DokuWiki Information Disclosure and Security Bypass Vulnerabilities


Description   Multiple vulnerabilities have been identified in DokuWiki that could be exploited by remote attackers to disclose or manipulate sensitive information, or to bypass security restrictions. They are caused by input and access validation errors in the "plugins/acl/ajax.php" script (the AJAX back end of the ACL manager), which could allow an attacker to list the contents of arbitrary directories via directory traversal in the namespace parameter, add arbitrary ACL rules without the expected administrative privilege check, or conduct cross-site request forgery attacks against an administrator's session.
     
Vulnerable Products   Vulnerable Software:
DokuWiki versions prior to 2009-12-25c
     
Solution   Upgrade to DokuWiki version 2009-12-25c : http://www.splitbrain.org/projects/dokuwiki
     
CVE   CVE-2010-0289 (cross-site request forgery in the ACL manager)
CVE-2010-0288 (missing authorization check, arbitrary ACL rules can be added)
CVE-2010-0287 (directory traversal, listing of arbitrary directories)
     
References   http://www.dokuwiki.org/changes
http://bugs.splitbrain.org/index.php?do=details&task_id=1853
http://bugs.splitbrain.org/index.php?do=details&task_id=1847
     
Vulnerability Manager Detection   No
     
IPS Protection
ASQ Engine alarm                                          Available Since
Misc : Directory traversal - parameter starting with ../  3.2.0
Directory traversal using ..\..                           3.2.0
Directory traversal                                       3.2.0
Directory traversal backward root folder                  3.2.0
Note: these alarms cover only the directory traversal vector (CVE-2010-0287). The missing authorization check (CVE-2010-0288) and the CSRF issue (CVE-2010-0289) involve requests that carry no traversal pattern and are not detected by them; upgrading to 2009-12-25c remains the only complete fix.
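The four alarm classes above describe progressively more specific shapes of the same traversal pattern. The following Python script is an added illustration, not vendor code and not the ASQ engine's actual signatures: it scans constructed access-log lines (Apache combined style, against the standard DokuWiki path /lib/plugins/acl/ajax.php, both assumed for the demo) and reports which of the four classes each request parameter would fall into. It also shows two details a practitioner checking their own IPS coverage should care about: percent-decoding must be applied repeatedly so double-encoded sequences (%252e%252e%252f) are not missed, and a "backward root folder" escape is a matter of counting path depth, not of the string starting with ../.

```python
"""Flag directory-traversal attempts in web-server access logs.

Added example (not DokuWiki or vendor code). The four alarm names mirror the
IPS table; the matching logic is a simplified illustration of each class.
"""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Alarm class names, taken from the IPS table.
ALARM_PREFIX = "Misc : Directory traversal - parameter starting with ../"
ALARM_BACKSLASH = "Directory traversal using ..\\.."
ALARM_GENERIC = "Directory traversal"
ALARM_ROOT = "Directory traversal backward root folder"

# Constructed access-log lines for the demo (clients are TEST-NET-3 addresses).
SAMPLE_LOG = """\
203.0.113.5 - - [18/Jan/2010:10:01:02 +0100] "GET /doku.php?id=wiki:syntax HTTP/1.1" 200 5120
203.0.113.5 - - [18/Jan/2010:10:01:09 +0100] "GET /lib/plugins/acl/ajax.php?ajax=tree&ns=..%2F..%2Fconf HTTP/1.1" 200 812
203.0.113.7 - - [18/Jan/2010:10:02:31 +0100] "GET /lib/plugins/acl/ajax.php?ajax=tree&ns=wiki%2F..%2F..%2F..%2F..%2Fetc HTTP/1.1" 200 640
203.0.113.7 - - [18/Jan/2010:10:02:40 +0100] "GET /lib/plugins/acl/ajax.php?ajax=tree&ns=%252e%252e%252f%252e%252e%252fdata HTTP/1.1" 200 640
203.0.113.9 - - [18/Jan/2010:10:03:15 +0100] "GET /lib/plugins/acl/ajax.php?ajax=tree&ns=..%5C..%5Cwindows HTTP/1.1" 200 512
203.0.113.9 - - [18/Jan/2010:10:03:20 +0100] "GET /doku.php?id=playground:playground&do=edit HTTP/1.1" 200 3001
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded input such as
    %252e%252e%252f collapses to '../'. Stops once a round changes nothing."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def escapes_root(path: str) -> bool:
    """True if a '..' segment ever steps above the starting directory while
    walking the path (the 'backward root folder' case). 'a/../b' stays inside."""
    depth = 0
    for seg in re.split(r"[\\/]+", path):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def classify(value: str) -> list:
    """Map one parameter value to the alarm classes it would match."""
    v = fully_decode(value)
    hits = []
    if v.startswith("../") or v.startswith("..\\"):
        hits.append(ALARM_PREFIX)
    if "..\\.." in v:
        hits.append(ALARM_BACKSLASH)
    if re.search(r"\.\.[\\/]", v):
        hits.append(ALARM_GENERIC)
    if escapes_root(v):
        hits.append(ALARM_ROOT)
    return hits


def scan_log(log_text: str) -> list:
    """Return (client, path, param, decoded_value, alarms) for every request
    parameter in the log that triggers at least one alarm class."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        client = line.split(" ", 1)[0]
        parts = urlsplit(m.group("target"))
        # parse_qsl performs one round of percent-decoding; classify() does the rest.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            alarms = classify(value)
            if alarms:
                findings.append((client, parts.path, name, fully_decode(value), alarms))
    return findings


if __name__ == "__main__":
    for client, path, name, value, alarms in scan_log(SAMPLE_LOG):
        print(f"{client} {path} {name}={value!r} -> {'; '.join(alarms)}")
```

Running the script flags the four requests against the ACL manager and leaves the two ordinary doku.php requests alone. The third sample (`wiki/../../../../etc`) is the case worth noting: it does not start with `../`, so a signature limited to the first alarm class would miss it, while the depth count still reports it as escaping the root.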
     
Risk level   Moderate

Vulnerability First Public Report Date   2010-01-18

Target Type   Server

Possible exploit   Local & Remote