solberg discovered a security flaw which allows registered
users to view page content they usually have no access to. The problem
is in how a successful user profile change is handled.

This affects only installs which have Access Control Lists enabled (off
by default) and restrict the READ permission for certain pages even
for logged-in users. Non-authenticated users cannot exploit this bug.

The package available at http://www.splitbrain.org/go/dokuwiki was
updated again to reflect the change but fixing it manually is simple,
too. Info on how to do this is available at
http://bugs.splitbrain.org/?do=details&id=825

Andi

PS: I apologize for the trouble. Unfortunately, the bigger and more complex a
piece of software gets, the more likely security flaws are. I try hard to avoid
common mistakes but sometimes a bug slips through. If you are an
experienced PHP developer I encourage you to have a look at the code
(preferably the devel code) yourself to help spot such weaknesses -
the more people check, the better it gets.
Comment 5 frilled 2006-06-07 14:23:22 UTC
I'm fine with that. I personally chose DokuWiki for its non-dependence on a DB and I like it a lot. It's got its flaws like any other app, but it's definitely a "way to go" I support. Guess I'm in for some contribution sooner or later .-)

If maintainers ever fall short on this one, page me :D
Comment 6 Stuart Herbert (RETIRED) gentoo-dev 2006-06-11 10:36:41 UTC
Bumped, as dokuwiki-20060309-r1.  x86 will need to stabilise, so that we can remove dokuwiki-20050922.

Best regards,
Stu
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-11 12:03:09 UTC
x86 please test and mark stable.
Comment 8 Andrej Kacian (RETIRED) gentoo-dev 2006-06-12 13:58:02 UTC
Works nicely on my stable box. Marked x86.
Comment 9 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-13 14:32:33 UTC
it's CVE-2006-2878, and probably CVE-2006-2945 too
Comment 10 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-13 14:48:42 UTC
(In reply to comment #8)
> it's CVE-2006-2878, and probably CVE-2006-2945 too
> 

CVE-2006-2945 is another issue, B4, doesn't merit a GLSA, but it has been corrected with the same version bump.
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-14 11:07:51 UTC
Thx everyone.

GLSA 200606-16
Comment 12 Gokdeniz Karadag 2006-06-21 21:21:40 UTC
(In reply to comment #9)
> (In reply to comment #8)
> > it's CVE-2006-2878, and probably CVE-2006-2945 too
> > 
> 
> CVE-2006-2945 is another issue, B4, doesn't merit a GLSA, but it has been
> corrected with the same version bump.
> 

I have upgraded to dokuwiki-20060309-r1 but the bug stated in CVE-2006-2945 is still present. I checked the php files, and the fix suggested by the developer (*) is in place, around line 50 of inc/actions.php, but still a user can access restricted pages by changing their profile on the access denied page.

(*) http://bugs.splitbrain.org/?do=details&id=825
Comment 13 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-22 03:51:47 UTC
> I have upgraded to dokuwiki-20060309-r1 but the bug stated in CVE-2006-2945 is
> still present. I checked the php files, and the fix suggested by developer(*)
> is in place, around line 50 of inc/actions.php, but still a user can access
> restricted pages by changing their profile in access denied page.
> 
> (*) http://bugs.splitbrain.org/?do=details&id=825
> 

mmm... this should be reported directly to the developer. Only he can act on this