nessusThis script is Copyright (C) 2010-2022 Tenable Network Security, Inc.DOKUWIKI_ACL_SECURITY_BYPASS_VULNERABILITY.NASL
HistoryJan 19, 2010 - 12:00 a.m.

DokuWiki ajax.php cmd[del] Parameter Security Bypass

2010-01-1900:00:00
This script is Copyright (C) 2010-2022 Tenable Network Security, Inc.
www.tenable.com
27

The remote web server is hosting a version of DokuWiki that is affected by a security bypass vulnerability in the ‘cmd[del]’ parameter of the ‘lib/plugins/acl/ajax.php’ script.

An attacker exploiting this flaw could modify the ACL settings for a specified user or group.

Note that this vulnerability may affect several other parameters and that the installed version of DokuWiki may also be affected by an information disclosure vulnerability, although Nessus has not tested for those issues.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

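# Registration pass: when the engine loads the plugin with `description` set,
# only the metadata below is recorded and the script exits before any network
# traffic is generated.
if (description)
{
  script_id(44059);
  script_version("1.13");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/06/01");

  # External identifiers for the same issue, for correlating with other feeds.
  script_cve_id("CVE-2010-0288");
  script_bugtraq_id(37820);
  script_xref(name:"EDB-ID", value:"11141");
  script_xref(name:"Secunia", value:"38183");

  script_name(english:"DokuWiki ajax.php cmd[del] Parameter Security Bypass");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server is hosting an application that is affected by a
security bypass vulnerability.");
  # Wording fixed: the doubled "modify" and the stray comma after 'cmd[del]'
  # have been removed from the text shown to users.
  script_set_attribute(attribute:"description", value:
"The remote web server is hosting a version of DokuWiki that is
affected by a security bypass vulnerability in the 'cmd[del]'
parameter of the 'lib/plugins/acl/ajax.php' script.

An attacker exploiting this flaw could modify the ACL
settings for a specified user or group.

Note that this vulnerability may affect several other parameters and that the
installed version of DokuWiki may also be affected by an information disclosure
vulnerability, although Nessus has not tested for those issues.");
  script_set_attribute(attribute:"see_also", value:"https://www.dokuwiki.org/changes#release_2009-12-25b_lemming");
  script_set_attribute(attribute:"solution", value:
"Upgrade to DokuWiki Release 2009-12-25b or later.");
  # CVSS v2 base: reachable over the network, low complexity, no
  # authentication, partial impact on confidentiality, integrity and
  # availability.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  # CVSS v2 temporal: proof-of-concept exploit code, official fix available,
  # report confidence not defined.
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:ND");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  # CWE-264: Permissions, Privileges, and Access Controls.
  script_cwe_id(264);

  script_set_attribute(attribute:"vuln_publication_date", value:"2010/01/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/01/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/01/19");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  # ACT_ATTACK: this is an active check. The body of the script sends a
  # request carrying cmd[del] to the ACL plugin rather than comparing version
  # strings, so scan policy should treat it as an intrusive test.
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2010-2022 Tenable Network Security, Inc.");

  # Scheduling constraints: dokuwiki_detect.nasl is declared as a dependency,
  # both KB keys below must be present, and the plugin is skipped when
  # Settings/disable_cgi_abuses is set.
  script_dependencies("dokuwiki_detect.nasl");
  script_require_keys("www/dokuwiki", "www/PHP");
  script_exclude_keys("Settings/disable_cgi_abuses");
  script_require_ports("Services/www", 80);

  exit(0);
}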

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");

# Pick the HTTP port under test and stop early if the server cannot run PHP.
port = get_http_port(default:80);
if (!can_host_php(port:port)) exit(0, "The web server on port "+port+" does not support PHP.");

# Fetch the DokuWiki install record for this port from the KB.
install = get_install_from_kb(appname:'dokuwiki', port:port);
if (isnull(install)) exit(1, "DokuWiki wasn't detected on port "+port+".");

# Per-run marker: script name plus the current Unix time. It is used as both
# the page id and the group name in the probe, and is the string searched for
# in the reply.
# NOTE(review): since the group name is freshly generated, cmd[del] presumably
# matches no existing ACL rule on the target -- confirm before scanning
# production wikis.
marker = SCRIPT_NAME + unixtime();
probe = install['dir'] + '/lib/plugins/acl/ajax.php?ajax=info&id=' + marker + '&acl_w=@' + marker + '&cmd[del]=1&acl=(ACL)';

# This script adds no credentials of its own to the request.
reply = http_send_recv3(method:"GET", item:probe, port:port, exit_on_fail: 1);
body = reply[2];

# All three fragments must be present before the host is flagged: the ACL
# panel heading echoing our marker, plus the Read and Edit permission labels.
# If any one is missing the install is reported as not affected. That verdict
# covers this single cmd[del] probe only; the plugin description states that
# other parameters and an information disclosure issue are not tested.
if (
  'Members of group <b class="aclgroup">' + marker + '</b>' >!< body ||
  '&nbsp;Read</label>' >!< body ||
  '&nbsp;Edit</label>' >!< body
)
  exit(0, 'The DokuWiki install at '+build_url(port:port, qs:install['dir']+'/doku.php') + ' is not affected.');

# Affected: attach the probe URL to the finding when verbosity allows it.
if (report_verbosity > 0)
  security_hole(port:port, extra:get_vuln_report(items:probe, port:port));
else
  security_hole(port:port);
exit(0);