A flaw in DokuWiki's spell checker allows for the execution of arbitrary PHP commands, even without proper authentication.
|Package||www-apps/dokuwiki on all architectures|
|Affected versions||< 20060309-r1|
|Unaffected versions||>= 20060309-r1|
DokuWiki is a simple to use wiki targeted at developer teams, workgroups and small companies.
Stefan Esser discovered that the DokuWiki spell checker fails to properly sanitize PHP's "complex curly syntax".
A unauthenticated remote attacker may execute arbitrary PHP commands - and thus possibly arbitrary system commands - with the permissions of the user running the webserver that serves DokuWiki pages.
There is no known workaround at this time.
All DokuWiki users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=www-apps/dokuwiki-20060309-r1"
June 14, 2006
June 14, 2006: 01