cbcvebase.
CVE-2010-0288
published 2010-02-15

CVE-2010-0288: A typo in the administrator permission check in the ACL Manager plugin (plugins/acl/ajax.php) in DokuWiki before 2009-12-25b allows remote attackers to gain…

PriorityP262high7.5CVSS 2.0
AVNACLAuNCPIPAP
ITWEXPLOIT
Exploited in the wild
EPSS
10.55%
95.2th percentile
A typo in the administrator permission check in the ACL Manager plugin (plugins/acl/ajax.php) in DokuWiki before 2009-12-25b allows remote attackers to gain privileges and access closed wikis by editing current ACL statements, as demonstrated in the wild in January 2010.

Affected

34 ranges· showing 25
VendorProductVersion rangeFixed in
debiandokuwiki< dokuwiki 0.0.20090214b-3.1 (bookworm)dokuwiki 0.0.20090214b-3.1 (bookworm)
dokuwikidokuwiki<= release_2009-02-14
dokuwikidokuwiki
dokuwikidokuwiki
dokuwikidokuwiki
dokuwikidokuwiki
dokuwikidokuwiki
dokuwikidokuwiki
dokuwikidokuwiki
dokuwikidokuwiki
dokuwikidokuwiki
dokuwikidokuwiki
dokuwikidokuwiki
dokuwikidokuwiki
dokuwikidokuwiki
dokuwikidokuwiki
dokuwikidokuwiki
dokuwikidokuwiki
dokuwikidokuwiki
dokuwikidokuwiki
dokuwikidokuwiki
dokuwikidokuwiki
dokuwikidokuwiki
dokuwikidokuwiki
dokuwikidokuwiki

Detection & IOCsextracted from sources · hover to see the quote

urlhttp://server/plugins/acl/ajax.php?ajax=tree&ns=../pages/
urlhttp://server/lib/plugins/acl/ajax.php?ajax=info&id=wiki&acl_w=@ALL&cmd[save]=1&acl=(ACL)
urlhttp://server/lib/plugins/acl/ajax.php?ajax=info&id=wiki&acl_w=@ALL&cmd[del]=1&acl=(ACL)
urlhttp://server/lib/plugins/acl/ajax.php?ajax=info&id=wiki&acl_w=@ALL&cmd[update]=1&acl=(ACL)
pathplugins/acl/ajax.php
  • Monitor HTTP requests to /lib/plugins/acl/ajax.php containing query parameters 'cmd[save]', 'cmd[del]', or 'cmd[update]' from unauthenticated or non-admin sessions, indicating unauthorized ACL manipulation attempts.
  • Detect directory traversal attempts against the ACL ajax endpoint via the 'ns' parameter containing '../' sequences (e.g., ?ajax=tree&ns=../pages/).
  • Alert on modifications to acl.auth.php on the filesystem, which is the target file written by the exploit to add, delete, or update ACL authorization entries.
  • Flag requests to /lib/plugins/acl/ajax.php with 'acl_w=@ALL' in the query string, as this grants read/write access to all users and is a strong indicator of exploitation.
  • This vulnerability was exploited in the wild in January 2010; correlate web server logs from that period or ongoing for the specific URI patterns against unpatched DokuWiki 2009-12-25 installations.
  • ·The vulnerable path differs between the two PoC patterns: one uses '/plugins/acl/ajax.php' (directory traversal PoC) and the other uses '/lib/plugins/acl/ajax.php' (ACL manipulation PoC). Detection rules should cover both path variants.
  • ·The ACL permission values used in the exploit are numeric (1=read, 2=modified, 4=creation, 8=upload, 16=delete); detection logic should account for these specific integer values in the 'acl' parameter.
  • ·A related but separate CSRF vulnerability (CVE-2010-0289) also affects the ACL manager; the fix for CVE-2010-0288 (version 2009-12-25b) does not address CSRF, which was patched in version 2009-12-25c.

CVSS provenance

nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
osv7.5HIGH
vendor_debian7.5MEDIUM
vendor_redhat7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.