CVE-2006-4674 - Unspecified vulnerability in Andreas Gohr Dokuwiki
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Summary
Direct static code injection vulnerability in doku.php in DokuWiki before 2006-03-09c allows remote attackers to execute arbitrary PHP code via the X-FORWARDED-FOR HTTP header, which is stored in config.php. Successful exploitation requires that "register_argc_argv" is enabled, which is the default setting. This vulnerability is addressed in the following product release: Andreas Gohr, DokuWiki, 2006-03-09c
Vulnerable Configurations
Nessus
NASL family: CGI abuses
NASL id: DOKUWIKI_DWPAGE.NASL
description: The remote host is running DokuWiki, an open source wiki application written in PHP. The installed version of DokuWiki includes a script,
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 22315
published: 2006-09-08
reporter: This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/22315
title: DokuWiki doku.php X-FORWARDED-FOR HTTP Header Arbitrary Code Injection
code:

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(22315);
  script_version("1.19");

  script_cve_id("CVE-2006-4674");
  script_bugtraq_id(19911);
  script_xref(name:"EDB-ID", value:"2322");

  script_name(english:"DokuWiki doku.php X-FORWARDED-FOR HTTP Header Arbitrary Code Injection");
  script_summary(english:"Checks whether DocuWiki dwpage.php is accessible via http");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP script that should be removed or
protected." );
  script_set_attribute(attribute:"description", value:
"The remote host is running DokuWiki, an open source wiki application
written in PHP.

The installed version of DokuWiki includes a script, 'bin/dwpage.php',
that is intended as a command line tool for modifying pages. By
accessing it through the web, an unauthenticated, remote attacker can
abuse it to view local files and even execute arbitrary code, both
subject to the privileges of the web server user id." );
  # https://web.archive.org/web/20061011114634/http://retrogod.altervista.org/dokuwiki_2006-03-09b_cmd.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6748d421" );
  script_set_attribute(attribute:"see_also", value:"https://www.freelists.org/post/dokuwiki/SECURITY-WARNING-was-Strange-attack-on-the-wiki" );
  script_set_attribute(attribute:"solution", value:
"Limit access to DokuWiki's 'bin' directory using, say, a .htaccess
file or remove the affected script." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:U/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_publication_date", value: "2006/09/08");
  script_set_attribute(attribute:"vuln_publication_date", value: "2006/09/07");
  script_cvs_date("Date: 2018/11/15 20:50:16");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value: "cpe:/a:andreas_gohr:dokuwiki");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");

  script_dependencies("dokuwiki_detect.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/dokuwiki");
  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:80, embedded: 0);
if (!can_host_php(port:port)) exit(0);

# Test an install.
install = get_kb_item(string("www/", port, "/dokuwiki"));
if (isnull(install)) exit(0);
matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
if (!isnull(matches))
{
  dir = matches[2];

  # Call the script's help function
  r = http_send_recv3(method: "GET", item:string(dir, "/bin/dwpage.php?-h"), port:port);
  if (isnull(r)) exit(0);

  # If it does...
  if ("Usage: dwpage.php [opts] <action>" >< r[2])
  {
    security_hole(port);
    exit(0);
  }
}
```
NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-200609-10.NASL
description: The remote host is affected by the vulnerability described in GLSA-200609-10 (DokuWiki: Arbitrary command execution)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 22355
published: 2006-09-15
reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/22355
title: GLSA-200609-10 : DokuWiki: Arbitrary command execution
code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 200609-10.
#
# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

if (description)
{
  script_id(22355);
  script_version("1.13");
  script_cvs_date("Date: 2019/08/02 13:32:43");

  script_cve_id("CVE-2006-4674", "CVE-2006-4675", "CVE-2006-4679");
  script_xref(name:"GLSA", value:"200609-10");

  script_name(english:"GLSA-200609-10 : DokuWiki: Arbitrary command execution");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Gentoo host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is affected by the vulnerability described in GLSA-200609-10
(DokuWiki: Arbitrary command execution)

    'rgod' discovered that DokuWiki doesn't sanitize the X-FORWARDED-FOR
    HTTP header, allowing the injection of arbitrary contents - such as PHP
    commands - into a file. Additionally, the accessory scripts installed
    in the 'bin' DokuWiki directory are vulnerable to directory traversal
    attacks, allowing to copy and execute the previously injected code.

Impact :

    A remote attacker may execute arbitrary PHP (and thus probably system)
    commands with the permissions of the user running the process serving
    DokuWiki pages.

Workaround :

    Disable remote access to the 'bin' subdirectory of the DokuWiki
    installation. Remove the directory if you don't use the scripts in
    there."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/200609-10"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"All DokuWiki users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose '>=www-apps/dokuwiki-20060309d'"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:dokuwiki");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2006/09/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/09/15");
  script_set_attribute(attribute:"vuln_publication_date", value:"2006/09/07");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;

if (qpkg_check(package:"www-apps/dokuwiki", unaffected:make_list("ge 20060309d"), vulnerable:make_list("lt 20060309d"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "DokuWiki");
}
```
NASL family: FreeBSD Local Security Checks
NASL id: FREEBSD_PKG_FCBA5764506A11DBA5AE00508D6A62DF.NASL
description: Secunia reports : rgod has discovered a vulnerability in DokuWiki, which can be exploited by malicious people to compromise a vulnerable system. Input passed to the
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 22492
published: 2006-10-02
reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/22492
title: FreeBSD : dokuwiki -- multiple vulnerabilities (fcba5764-506a-11db-a5ae-00508d6a62df)
References
- http://bugs.splitbrain.org/index.php?do=details&id=906
- http://retrogod.altervista.org/dokuwiki_2006-03-09b_cmd.html
- http://secunia.com/advisories/21819
- http://secunia.com/advisories/21936
- http://security.gentoo.org/glsa/glsa-200609-10.xml
- http://securityreason.com/securityalert/1537
- http://www.securityfocus.com/archive/1/445516/100/0/threaded