Advisory 04/2006: DokuWiki PHP code execution vulnerability in spellchecker



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hardened-PHP Project
www.hardened-php.net

-= Security Advisory =-


Advisory: DokuWiki PHP code execution vulnerability in spellchecker
Release Date: 2006/06/05
Last Modified: 2006/06/05
Author: Stefan Esser [sesser@hardened-php.net]

Application: DokuWiki <= 2006/06/04
Severity: DokuWiki's spellchecker allows remote PHP code execution
Risk: Critical
Vendor Status: Vendor has a released an updated version
References: http://www.hardened-php.net/advisory_042006.119.html


Overview:

Quote from http://www.dokuwiki.org/wiki:dokuwiki
"DokuWiki is a standards compliant, simple to use Wiki, mainly aimed
at creating documentation of any kind. It is targeted at developer
teams, workgroups and small companies. It has a simple but powerful
syntax which makes sure the datafiles remain readable outside the
Wiki and eases the creation of structured texts. All data is stored
in plain text files - no database is required."

During the evaluation of DokuWiki for a german/korean wiki of mine
a flaw in DokuWiki's spellchecker was discovered, that allows
injecting arbitrary PHP commands, by requesting a spellcheck on
PHP commands in 'complex curly syntax'.

Because the spellchecker is written as part of the AJAX functionality
of DokuWiki, it can be directly called by any website visitor,
without the need for a wiki account.


Details:

DokuWiki comes with an AJAX spellchecking service that can be
called by every visiting client without the need of authorization.

Unfortunately the spellchecking service used the /e modifier of
preg_replace() to handle links that are embedded in the text to
translate in an unsafe way.

// don't check links and medialinks for spelling errors
$string = preg_replace('/\{\{(.*?)(\|(.*?))?(\}\})/e',
'spaceslink("\\1","\\2")',$string);
$string = preg_replace('/\[\[(.*?)(\|(.*?))?(\]\])/e',
'spaceslink("\\1","\\2")',$string);

Therefore it is possible to request a spellcheck for a string like

[[{${phpinfo()}}]]

which will result in the evaluation of something like

spaceslink("{${phpinfo()}}",...);

This is PHP's 'complex curly syntax' which allows to put complex
expressions into string definitions.

It should be obvious that this can be used to execute any kind of
PHP code as long it does not include chars that are converted to
htmlentities beforehand. A possible statement, that also takes
care of magic_quotes_gpc setting would be

eval(base64_decode($_POST[1]))

The vulnerability is now fixed, according to our recommendation,
by having replaced the use of the unsafe /e modifier with a call
to the better suited preg_replace_callback() function.

Taking into account that exploiting this vulnerability is very
simple and thinking about the number of DokuWiki installations
it is very likely that a future worm will make use of this
vulnerability.


Proof of Concept:

The Hardened-PHP Project is not going to release exploits for
this vulnerability to the public.


Disclosure Timeline:

04. June 2006 - Contacted DokuWiki developer by email
04. June 2006 - Vendor released DokuWiki update
05. June 2006 - Public Disclosure


Recommendation:

It is strongly recommended to upgrade to the newest version of
DokuWiki which you can download at:

http://www.splitbrain.org/projects/dokuwiki

Note: although the tarball is still labeled 2006-03-09 it
meanwhile contains the hotfix for this vulnerability


GPG-Key:

http://www.hardened-php.net/hardened-php-signature-key.asc

pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1


Copyright 2006 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEg/MKRDkUzAqGSqERAnV1AKDvE97DWauc+8lhbfrTjD8qSgKIgACgoxF9
NtzKYXXbo6zaoCvAxL+MWQ4=
=UGk5
-----END PGP SIGNATURE-----
© Hardened PHP Project