Bug 163781 - www-apps/dokuwiki (versions < 2006-11-06) CRLF Injection Vulnerability CVE-2006-6965
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://secunia.com/advisories/23926/
Whiteboard: B4 [glsa] Falco
Keywords:
Duplicates: 150950 169833
Depends on:
Blocks:
 
Reported: 2007-01-25 17:37 UTC by Executioner
Modified: 2008-03-06 17:00 UTC (History)
CC List: 7 users

See Also:
Package list:
Runtime testing required: ---


Attachments
Elias Probst's ebuild from bug #150950 (dokuwiki-20061106.ebuild, 1.69 KB, text/plain), attached 2007-03-09 14:11 UTC by Philippe Chaintreuil

Description Executioner 2007-01-25 17:37:54 UTC
unsticky has discovered a vulnerability in DokuWiki, which can be exploited by malicious people to bypass certain restrictions.

Input passed to the "media" parameter in lib/exe/fetch.php is not properly sanitised before being used. This can be exploited to bypass certain restrictions via CRLF character sequences and inject arbitrary HTTP headers and HTTP body data in a request.

Successful exploitation e.g. makes it possible to conduct cross-site scripting attacks.

The vulnerability is confirmed in version 2006-03-09e. Other versions may also be affected.

Reproducible: Didn't try
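The advisory above describes the classic HTTP response splitting pattern: a request parameter is copied into a response header, and a CR/LF pair inside it terminates that header so the rest of the value becomes further headers and, after a blank line, body. The following is an added example modelling that pattern generically; it is not DokuWiki's lib/exe/fetch.php, and the response layout, the hardened check, the payload and the sample PNG bytes are all constructed for illustration. It shows a vulnerable builder beside a hardened one, and a small response parser that makes the split visible.

```python
"""CRLF injection in a file-serving endpoint: vulnerable vs hardened builder.

Constructed example. The "media" parameter is assumed to be reflected into a
Content-Disposition header, as the advisory describes; the rest is illustrative.
"""
from urllib.parse import unquote

CRLF = "\r\n"
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n"  # constructed stand-in for a real image body


class InvalidMediaName(ValueError):
    """Raised by the hardened path when the parameter cannot go into a header."""


def build_response_vulnerable(media: str, body: bytes = SAMPLE_PNG) -> bytes:
    """Copies the URL-decoded parameter straight into a response header.

    Any \r\n inside `media` ends the Content-Disposition line early, so the
    attacker controls every header and body byte that follows it.
    """
    filename = unquote(media)  # a web server would already have decoded this
    headers = [
        "HTTP/1.1 200 OK",
        "Content-Type: image/png",
        f"Content-Disposition: inline; filename={filename}",
        f"Content-Length: {len(body)}",
    ]
    return (CRLF.join(headers) + CRLF + CRLF).encode("latin-1") + body


def sanitize_media(media: str) -> str:
    """Hardened: decode first, then reject anything a header value must not carry.

    Control characters (CR, LF, NUL, ...) are refused outright rather than
    stripped, so a crafted value fails loudly instead of being silently altered.
    Path separators are refused as well, since the value names a file on disk.
    """
    filename = unquote(media)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in filename):
        raise InvalidMediaName("control character in media parameter")
    if "/" in filename or "\\" in filename or ".." in filename:
        raise InvalidMediaName("path separator in media parameter")
    return filename


def build_response_hardened(media: str, body: bytes = SAMPLE_PNG) -> bytes:
    """Same response, but only after the parameter has passed sanitize_media()."""
    return build_response_vulnerable(sanitize_media(media), body)


def split_response(raw: bytes):
    """Parse a raw HTTP/1.1 response the way a lenient client would.

    Returns (headers, body); headers maps lower-cased names to a list of
    values, so a duplicated header (the injected Content-Type) is visible.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split(CRLF)[1:]  # drop the status line
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body


# Constructed payload: ends the Content-Disposition header, adds a second
# Content-Type, then a blank line so the script tag becomes the response body.
PAYLOAD = (
    "logo.png%0d%0aContent-Type:%20text/html%0d%0a%0d%0a"
    "<script>alert(1)</script>"
)


def demo():
    """Run the vulnerable and hardened builders against the same payload."""
    headers, body = split_response(build_response_vulnerable(PAYLOAD))
    injected = headers.get("content-type") == ["image/png", "text/html"] and \
        body.startswith(b"<script>")
    try:
        build_response_hardened(PAYLOAD)
        blocked = False
    except InvalidMediaName:
        blocked = True
    return injected, blocked


if __name__ == "__main__":
    print("vulnerable builder split the response:", demo()[0])
    print("hardened builder rejected the payload:", demo()[1])
```

Two points worth noting. The check runs on the decoded value, because it is the decoded bytes that reach the header; checking the raw `%0d%0a` form would miss double-encoded or server-decoded input. And the reject-rather-than-strip choice is deliberate: the advisory's impact is XSS, and a stripped-but-accepted value can still end up somewhere unexpected. Modern PHP's header() itself refuses values containing a newline (added in PHP 4.4.2/5.1.2), but the thread does not say which PHP the affected installs ran, so the application-level check is the one to rely on.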
Comment 1 Executioner 2007-01-25 21:09:57 UTC
Noticed this XSS too... 
http://www.securiteam.com/unixfocus/5YP0N1FKAE.html
Comment 2 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-10 21:15:33 UTC
ping web-apps
Comment 3 Executioner 2007-02-14 02:07:29 UTC
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6965
Comment 4 Jakub Moc (RETIRED) gentoo-dev 2007-02-15 22:36:40 UTC
*** Bug 150950 has been marked as a duplicate of this bug. ***
Comment 5 Michael Klier 2007-02-16 10:40:21 UTC
This bug has been fixed as of 2006-10-17, see DokuWiki bugtracker [1] for further details.

[1] http://bugs.splitbrain.org/?do=details&id=935
Comment 6 Ian P. Christian 2007-02-25 04:18:07 UTC
new ebuild needed for latest version
Comment 7 Tomas Synek 2007-03-08 10:13:22 UTC
Hi, new version still out of portage? Why??

http://bugs.gentoo.org/show_bug.cgi?id=150950

dokuwiki-20061106.ebuild > http://bugs.gentoo.org/attachment.cgi?id=103294
"Changes: removed the last MY_PV argument, because this release doesn't have an
alphabetic character at the end of PV"

Works fine for my amd64, please test and report... 
Comment 8 Jakub Moc (RETIRED) gentoo-dev 2007-03-09 07:21:03 UTC
*** Bug 169833 has been marked as a duplicate of this bug. ***
Comment 9 Marco Clocchiatti 2007-03-09 12:57:18 UTC
(In reply to comment #8)
> *** Bug 169833 has been marked as a duplicate of this bug. ***
> 

I think that Bug 169833 shows one more thing: old dokuwiki version gives problems with new php.
So the new ebuild has to go soon in portage.
Comment 10 Philippe Chaintreuil 2007-03-09 14:11:17 UTC
Created attachment 112712 [details]
Elias Probst's ebuild from bug #150950.

Elias Probst originally submitted this ebuild under bug #150950.  Could someone please get it into the portage tree?  It's been there, waiting for someone to get it in since the beginning of December.
Comment 11 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-13 23:02:40 UTC
ping web-apps: if you don't have time to maintain this package, then please put it in p.mask so that it will not be concerned by the security process anymore
Comment 12 Renat Lumpau (RETIRED) gentoo-dev 2007-03-13 23:52:30 UTC
(In reply to comment #11)
> ping web-apps: if you don't have time to maintain this package, then please put
> it in p.mask so that it will not be concerned by the security process anymore
> 

Please feel free to p.mask it - ramereth seems to be MIA
Comment 13 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-14 00:19:44 UTC
Security team, your opinion? Probably I will email -dev.

security vulnerabilities:

CVE-2006-6965
CVE-2006-5099
CVE-2006-5098
CVE-2006-4679
CVE-2006-4675
CVE-2006-4674
CVE-2006-2945
CVE-2006-2878
Comment 14 Matt Drew (RETIRED) gentoo-dev 2007-03-14 03:29:21 UTC
I've seen this in quite a few places in active use, I'd vote yes for a GLSA.
Comment 15 Sune Kloppenborg Jeppesen gentoo-dev 2007-03-14 07:38:26 UTC
I think you should mail -dev with maintainer wanted.
Comment 16 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-15 21:46:53 UTC
-dev'ed

let's wait for a few days before masking it
Comment 17 Andrej Kacian (RETIRED) gentoo-dev 2007-03-15 22:36:20 UTC
I am using dokuwiki - although only lightly - and like it. Therefore I'll volunteer to take on its maintainership, because I really don't want it to go. 20061106 committed in the tree.

If someone is against it, or wishes to maintain dokuwiki more than me, just contact me.
Comment 18 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-16 00:01:01 UTC
Nice, thanks a lot Andrej.

Hi x86, please test and mark stable dokuwiki-20061106, thanks!
Comment 19 Andrej Kacian (RETIRED) gentoo-dev 2007-03-16 06:51:51 UTC
x86 done
Comment 20 Matthias Geerdsen (RETIRED) gentoo-dev 2007-03-16 16:00:22 UTC
(In reply to comment #13)
> Security team, your opinion? Probably i will email -dev.
> 
> security vulnerabilities:
> 

2006-03-09e affected by: 

> CVE-2006-6965

not affected by:
> CVE-2006-5099
> CVE-2006-5098
> CVE-2006-4679
> CVE-2006-4675
> CVE-2006-4674
> CVE-2006-2945
> CVE-2006-2878
 

security please vote

Comment 21 Andrej Kacian (RETIRED) gentoo-dev 2007-03-16 17:47:53 UTC
(In reply to comment #20)
> (In reply to comment #13)
> > Security team, your opinion? Probably i will email -dev.
> > 
> > security vulnerabilities:
> > 
> 
> 2006-03-09e affected by: 
> 
> > CVE-2006-6965

Um, this is about 2006-11-06, not about 2006-03-09e (which I have already removed from the tree anyway, as 2006-11-06 has equal keywords).
Comment 22 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-03-16 19:32:25 UTC
(In reply to comment #20)
> (In reply to comment #13)
> 
> security please vote
> 

tending to vote yes, as it seems to be widely used.
Comment 23 Matthias Geerdsen (RETIRED) gentoo-dev 2007-03-16 21:07:48 UTC
(In reply to comment #21)
> 
> Um, this is about 2006-11-06, not about 2006-03-09e (which I have already
> removed from the tree anyway, as 2006-11-06 has equal keywords).
> 

Yep, I just wanted to make clear that we are only talking about one issue (CVE) and not the whole list, since we dealt with those in earlier GLSAs already ;-)

I also tend to vote yes btw.
Comment 24 Sune Kloppenborg Jeppesen gentoo-dev 2007-03-17 08:40:21 UTC
I tend to vote YES.
Comment 25 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-26 22:02:33 UTC
I would vote "no" for the very weak impact, on a web-app that is typically prone to XSS issues.
Comment 26 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-04-02 22:16:30 UTC
I'm filing a GLSA request due to your "yes" votes
Comment 27 Matthias Geerdsen (RETIRED) gentoo-dev 2007-04-12 14:17:09 UTC
GLSA 200704-08

thanks everyone