Mandriva Linux Security Advisory : dokuwiki (MDVSA-2013:073)

medium Nessus Plugin ID 66087

Synopsis

The remote Mandriva Linux host is missing a security update.

Description

The updated dokuwiki package fixes the following security vulnerabilities:

DokuWiki 2009-12-25c allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by lib/tpl/index.php and certain other files (CVE-2011-3727).

A full path disclosure flaw was found in the way DokuWiki, a standards-compliant, simple-to-use wiki, sanitized the HTTP POST 'prefix' input value before passing it to the underlying PHP substr() routine, when the PHP error level has been enabled on the particular server. A remote attacker could use this flaw to obtain the full path of the requested DokuWiki page by issuing a specially crafted HTTP POST request (CVE-2012-3354).

Solution

Update the affected dokuwiki package.

Plugin Details

Severity: Medium

ID: 66087

File Name: mandriva_MDVSA-2013-073.nasl

Version: 1.9

Type: local

Published: 4/20/2013

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 2.2

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:dokuwiki, cpe:/o:mandriva:business_server:1

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 4/8/2013

Reference Information

CVE: CVE-2011-3727, CVE-2012-3354

BID: 56327, 56328

MDVSA: 2013:073

MGASA: 2012-0362