1. Gentoo Linux Security Advisory
| Field | Value |
|---|---|
| Advisory Reference | GLSA 200606-16 / DokuWiki |
| Release Date | June 14, 2006 |
| Latest Revision | June 14, 2006: 01 |
| Impact | high |
| Exploitable | remote |

| Package | Vulnerable versions | Unaffected versions | Architecture(s) |
|---|---|---|---|
| www-apps/dokuwiki | < 20060309-r1 | >= 20060309-r1 | All supported architectures |
Related bug reports: #135623
A flaw in DokuWiki's spell checker allows for the execution of arbitrary PHP commands, even without proper authentication.
DokuWiki is a simple-to-use wiki targeted at developer teams, workgroups and small companies.
Stefan Esser discovered that the DokuWiki spell checker fails to properly sanitize PHP's "complex curly syntax".
An unauthenticated remote attacker may execute arbitrary PHP commands - and thus possibly arbitrary system commands - with the permissions of the user running the web server that serves DokuWiki pages.
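The root cause described above is a general PHP bug class: text supplied by a user ends up inside a double-quoted string that PHP later evaluates, so PHP interpolates any complex curly syntax (`{$...}`) it finds and the text is executed as code. The snippet below is an added illustration of that class written for this advisory; it is not DokuWiki's code, the function names are hypothetical, and it does not claim to reproduce the exact construct in the spell checker. It puts the unsafe construction next to the fix a reviewer should insist on: never assemble PHP source from user input, and escape output for the context it is rendered in.

```php
<?php
// Added illustration for GLSA 200606-16 (not DokuWiki's own code).
// Function names are hypothetical.

// UNSAFE: user-controlled $word is spliced into PHP source that is then
// eval()'d. Because the generated code is a double-quoted string, PHP
// interpolates "{$...}" sequences found in $word, so the caller of this
// function effectively lets the user run PHP. Kept only to show the shape
// of the defect; do not use.
function markMisspelledUnsafe(string $word): string
{
    $code = 'return "<span class=\"misspelled\">' . $word . '</span>";';
    return eval($code);
}

// SAFE: build the markup with ordinary concatenation (no eval, no
// interpolation of user text) and HTML-escape the word for output.
function markMisspelledSafe(string $word): string
{
    return '<span class="misspelled">'
        . htmlspecialchars($word, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</span>';
}

// Defensive check that can sit in front of any legacy code path that still
// has to pass text through an evaluated string: refuse input containing
// the interpolation triggers "{$" or "${" instead of trying to sanitize it.
function containsPhpInterpolation(string $text): bool
{
    return strpos($text, '{$') !== false || strpos($text, '${') !== false;
}

// Constructed sample input: an ordinary misspelling and a word carrying the
// interpolation trigger (shown only as a literal to exercise the check).
$words = ['teh', 'a{$b}c'];
foreach ($words as $w) {
    echo $w, ' -> ', containsPhpInterpolation($w) ? 'REJECT' : 'ok', "\n";
    echo '  safe markup: ', markMisspelledSafe($w), "\n";
}
```

The safe version is also what the fixed package needs in spirit: the spell checker's output is HTML, so the only transformation the user's word should undergo is HTML escaping. Running the sample prints `ok` for `teh` and `REJECT` for the second word, while `markMisspelledSafe` renders both as inert text.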
There is no known workaround at this time.
All DokuWiki users should upgrade to the latest version:
Code Listing 3.1: Resolution

```sh
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/dokuwiki-20060309-r1"
```