1. Gentoo Linux Security Advisory
| Advisory Reference | GLSA 200704-08 / dokuwiki |
| Release Date | April 12, 2007 |
| Latest Revision | April 12, 2007: 01 |
| Impact | low |
| Exploitable | remote |
| Package | Vulnerable versions | Unaffected versions | Architecture(s) |
| www-apps/dokuwiki | < 20061106 | >= 20061106 | All supported architectures |
Related bugreports: #163781
DokuWiki is vulnerable to a cross-site scripting attack.
DokuWiki is a simple to use wiki aimed at creating documentation.
DokuWiki does not sanitize user input to the GET variable 'media' in the fetch.php file.
An attacker could entice a user to click a specially crafted link and inject CRLF characters into the variable. This would allow the creation of new lines or fields in the returned HTTP Response header, which would permit the attacker to execute arbitrary scripts in the context of the user's browser.
Replace the following line in lib/exe/fetch.php:
Code Listing 3.1: Workaround |
with
Code Listing 3.2: Workaround |
All DokuWiki users should upgrade to the latest version:
Code Listing 3.3: Resolution |
# emerge --sync # emerge --ask --oneshot --verbose ">=www-apps/dokuwiki-20061106" |