Mageia alert MGASA-2012-0362 (dokuwiki)

From:  Mageia Updates <buildsystem-daemon@mageia.org>
To:  updates-announce@ml.mageia.org
Subject:  [updates-announce] MGASA-2012-0362: dokuwiki-20121013-1.mga2 (2/core)
Date:  Tue, 11 Dec 2012 23:02:15 +0100
Message-ID:  <20121211220215.GA5574@valstar.mageia.org>

MGASA-2012-0362

Date: December 11th, 2012
Affected releases: 2

Description:

Updated dokuwiki package fixes security vulnerabilities:

DokuWiki 2009-12-25c allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by lib/tpl/index.php and certain other files (CVE-2011-3727).

A full path disclosure flaw was found in the way DokuWiki, a standards compliant, simple to use Wiki, performed sanitization of HTTP POST 'prefix' input value prior to passing it to underlying PHP substr() routine, when the PHP error level has been enabled on the particular server. A remote attacker could use this flaw to obtain full path location of particular requested DokuWiki page by issuing a specially-crafted HTTP POST request (CVE-2012-3354).

Updated Packages:

dokuwiki-20121013-1.mga2

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3727
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3354
http://lists.fedoraproject.org/pipermail/package-announce...
https://bugs.mageia.org/show_bug.cgi?id=7950
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-...


Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds