DokuWiki: Shell command injection and Denial of Service — GLSA 200609-20

DokuWiki is vulnerable to shell command injection and Denial of Service attacks when using ImageMagick.

Affected Packages

www-apps/dokuwiki on all architectures
Affected versions < 20060309e
Unaffected versions >= 20060309e

Background

DokuWiki is a wiki targeted at developer teams, workgroups and small companies. It does not use a database backend.

Description

Input validation flaws have been discovered in the image handling of fetch.php if ImageMagick is used, which is not the default method.

Impact

A remote attacker could exploit the flaws to execute arbitrary shell commands with the rights of the web server daemon or cause a Denial of Service.

Workaround

There is no known workaround at this time.

Resolution

All DokuWiki users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=www-apps/dokuwiki-20060309e"

References

Release Date
September 28, 2006

Latest Revision
December 13, 2006: 02

Severity
high

Exploitable
remote

Bugzilla entries