Mandriva Linux Security Advisory : dokuwiki (MDVSA-2013:073)

This script is Copyright (C) 2013-2016 Tenable Network Security, Inc.


Synopsis :

The remote Mandriva Linux host is missing a security update.

Description :

Updated dokuwiki package fixes security vulnerabilities :

DokuWiki 2009-12-25c allows remote attackers to obtain sensitive
information via a direct request to a .php file, which reveals the
installation path in an error message, as demonstrated by
lib/tpl/index.php and certain other files (CVE-2011-3727).

A full path disclosure flaw was found in the way DokuWiki, a standards
compliant, simple to use Wiki, performed sanitization of the HTTP POST
'prefix' input value prior to passing it to the underlying PHP substr()
routine, when the PHP error level has been enabled on the particular
server. A remote attacker could use this flaw to obtain the full path
location of the particular requested DokuWiki page by issuing a specially
crafted HTTP POST request (CVE-2012-3354).

Solution :

Update the affected dokuwiki package.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 4.3
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

Family: Mandriva Local Security Checks

Nessus Plugin ID: 66087

Bugtraq ID: 56327, 56328

CVE ID: CVE-2011-3727, CVE-2012-3354
