CVE-2010-0288
published 2010-02-15CVE-2010-0288: A typo in the administrator permission check in the ACL Manager plugin (plugins/acl/ajax.php) in DokuWiki before 2009-12-25b allows remote attackers to gain…
PriorityP262high7.5CVSS 2.0
AVNACLAuNCPIPAP
ITWEXPLOIT
Exploited in the wild
EPSS
10.55%
95.2th percentile
A typo in the administrator permission check in the ACL Manager plugin (plugins/acl/ajax.php) in DokuWiki before 2009-12-25b allows remote attackers to gain privileges and access closed wikis by editing current ACL statements, as demonstrated in the wild in January 2010.
Affected
34 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | dokuwiki | < dokuwiki 0.0.20090214b-3.1 (bookworm) | dokuwiki 0.0.20090214b-3.1 (bookworm) |
| dokuwiki | dokuwiki | <= release_2009-02-14 | — |
| dokuwiki | dokuwiki | — | — |
| dokuwiki | dokuwiki | — | — |
| dokuwiki | dokuwiki | — | — |
| dokuwiki | dokuwiki | — | — |
| dokuwiki | dokuwiki | — | — |
| dokuwiki | dokuwiki | — | — |
| dokuwiki | dokuwiki | — | — |
| dokuwiki | dokuwiki | — | — |
| dokuwiki | dokuwiki | — | — |
| dokuwiki | dokuwiki | — | — |
| dokuwiki | dokuwiki | — | — |
| dokuwiki | dokuwiki | — | — |
| dokuwiki | dokuwiki | — | — |
| dokuwiki | dokuwiki | — | — |
| dokuwiki | dokuwiki | — | — |
| dokuwiki | dokuwiki | — | — |
| dokuwiki | dokuwiki | — | — |
| dokuwiki | dokuwiki | — | — |
| dokuwiki | dokuwiki | — | — |
| dokuwiki | dokuwiki | — | — |
| dokuwiki | dokuwiki | — | — |
| dokuwiki | dokuwiki | — | — |
| dokuwiki | dokuwiki | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor HTTP requests to /lib/plugins/acl/ajax.php containing query parameters 'cmd[save]', 'cmd[del]', or 'cmd[update]' from unauthenticated or non-admin sessions, indicating unauthorized ACL manipulation attempts. ↗
- →Detect directory traversal attempts against the ACL ajax endpoint via the 'ns' parameter containing '../' sequences (e.g., ?ajax=tree&ns=../pages/). ↗
- →Alert on modifications to acl.auth.php on the filesystem, which is the target file written by the exploit to add, delete, or update ACL authorization entries. ↗
- →Flag requests to /lib/plugins/acl/ajax.php with 'acl_w=@ALL' in the query string, as this grants read/write access to all users and is a strong indicator of exploitation. ↗
- →This vulnerability was exploited in the wild in January 2010; correlate web server logs from that period or ongoing for the specific URI patterns against unpatched DokuWiki 2009-12-25 installations. ↗
- ·The vulnerable path differs between the two PoC patterns: one uses '/plugins/acl/ajax.php' (directory traversal PoC) and the other uses '/lib/plugins/acl/ajax.php' (ACL manipulation PoC). Detection rules should cover both path variants. ↗
- ·The ACL permission values used in the exploit are numeric (1=read, 2=modified, 4=creation, 8=upload, 16=delete); detection logic should account for these specific integer values in the 'acl' parameter. ↗
- ·A related but separate CSRF vulnerability (CVE-2010-0289) also affects the ACL manager; the fix for CVE-2010-0288 (version 2009-12-25b) does not address CSRF, which was patched in version 2009-12-25c. ↗
CVSS provenance
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
osv7.5HIGH
vendor_debian7.5MEDIUM
vendor_redhat7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-fx5h-623c-jvh7: A typo in the administrator permission check in the ACL Manager plugin (plugins/acl/ajax
ghsa_unreviewed·2022-05-02
CVE-2010-0288 [HIGH] GHSA-fx5h-623c-jvh7: A typo in the administrator permission check in the ACL Manager plugin (plugins/acl/ajax
A typo in the administrator permission check in the ACL Manager plugin (plugins/acl/ajax.php) in DokuWiki before 2009-12-25b allows remote attackers to gain privileges and access closed wikis by editing current ACL statements, as demonstrated in the wild in January 2010.
OSV
CVE-2010-0288: A typo in the administrator permission check in the ACL Manager plugin (plugins/acl/ajax
osv·2010-02-15·CVSS 7.5
CVE-2010-0288 [HIGH] CVE-2010-0288: A typo in the administrator permission check in the ACL Manager plugin (plugins/acl/ajax
A typo in the administrator permission check in the ACL Manager plugin (plugins/acl/ajax.php) in DokuWiki before 2009-12-25b allows remote attackers to gain privileges and access closed wikis by editing current ACL statements, as demonstrated in the wild in January 2010.
Red Hat
dokuwiki: multiple vulnerabilities in ACL manager
vendor_redhat·2010-01-17·CVSS 7.5
CVE-2010-0288 [HIGH] dokuwiki: multiple vulnerabilities in ACL manager
dokuwiki: multiple vulnerabilities in ACL manager
A typo in the administrator permission check in the ACL Manager plugin (plugins/acl/ajax.php) in DokuWiki before 2009-12-25b allows remote attackers to gain privileges and access closed wikis by editing current ACL statements, as demonstrated in the wild in January 2010.
Debian
CVE-2010-0288: dokuwiki - A typo in the administrator permission check in the ACL Manager plugin (plugins/...
vendor_debian·2010·CVSS 7.5
CVE-2010-0288 [HIGH] CVE-2010-0288: dokuwiki - A typo in the administrator permission check in the ACL Manager plugin (plugins/...
A typo in the administrator permission check in the ACL Manager plugin (plugins/acl/ajax.php) in DokuWiki before 2009-12-25b allows remote attackers to gain privileges and access closed wikis by editing current ACL statements, as demonstrated in the wild in January 2010.
Scope: local
bookworm: resolved (fixed in 0.0.20090214b-3.1)
bullseye: resolved (fixed in 0.0.20090214b-3.1)
forky: resolved (fixed in 0.0.20090214b-3.1)
sid: resolved (fixed in 0.0.20090214b-3.1)
trixie: resolved (fixed in 0.0.20090214b-3.1)
No detection rules found.
http://bugs.splitbrain.org/index.php?do=details&task_id=1847http://lists.fedoraproject.org/pipermail/package-announce/2010-February/034729.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2010-February/034831.htmlhttp://osvdb.org/61710http://secunia.com/advisories/38183http://security.gentoo.org/glsa/glsa-201301-07.xmlhttp://www.debian.org/security/2010/dsa-1976http://www.exploit-db.com/exploits/11141http://www.securityfocus.com/bid/37820http://www.splitbrain.org/blog/2010-01/17-dokuwiki-securityhttp://www.vupen.com/english/advisories/2010/0150https://exchange.xforce.ibmcloud.com/vulnerabilities/55661http://bugs.splitbrain.org/index.php?do=details&task_id=1847http://lists.fedoraproject.org/pipermail/package-announce/2010-February/034729.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2010-February/034831.htmlhttp://osvdb.org/61710http://secunia.com/advisories/38183http://security.gentoo.org/glsa/glsa-201301-07.xmlhttp://www.debian.org/security/2010/dsa-1976http://www.exploit-db.com/exploits/11141http://www.securityfocus.com/bid/37820http://www.splitbrain.org/blog/2010-01/17-dokuwiki-securityhttp://www.vupen.com/english/advisories/2010/0150https://exchange.xforce.ibmcloud.com/vulnerabilities/55661
2010-02-15
Published
Exploited in the wild