CVE-2010-0288 – dokuwiki 2009-12-25 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2010-0288
A typo in the administrator permission check in the ACL Manager plugin (plugins/acl/ajax.php) in DokuWiki before 2009-12-25b allows remote attackers to gain privileges and access closed wikis by editing current ACL statements, as demonstrated in the wild in January 2010. Una errata en el check del permiso de administrador del plugin ACL Manager (plugins/acl/ajax.php) de DokuWiki en versiones anteriores a la v2009-12-25b permite a atacantes remotos obtener privlegios y acceder a wikis cerrados editando las restricciones de ACL actuales, como se ha demostrado en Enero del 2010. • https://www.exploit-db.com/exploits/11141 http://bugs.splitbrain.org/index.php?do=details&task_id=1847 http://lists.fedoraproject.org/pipermail/package-announce/2010-February/034729.html http://lists.fedoraproject.org/pipermail/package-announce/2010-February/034831.html http://osvdb.org/61710 http://secunia.com/advisories/38183 http://security.gentoo.org/glsa/glsa-201301-07.xml http://www.debian.org/security/2010/dsa-1976 http://www.exploit-db.com/exploits/11141 http://www.s • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2010-0289
https://notcve.org/view.php?id=CVE-2010-0289
Multiple cross-site request forgery (CSRF) vulnerabilities in the ACL Manager plugin (plugins/acl/ajax.php) in DokuWiki before 2009-12-25c allow remote attackers to hijack the authentication of administrators for requests that modify access control rules, and other unspecified requests, via unknown vectors. Múltiples vulnerabilidades de falsificación de petición en sitios cruzados (CSRF) en el plugin ACL Manager (plugins/acl/ajax.php) de DokuWiki en versiones anteriores a la v2009-12-25c. Permiten a atacantes remotos secuestrar la autenticación de los administradores para peticiones que modifican el acceso a las reglas de control de acceso, y otras peticiones sin especificar, a través de vectores de ataque desconocidos. • http://bugs.splitbrain.org/index.php?do=details&task_id=1853 http://freshmeat.net/projects/dokuwiki/tags/security-fix http://lists.fedoraproject.org/pipermail/package-announce/2010-February/034729.html http://lists.fedoraproject.org/pipermail/package-announce/2010-February/034831.html http://osvdb.org/61708 http://secunia.com/advisories/38205 http://security.gentoo.org/glsa/glsa-201301-07.xml http://www.debian.org/security/2010/dsa-1976 http://www.splitbrain.org/blog/2010-01/17-dok • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2010-0287 – dokuwiki 2009-12-25 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2010-0287
Directory traversal vulnerability in the ACL Manager plugin (plugins/acl/ajax.php) in DokuWiki before 2009-12-25b allows remote attackers to list the contents of arbitrary directories via a .. (dot dot) in the ns parameter. Vulnerabilidad de salto de directorio en el plugin ACL Manager (plugins/acl/ajax.php) de DokuWiki en versiones anteriores a la v2009-12-25b permite a usuarios remotos listar los contenidos de directorios de su elección a través de .. (punto punto) en el parámetro ns. • https://www.exploit-db.com/exploits/11141 http://bugs.splitbrain.org/index.php?do=details&task_id=1847 http://lists.fedoraproject.org/pipermail/package-announce/2010-February/034729.html http://lists.fedoraproject.org/pipermail/package-announce/2010-February/034831.html http://secunia.com/advisories/38183 http://security.gentoo.org/glsa/glsa-201301-07.xml http://www.debian.org/security/2010/dsa-1976 http://www.exploit-db.com/exploits/11141 http://www.securityfocus.com/bid/37821 http& • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2009-1960 – Dokuwiki 2009-02-14 - Local File Inclusion
https://notcve.org/view.php?id=CVE-2009-1960
inc/init.php in DokuWiki 2009-02-14, rc2009-02-06, and rc2009-01-30, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via the config_cascade[main][default][] parameter to doku.php. NOTE: PHP remote file inclusion is also possible in PHP 5 using ftp:// URLs. inc/init.php de DokuWiki 2009-02-14, rc2009-02-06 y rc2009-01-30, cuando register_globals está habilitado, permite a atacantes remotos incluir y ejecutar ficheros locales de su elección a través del parámetro config_cascade[main][default][] de doku.php. NOTA: también es posible una inclusión remota de fichero PHP en PHP v5 que utilice URLs ftp://. • https://www.exploit-db.com/exploits/8781 https://www.exploit-db.com/exploits/8812 http://bugs.splitbrain.org/index.php?do=details&task_id=1700 http://dev.splitbrain.org/darcsweb/darcsweb.cgi?r=dokuwiki%3Ba=commitdiff%3Bh=20090526145030-7ad00-c0483e021f47898c8597f3bfbdd26c637f891d86.gz http://secunia.com/advisories/35218 http://www.securityfocus.com/bid/35095 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2007-3930
https://notcve.org/view.php?id=CVE-2007-3930
Interpretation conflict between Microsoft Internet Explorer and DocuWiki before 2007-06-26b allows remote attackers to inject arbitrary JavaScript and conduct cross-site scripting (XSS) attacks when spellchecking UTF-8 encoded messages via the spell_utf8test function in lib/exe/spellcheck.php, which triggers HTML document identification and script execution by Internet Explorer even though the Content-Type header is text/plain. Conflicto de Interpretación entre Microsoft Internet Explorer y DocuWiki versiones anteriores a 2007-06-26b permite a atacantes remotos inyectar scripts JavaScript de su elección y conducir ataques de secuencias de comandos en sitios cruzados (XSS) mientras se comprueba la ortografía de mensajes codificados UTF-8 mediante la función spell_utf8test en lib/exe/spellcheck.php, que dispara identificación de documento HTML y ejecución de script mediante Internet Explorer aún siendo la cabecera Content-Type de tipo text/plain. • http://bugs.splitbrain.org/index.php?do=details&task_id=1195 http://osvdb.org/38319 http://secunia.com/advisories/26150 http://securityreason.com/securityalert/2908 http://wiki.splitbrain.org/wiki%3Achanges http://www.securityfocus.com/archive/1/474144/100/0/threaded http://www.securityfocus.com/bid/24973 http://www.vupen.com/english/advisories/2007/2617 https://exchange.xforce.ibmcloud.com/vulnerabilities/35501 •