Bug 163781

Summary: www-apps/dokuwiki (versions < 2006-11-06) CRLF Injection Vulnerability CVE-2006-6965
Product: Gentoo Security
Reporter: Executioner <keith>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: chi, gentoo_bugs_peep, pookey, ramereth, ticho, web-apps, ziapannocchia
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://secunia.com/advisories/23926/
Whiteboard: B4 [glsa] Falco
Package list:
Runtime testing required: ---
Attachments:
Elias Probst's ebuild from bug #150950. (Flags: none)

Description Executioner 2007-01-25 17:37:54 UTC
unsticky has discovered a vulnerability in DokuWiki, which can be exploited by malicious people to bypass certain restrictions.

Input passed to the "media" parameter in lib/exe/fetch.php is not properly sanitised before being used. This can be exploited to bypass certain restrictions via CRLF character sequences and inject arbitrary HTTP headers and HTTP body data in a request.

Successful exploitation e.g. makes it possible to conduct cross-site scripting attacks.

The vulnerability is confirmed in version 2006-03-09e. Other versions may also be affected.

Reproducible: Didn't try
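The report describes a header-injection pattern: a request parameter reaches an HTTP header line without its CR/LF characters being removed, so a single parameter value can terminate the header and append further header or body data. The Python below is an added example written for this page, not DokuWiki code and not a reproduction of lib/exe/fetch.php. It shows the check a header-emitting code path needs (refuse CR, LF and NUL before a value is placed in a header) and a small access-log scanner that flags requests whose query parameters decode to line breaks, which is the detection a defender can run over existing logs while a fix is pending. The log lines, the header built from the media name, and all function names are constructed for the example.

```python
"""Added example (not DokuWiki code): hardening and detection for the
CRLF-in-header pattern described in the report for CVE-2006-6965."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Bytes that must never reach a raw HTTP header line: CR and LF end the line,
# and NUL is rejected because some HTTP stacks truncate on it.
_FORBIDDEN = re.compile(r"[\r\n\x00]")


def is_safe_header_value(value: str) -> bool:
    """True if the value can be placed in an HTTP header without ending it."""
    return _FORBIDDEN.search(value) is None


def safe_header_value(value: str) -> str:
    """Return the value unchanged if it is header-safe, otherwise raise.

    Rejecting is preferable to silently stripping: a stripped value may still
    be wrong, and the rejection is loggable as an attack indicator."""
    if not is_safe_header_value(value):
        raise ValueError("CR/LF or NUL in header value")
    return value


def content_disposition_for(media: str) -> str:
    """Build a Content-Disposition header from a user-supplied media name.

    Hypothetical helper standing in for any code that copies a request
    parameter into a header; the namespace:file split mirrors DokuWiki's
    media naming only as an illustration."""
    filename = media.rsplit(":", 1)[-1]
    return 'Content-Disposition: attachment; filename="%s"' % safe_header_value(filename)


# Matches the request-line portion of a Common/Combined Log Format entry.
_REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def request_has_crlf_in_query(log_line: str) -> bool:
    """True if any query parameter of the logged request decodes to CR/LF/NUL.

    parse_qs percent-decodes once; a second unquote catches values that were
    double-encoded (e.g. %250d%250a) to slip past a single-decode filter."""
    m = _REQUEST_LINE.search(log_line)
    if not m:
        return False
    query = urlsplit(m.group(1)).query
    for values in parse_qs(query, keep_blank_values=True).values():
        for v in values:
            if not is_safe_header_value(v) or not is_safe_header_value(unquote(v)):
                return True
    return False


def scan_access_log(lines):
    """Return the indices of log lines carrying a CRLF-bearing query parameter."""
    return [i for i, line in enumerate(lines) if request_has_crlf_in_query(line)]


# Constructed sample log lines (not real traffic): a benign media fetch, then a
# request whose media parameter carries an encoded CRLF sequence.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Jan/2007:17:37:54 +0000] '
    '"GET /lib/exe/fetch.php?media=wiki:dokuwiki-128.png HTTP/1.1" 200 512',
    '203.0.113.9 - - [25/Jan/2007:17:38:10 +0000] '
    '"GET /lib/exe/fetch.php?media=wiki:x.png%0d%0aX-Test:%201 HTTP/1.1" 200 12',
]


if __name__ == "__main__":
    print(content_disposition_for("wiki:dokuwiki-128.png"))
    print("flagged log lines:", scan_access_log(SAMPLE_LOG))
    try:
        content_disposition_for("wiki:x.png\r\nX-Test: 1")
    except ValueError as exc:
        print("rejected:", exc)
```

The scanner only looks at the query string, since that is where the report places the vulnerable parameter; POST bodies are not in an access log and would need the same check at the application layer.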
Comment 1 Executioner 2007-01-25 21:09:57 UTC
Noticed this XSS too... 
http://www.securiteam.com/unixfocus/5YP0N1FKAE.html
Comment 2 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-10 21:15:33 UTC
ping web-apps
Comment 3 Executioner 2007-02-14 02:07:29 UTC
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6965
Comment 4 Jakub Moc (RETIRED) gentoo-dev 2007-02-15 22:36:40 UTC
*** Bug 150950 has been marked as a duplicate of this bug. ***
Comment 5 Michael Klier 2007-02-16 10:40:21 UTC
This bug has been fixed as of 2006-10-17, see DokuWiki bugtracker [1] for further details.

[1] http://bugs.splitbrain.org/?do=details&id=935
Comment 6 Ian P. Christian 2007-02-25 04:18:07 UTC
new ebuild needed for latest version
Comment 7 Tomas Synek 2007-03-08 10:13:22 UTC
Hi, new version still out of portage? Why??

http://bugs.gentoo.org/show_bug.cgi?id=150950

dokuwiki-20061106.ebuild > http://bugs.gentoo.org/attachment.cgi?id=103294
"Changes: removed the last MY_PV argument, because this release doesn't have an
alphabetic character at the end of PV"

Works fine for my amd64, please test and report...
Comment 8 Jakub Moc (RETIRED) gentoo-dev 2007-03-09 07:21:03 UTC
*** Bug 169833 has been marked as a duplicate of this bug. ***
Comment 9 Marco Clocchiatti 2007-03-09 12:57:18 UTC
(In reply to comment #8)
> *** Bug 169833 has been marked as a duplicate of this bug. ***
> 

I think that Bug 169833 shows one more thing: old dokuwiki version gives problems with new php.
So the new ebuild has to go soon in portage.
Comment 10 Philippe Chaintreuil 2007-03-09 14:11:17 UTC
Created attachment 112712 [details]
Elias Probst's ebuild from bug #150950.

Elias Probst originally submitted this ebuild under bug #150950.  Could someone please get it into the portage tree?  It's been there, waiting for someone to get it in since the beginning of December.
Comment 11 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-13 23:02:40 UTC
ping web-apps: if you don't have time to maintain this package, then please put it in p.mask so that it will not be concerned by the security process anymore
Comment 12 Renat Lumpau (RETIRED) gentoo-dev 2007-03-13 23:52:30 UTC
(In reply to comment #11)
> ping web-apps: if you don't have time to maintain this package, then please put
> it in p.mask so that it will not be concerned by the security process anymore
> 

Please feel free to p.mask it - ramereth seems to be MIA
Comment 13 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-14 00:19:44 UTC
Security team, your opinion? Probably I will email -dev.

security vulnerabilities:

CVE-2006-6965
CVE-2006-5099
CVE-2006-5098
CVE-2006-4679
CVE-2006-4675
CVE-2006-4674
CVE-2006-2945
CVE-2006-2878
Comment 14 Matt Drew (RETIRED) gentoo-dev 2007-03-14 03:29:21 UTC
I've seen this in quite a few places in active use, I'd vote yes for a GLSA.
Comment 15 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-14 07:38:26 UTC
I think you should mail -dev with maintainer wanted.
Comment 16 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-15 21:46:53 UTC
-dev'ed

let's wait for a few days before masking it
Comment 17 Andrej Kacian (RETIRED) gentoo-dev 2007-03-15 22:36:20 UTC
I am using dokuwiki - although only lightly - and like it. Therefore I'll volunteer to take on its maintainership, because I really don't want it to go. 20061106 committed in the tree.

If someone is against it, or wishes to maintain dokuwiki more than me, just contact me.
Comment 18 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-16 00:01:01 UTC
Nice, thanks a lot Andrej.

Hi x86, please test and mark stable dokuwiki-20061106, thanks!
Comment 19 Andrej Kacian (RETIRED) gentoo-dev 2007-03-16 06:51:51 UTC
x86 done
Comment 20 Matthias Geerdsen (RETIRED) gentoo-dev 2007-03-16 16:00:22 UTC
(In reply to comment #13)
> Security team, your opinion? Probably i will email -dev.
> 
> security vulnerabilities:
> 

2006-03-09e affected by: 

> CVE-2006-6965

not affected by:
> CVE-2006-5099
> CVE-2006-5098
> CVE-2006-4679
> CVE-2006-4675
> CVE-2006-4674
> CVE-2006-2945
> CVE-2006-2878
 

security please vote

Comment 21 Andrej Kacian (RETIRED) gentoo-dev 2007-03-16 17:47:53 UTC
(In reply to comment #20)
> (In reply to comment #13)
> > Security team, your opinion? Probably i will email -dev.
> > 
> > security vulnerabilities:
> > 
> 
> 2006-03-09e affected by: 
> 
> > CVE-2006-6965

Um, this is about 2006-11-06, not about 2006-03-09e (which I have already removed from the tree anyway, as 2006-11-06 has equal keywords).
Comment 22 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-03-16 19:32:25 UTC
(In reply to comment #20)
> (In reply to comment #13)
> 
> security please vote
> 

tending to vote yes, as it seems to be widely used.
Comment 23 Matthias Geerdsen (RETIRED) gentoo-dev 2007-03-16 21:07:48 UTC
(In reply to comment #21)
> 
> Um, this is about 2006-11-06, not about 2006-03-09e (which I have already
> removed from the tree anyway, as 2006-11-06 has equal keywords).
> 

Yep, I just wanted to make clear that we are only talking about one issue (CVE) and not the whole list, since we dealt with those in earlier GLSAs already ;-)

I also tend to vote yes btw.
Comment 24 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-17 08:40:21 UTC
I tend to vote YES.
Comment 25 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-26 22:02:33 UTC
I would vote "no" for the very weak impact, on a web-app that is typically prone to XSS issues.
Comment 26 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-04-02 22:16:30 UTC
I'm filing a GLSA request due to your "yes" votes
Comment 27 Matthias Geerdsen (RETIRED) gentoo-dev 2007-04-12 14:17:09 UTC
GLSA 200704-08

thanks everyone