| VID |
21978 |
| Severity |
40 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The DokuWiki software is vulnerable to a remote command execution vulnerability in the 'bin/dwpage.php' script. DokuWiki is a freely available wiki application written in PHP. DokuWiki versions prior to 2006/03/09c are vulnerable to a remote command execution vulnerability, caused by improper validation of user-supplied input passed to the 'bin/dwpage.php' script. By sending a specially-crafted HTTP URL request to the 'bin/dwpage.php' script using the TARGET_FN parameter to specify a malicious file from the remote system, a remote attacker could obtain sensitive information and execute arbitrary code on the affected system.
* References:
http://www.frsirt.com/english/advisories/2006/3519
http://secunia.com/advisories/21819/
http://www.securityfocus.com/archive/1/445516
* Platforms Affected:
DokuWiki versions prior to 2006/03/09c
Any operating system Any version |
| Recommendation |
Upgrade to the latest version of DokuWiki (2006/03/09c or later), available from the DokuWiki Project Web page at http://www.splitbrain.org/projects/dokuwiki
-- OR --
As a workaround, limit access to DokuWiki's 'bin' directory or delete 'bin/dwpage.php' file. |
| Related URL |
(CVE) |
| Related URL |
19911 (SecurityFocus) |
| Related URL |
28817 (ISS) |
|
