CVE-2012-3354: Infoleak
First published: Mon Jun 25 2012(Updated: )
A full path disclosure flaw was found in the way DokuWiki, a standards compliant, simple to use Wiki, performed sanitization of HTTP POST 'prefix' input value prior passing it to underlying PHP substr() routine, when the PHP error level has been enabled on the particular server. A remote attacker could use this flaw to obtain full path location of particular requested DokuWiki page by issuing a specially-crafted HTTP POST request. References: [1] <a href="http://www.openwall.com/lists/oss-security/2012/06/24/2">http://www.openwall.com/lists/oss-security/2012/06/24/2</a> [2] <a href="http://www.openwall.com/lists/oss-security/2012/06/25/2">http://www.openwall.com/lists/oss-security/2012/06/25/2</a>
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| DokuWiki | ||
| Red Hat Fedora | =16 | |
| Red Hat Fedora | =17 | |
| Red Hat Fedora | =18 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2012/06/24/2
- http://www.openwall.com/lists/oss-security/2012/06/25/2
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=835149
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=835150
- https://bugzilla.redhat.com/show_bug.cgi?id=835145
- http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090755.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090899.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090938.html
- http://www.freelists.org/post/dokuwiki/Fwd-DokuWiki-Full-path-disclosure
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:073
Frequently Asked Questions
What is the severity of CVE-2012-3354?
CVE-2012-3354 has a medium severity rating due to its potential for information disclosure.
How do I fix CVE-2012-3354?
To fix CVE-2012-3354, update DokuWiki to the latest version where the flaw has been patched.
Who is affected by CVE-2012-3354?
CVE-2012-3354 impacts users of DokuWiki on specific versions of Fedora including 16, 17, and 18.
What type of vulnerability is CVE-2012-3354?
CVE-2012-3354 is a full path disclosure vulnerability that can expose sensitive path information.
Can CVE-2012-3354 be exploited remotely?
Yes, CVE-2012-3354 can be exploited remotely by an attacker when PHP error reporting is enabled.
- collector/redhat-bugzilla
- alias/CVE-2012-3354
- agent/last-modified-date
- agent/first-publish-date
- agent/type
- agent/severity
- agent/weakness
- agent/references
- agent/author
- agent/description
- agent/event
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/dokuwiki
- canonical/dokuwiki
- vendor/fedoraproject
- canonical/red hat fedora
- version/red hat fedora/16
- version/red hat fedora/17
- version/red hat fedora/18