CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS
Percentile
86.9%
The remote web server is hosting a version of DokuWiki that is affected by a security bypass vulnerability in the ‘cmd[del]’ parameter of the ‘lib/plugins/acl/ajax.php’ script.
An attacker exploiting this flaw could modify the ACL settings for a specified user or group.
Note that this vulnerability may affect several other parameters and that the installed version of DokuWiki may also be affected by an information disclosure vulnerability, although Nessus has not tested for those issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
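# Registration block: executed when the engine sets 'description' to collect
# the plugin's metadata. It ends with exit(0), so nothing below the block runs
# in that mode and no request is sent from here.
if (description)
{
  # Plugin identity and external references for the finding.
  script_id(44059);
  script_version("1.13");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/06/01");

  script_cve_id("CVE-2010-0288");
  script_bugtraq_id(37820);
  script_xref(name:"EDB-ID", value:"11141");
  script_xref(name:"Secunia", value:"38183");

  script_name(english:"DokuWiki ajax.php cmd[del] Parameter Security Bypass");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server is hosting an application that is affected by a
security bypass vulnerability.");
  # Wording fix only: removed the stray comma after 'cmd[del]' and the
  # duplicated word "modify"; the statement of impact is unchanged.
  script_set_attribute(attribute:"description", value:
"The remote web server is hosting a version of DokuWiki that is
affected by a security bypass vulnerability in the 'cmd[del]'
parameter of the 'lib/plugins/acl/ajax.php' script.
An attacker, exploiting this flaw, could modify the ACL
settings for a specified user or group.
Note that this vulnerability may affect several other parameters and that the
installed version of DokuWiki may also be affected by an information disclosure
vulnerability, although Nessus has not tested for those issues.");
  script_set_attribute(attribute:"see_also", value:"https://www.dokuwiki.org/changes#release_2009-12-25b_lemming");
  script_set_attribute(attribute:"solution", value:
"Upgrade to DokuWiki Release 2009-12-25b or later.");

  # Base vector: reachable over the network, low complexity, no
  # authentication, partial impact on confidentiality, integrity and
  # availability. Temporal vector: proof-of-concept exploit, official fix.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:ND");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  # CWE-264: Permissions, Privileges, and Access Controls.
  script_cwe_id(264);

  script_set_attribute(attribute:"vuln_publication_date", value:"2010/01/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/01/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/01/19");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"thorough_tests", value:"true");

  script_end_attributes();

  # ACT_ATTACK: the check in this file sends a request that exercises the
  # flawed parameter instead of inferring the result from a version string,
  # so scan operators should schedule it as an active test.
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2010-2022 Tenable Network Security, Inc.");

  # Scheduling constraints: run after the DokuWiki detection plugin, only
  # when the 'www/dokuwiki' and 'www/PHP' KB keys are present, and never when
  # the policy sets 'Settings/disable_cgi_abuses'.
  script_dependencies("dokuwiki_detect.nasl");
  script_require_keys("www/dokuwiki", "www/PHP");
  script_exclude_keys("Settings/disable_cgi_abuses");
  script_require_ports("Services/www", 80);

  exit(0);
}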
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");
# Active check: ask the ACL plugin's ajax.php for the permission panel of a
# throw-away group and report the install when the panel comes back.

# Locate a PHP-capable web port, then the DokuWiki install recorded in the KB.
port = get_http_port(default:80);
if (!can_host_php(port:port))
  exit(0, "The web server on port "+port+" does not support PHP.");

install = get_install_from_kb(appname:'dokuwiki', port:port);
if (isnull(install))
  exit(1, "DokuWiki wasn't detected on port "+port+".");

# The group name is the script name followed by the current Unix time, so it
# differs on every run. Presumably this keeps the cmd[del] action from naming
# an ACL entry that really exists on the target -- confirm before reusing the
# pattern against production wikis.
group = SCRIPT_NAME + unixtime();

# In web access logs this check shows up as a GET to
# <dir>/lib/plugins/acl/ajax.php carrying ajax=info and cmd[del]=1, with 'id'
# and 'acl_w' set to the script-derived group name.
url = install['dir'] + '/lib/plugins/acl/ajax.php?ajax=info&id=' + group + '&acl_w=@' + group + '&cmd[del]=1&acl=(ACL)';

# No credentials are supplied in this call; a transport failure ends the
# plugin because exit_on_fail is set.
res = http_send_recv3(method:"GET", item:url, port:port, exit_on_fail: 1);

# All three markers must be in the response body: the "Members of group"
# heading echoing our group name, and the Read and Edit permission labels.
# NOTE(review): the leading character in ' Read</label>' and ' Edit</label>'
# is copied as displayed; if the vendor copy uses an HTML entity there, these
# markers will not match -- compare against the vendor file.
if (!(
  'Members of group <b class="aclgroup">' + group + '</b>' >< res[2] &&
  ' Read</label>' >< res[2] &&
  ' Edit</label>' >< res[2]
))
  exit(0, 'The DokuWiki install at '+build_url(port:port, qs:install['dir']+'/doku.php') + ' is not affected.');

# Affected: include the request URL in the finding only when the scan asks
# for verbose reports.
if (report_verbosity > 0)
  security_hole(port:port, extra:get_vuln_report(items:url, port:port));
else
  security_hole(port:port);

exit(0);