oss-sec mailing list archives

Re: CVE request: dokuwiki

From: Josh Bressers <bressers () redhat com>
Date: Tue, 19 Jan 2010 15:19:37 -0500 (EST)

----- "Giuseppe Iuculano" <iuculano () debian org> wrote:

Hi,

Multiple vulnerabilities have been discovered in DokuWiki.

References:
http://secunia.com/advisories/38183/
http://secunia.com/advisories/38205/
http://bugs.splitbrain.org/index.php?do=details&task_id=1847
http://bugs.splitbrain.org/index.php?do=details&task_id=1853
http://www.exploit-db.com/exploits/11141
http://www.splitbrain.org/blog/2010-01/17-dokuwiki-security


I'm using this as my reference:
https://bugzilla.redhat.com/show_bug.cgi?id=556494#c6

http://bugs.splitbrain.org/index.php?do=details&task_id=1847
http://secunia.com/advisories/38183/
- directory structure information leak
- insufficient permissions checks, allowing attacker to change ACLs

http://bugs.splitbrain.org/index.php?do=details&task_id=1853
http://secunia.com/advisories/38205/
- missing CSRF protections in ACL manager

So for CVE assignment:

CVE-2010-0287
- directory structure information leak

CVE-2010-0288
- insufficient permissions checks, allowing attacker to change ACLs


CVE-2010-0289
- missing CSRF protections in ACL manager

Thanks.

-- 
    JB

Current thread:

CVE request: dokuwiki Giuseppe Iuculano (Jan 17)
- Re: CVE request: dokuwiki Josh Bressers (Jan 19)
  - Re: CVE request: dokuwiki Solar Designer (Jan 19)